Improve CI

Author: jcf

.claude/skills/commit-all/SKILL.md

@@ -1,13 +1,17 @@
 ---
 name: commit-all
 description: Create atomic commits from all unstaged changes
-allowed-tools: Bash(git status, git diff*, git add, git commit, git log)
+allowed-tools: Bash(just fmt, git status, git diff*, git add, git commit, git log)
 ---
 
 # Commit All Unstaged Changes
 
 Create atomic commits from all unstaged changes.
 
+## Step 1: Format Code
+
+!`just fmt`
+
 ## Current State
 
 !`git status --short`

.claude/skills/commit/SKILL.md

@@ -1,19 +1,23 @@
 ---
 name: commit
 description: Create atomic commits from session changes only
-allowed-tools: Bash(git status, git diff*, git add, git commit, git log)
+allowed-tools: Bash(just fmt, git status, git diff*, git add, git commit, git log)
 ---
 
 # Commit Session Changes
 
 Create atomic commits for **only the changes we made together** in this session.
 
-## Step 1: Identify Session Changes
+## Step 1: Format Code
+
+!`just fmt`
+
+## Step 2: Identify Session Changes
 
 Review your tool use history from this conversation. List the files you edited
 using Edit or Write tools. These are "our changes."
 
-## Step 2: Cross-Reference with Git
+## Step 3: Cross-Reference with Git
 
 !`git status --short`
 
@@ -26,7 +30,7 @@ Only consider files that:
 
 Ignore any pre-existing uncommitted changes that weren't part of our work.
 
-## Step 3: Propose Atomic Commits
+## Step 4: Propose Atomic Commits
 
 Group related changes into logical commits. For each proposed commit, show:
 
@@ -39,7 +43,7 @@ Commit 2: <message>
   - path/to/other.clj
 ```
 
-## Step 4: Wait for Approval
+## Step 5: Wait for Approval
 
 Present the plan and ask: "Ready to create these commits?"
 

.claude/skills/sync-deps/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: sync-deps
+description: Synchronise Nix deps hash after changing deps.edn
+---
+
+# Sync Dependencies Hash
+
+Update the fixed-output derivation hash in `pkgs/bits-uberjar/default.nix` after
+changing `deps.edn`.
+
+## Background
+
+The uberjar build uses a fixed-output derivation (FOD) to cache Maven/Clojure
+dependencies. When `deps.edn` changes, the hash becomes stale and builds fail
+with a hash mismatch error containing the correct hash.
+
+## Process
+
+1. Read `pkgs/bits-uberjar/default.nix`
+
+2. Edit `depsHash` to an invalid value to force recomputation:
+
+   ```nix
+   depsHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+   ```
+
+3. Clear devenv cache: `rm -f .devenv/nix-eval-cache.db`
+
+4. Run: `devenv build outputs.bits-uberjar`
+
+   The build fails with a hash mismatch. Find the `got:` line containing the
+   correct hash (format: `sha256-...=`).
+
+5. Edit `depsHash` with the correct hash from the error output.
+
+6. Verify: `devenv build outputs.bits-uberjar`
+
+7. If verification fails, restore: `git checkout pkgs/bits-uberjar/default.nix`
+
+$ARGUMENTS

.forgejo/scripts/attic-push.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -eu
+
+# Push gcroots and their closures to Attic
+# This ensures future CI runs can fetch from Attic instead of cache.nixos.org
+for path in .devenv/gc/*; do
+  if [[ -L $path ]]; then
+    # Resolve symlink and push the actual store path with its closure
+    store_path=$(readlink -f "$path")
+    attic push invetica:invetica "$store_path" || true
+  fi
+done

.forgejo/scripts/attic-setup.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -eu
+
+usage() {
+  echo >&2 "Usage: ATTIC_TOKEN=<token> attic-setup.sh"
+}
+
+if [[ -z ${ATTIC_TOKEN:-} ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+attic login invetica https://attic.lan.invetica.co.uk "$ATTIC_TOKEN"
+attic use invetica:invetica

.forgejo/scripts/build.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -eu
+
+usage() {
+  echo >&2 "Usage: build.sh <output-name>"
+}
+
+if [[ $# -ne 1 ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+output=$1
+
+devenv build "outputs.$output"

.forgejo/scripts/filter-devenv.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# Filter devenv spinner noise from output, preserving error lines
+grep -v '^[⠋⠙⠹⠸⠼⠴⠦⠧⠇]' || true

.forgejo/scripts/tag-image.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env zsh
+set -eu
+
+usage() {
+  echo >&2 "Usage: tag-image.sh <image-path> <arch>"
+}
+
+if [[ $# -ne 2 ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+image_path=$1
+arch=$2
+
+podman load <"$image_path"
+
+version=$(podman images bits --format '{{.Tag}}' | head -1)
+echo "version=$version" >>"$GITHUB_OUTPUT"
+echo "Version: $version"
+
+image="ghcr.io/jcf/bits"
+podman tag "bits:$version" "$image:$version-$arch"
+echo "image=$image" >>"$GITHUB_OUTPUT"

.forgejo/workflows/bootstrap.yml

@@ -0,0 +1,59 @@
+name: Bootstrap
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main, morph]
+    paths:
+      - "pkgs/bits-ci/**"
+      - ".forgejo/workflows/bootstrap.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: nixos
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure Attic cache
+        env:
+          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+        run: .forgejo/scripts/attic-setup.sh
+
+      - name: Build CI container
+        id: build
+        run: |
+          set -euo pipefail
+          output=$(.forgejo/scripts/build.sh bits-ci-amd64 2>&1) || {
+            echo "$output"
+            exit 1
+          }
+          image_path=$(echo "$output" | .forgejo/scripts/filter-devenv.sh | tail -1)
+          echo "image_path=$image_path" >> "$GITHUB_OUTPUT"
+
+      - name: Push closure to Attic cache
+        run: nix-store -qR "${{ steps.build.outputs.image_path }}" | xargs attic push invetica:invetica
+
+      - name: Push to Forgejo
+        env:
+          REGISTRY_AUTH_FILE: ${{ runner.temp }}/auth.json
+        run: |
+          echo "${{ secrets.FORGEJO_PKG_TOKEN }}" | skopeo login git.lan.invetica.co.uk -u jcf --password-stdin
+          version="$(date +%Y%m%d)-$(git rev-parse --short HEAD)"
+          image="git.lan.invetica.co.uk/jcf/bits/bits-ci"
+          skopeo copy \
+            "docker-archive:${{ steps.build.outputs.image_path }}" \
+            "docker://$image:$version"
+          skopeo copy \
+            "docker-archive:${{ steps.build.outputs.image_path }}" \
+            "docker://$image:latest"
+          echo ""
+          echo "✨ Images pushed!"
+          echo ""
+          echo "$image:$version"
+          echo "$image:latest"