Improve CI

Author: jcf

.claude/skills/commit-all/SKILL.md

@@ -1,13 +1,17 @@
 ---
 name: commit-all
 description: Create atomic commits from all unstaged changes
-allowed-tools: Bash(git status, git diff*, git add, git commit, git log)
+allowed-tools: Bash(just fmt, git status, git diff*, git add, git commit, git log)
 ---
 
 # Commit All Unstaged Changes
 
 Create atomic commits from all unstaged changes.
 
+## Step 1: Format Code
+
+!`just fmt`
+
 ## Current State
 
 !`git status --short`

.claude/skills/commit/SKILL.md

@@ -1,19 +1,23 @@
 ---
 name: commit
 description: Create atomic commits from session changes only
-allowed-tools: Bash(git status, git diff*, git add, git commit, git log)
+allowed-tools: Bash(just fmt, git status, git diff*, git add, git commit, git log)
 ---
 
 # Commit Session Changes
 
 Create atomic commits for **only the changes we made together** in this session.
 
-## Step 1: Identify Session Changes
+## Step 1: Format Code
+
+!`just fmt`
+
+## Step 2: Identify Session Changes
 
 Review your tool use history from this conversation. List the files you edited
 using Edit or Write tools. These are "our changes."
 
-## Step 2: Cross-Reference with Git
+## Step 3: Cross-Reference with Git
 
 !`git status --short`
 
@@ -26,7 +30,7 @@ Only consider files that:
 
 Ignore any pre-existing uncommitted changes that weren't part of our work.
 
-## Step 3: Propose Atomic Commits
+## Step 4: Propose Atomic Commits
 
 Group related changes into logical commits. For each proposed commit, show:
 
@@ -39,7 +43,7 @@ Commit 2: <message>
   - path/to/other.clj
 ```
 
-## Step 4: Wait for Approval
+## Step 5: Wait for Approval
 
 Present the plan and ask: "Ready to create these commits?"
 

.claude/skills/sync-deps/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: sync-deps
+description: Synchronise Nix deps hash after changing deps.edn
+---
+
+# Sync Dependencies Hash
+
+Update the fixed-output derivation hash in `pkgs/bits-uberjar/default.nix` after
+changing `deps.edn`.
+
+## Background
+
+The uberjar build uses a fixed-output derivation (FOD) to cache Maven/Clojure
+dependencies. When `deps.edn` changes, the hash becomes stale and builds fail
+with a hash mismatch error containing the correct hash.
+
+## Process
+
+1. Read `pkgs/bits-uberjar/default.nix`
+
+2. Edit `depsHash` to an invalid value to force recomputation:
+
+   ```nix
+   depsHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+   ```
+
+3. Clear devenv cache: `rm -f .devenv/nix-eval-cache.db`
+
+4. Run: `devenv build outputs.bits-uberjar`
+
+   The build fails with a hash mismatch. Find the `got:` line containing the
+   correct hash (format: `sha256-...=`).
+
+5. Edit `depsHash` with the correct hash from the error output.
+
+6. Verify: `devenv build outputs.bits-uberjar`
+
+7. If verification fails, restore: `git checkout pkgs/bits-uberjar/default.nix`
+
+$ARGUMENTS

.forgejo/scripts/attic-push.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -eu
+
+# Push gcroots and their closures to Attic
+# This ensures future CI runs can fetch from Attic instead of cache.nixos.org
+for path in .devenv/gc/*; do
+  if [[ -L $path ]]; then
+    # Resolve symlink and push the actual store path with its closure
+    store_path=$(readlink -f "$path")
+    attic push invetica:invetica "$store_path" || true
+  fi
+done

.forgejo/scripts/attic-setup.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -eu
+
+usage() {
+  echo >&2 "Usage: ATTIC_TOKEN=<token> attic-setup.sh"
+}
+
+if [[ -z ${ATTIC_TOKEN:-} ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+attic login invetica https://attic.lan.invetica.co.uk "$ATTIC_TOKEN"
+attic use invetica:invetica

.forgejo/scripts/build.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -eu
+
+usage() {
+  echo >&2 "Usage: build.sh <output-name>"
+}
+
+if [[ $# -ne 1 ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+output=$1
+
+devenv build "outputs.$output"

.forgejo/scripts/filter-devenv.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# Filter devenv spinner noise from output
+grep -v '^[⠋⠙⠹⠸⠼⠴⠦⠧⠇✖]' || true

.forgejo/scripts/tag-image.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env zsh
+set -eu
+
+usage() {
+  echo >&2 "Usage: tag-image.sh <image-path> <arch>"
+}
+
+if [[ $# -ne 2 ]]; then
+  usage
+  exit 22 # EINVAL
+fi
+
+image_path=$1
+arch=$2
+
+podman load <"$image_path"
+
+version=$(podman images bits --format '{{.Tag}}' | head -1)
+echo "version=$version" >>"$GITHUB_OUTPUT"
+echo "Version: $version"
+
+image="ghcr.io/jcf/bits"
+podman tag "bits:$version" "$image:$version-$arch"
+echo "image=$image" >>"$GITHUB_OUTPUT"

.forgejo/workflows/bootstrap.yml

@@ -0,0 +1,55 @@
+name: Bootstrap
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main, morph]
+    paths:
+      - "pkgs/bits-ci/**"
+      - ".forgejo/workflows/bootstrap.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: nixos
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure Attic cache
+        env:
+          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+        run: .forgejo/scripts/attic-setup.sh
+
+      - name: Build CI container
+        id: build
+        run: |
+          set -o pipefail
+          image_path=$(.forgejo/scripts/build.sh bits-ci-amd64 2>&1 | .forgejo/scripts/filter-devenv.sh | head -1)
+          echo "image_path=$image_path" >> "$GITHUB_OUTPUT"
+
+      - name: Push closure to Attic cache
+        run: nix-store -qR "${{ steps.build.outputs.image_path }}" | xargs attic push invetica:invetica
+
+      - name: Push to Forgejo
+        env:
+          REGISTRY_AUTH_FILE: ${{ runner.temp }}/auth.json
+        run: |
+          echo "${{ secrets.FORGEJO_PKG_TOKEN }}" | skopeo login git.lan.invetica.co.uk -u jcf --password-stdin
+          version="$(date +%Y%m%d)-$(git rev-parse --short HEAD)"
+          image="git.lan.invetica.co.uk/jcf/bits/bits-ci"
+          skopeo copy \
+            "docker-archive:${{ steps.build.outputs.image_path }}" \
+            "docker://$image:$version"
+          skopeo copy \
+            "docker-archive:${{ steps.build.outputs.image_path }}" \
+            "docker://$image:latest"
+          echo ""
+          echo "✨ Images pushed!"
+          echo ""
+          echo "$image:$version"
+          echo "$image:latest"

.forgejo/workflows/ci.yml

@@ -0,0 +1,158 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main, morph]
+    paths-ignore:
+      - .forgejo/workflows/bootstrap.yml
+      - pkgs/bits-ci/**
+  pull_request:
+    branches: [main, morph]
+    paths-ignore:
+      - .forgejo/workflows/bootstrap.yml
+      - pkgs/bits-ci/**
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  packages: read
+
+env:
+  CI: true
+  IMAGE: git.lan.invetica.co.uk/jcf/bits/bits-ci:20260225-9a8b11c
+
+jobs:
+  check:
+    name: Check
+    runs-on: nixos
+    container:
+      image: ${{ env.IMAGE }}
+      credentials:
+        username: jcf
+        password: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check
+        run: just check
+
+  test:
+    name: Test
+    runs-on: nixos
+    container:
+      image: ${{ env.IMAGE }}
+      credentials:
+        username: jcf
+        password: ${{ github.token }}
+    services:
+      postgres:
+        image: postgres:17
+        env:
+          POSTGRES_USER: bits
+          POSTGRES_PASSWORD: please
+          POSTGRES_DB: bits_test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Cache Clojure deps
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.m2/repository
+            ~/.gitlibs
+            ~/.deps.clj
+          key: maven-${{ hashFiles('deps.edn') }}
+          restore-keys: maven-
+
+      - name: Wait for PostgreSQL
+        run: |
+          for i in $(seq 1 30); do
+            pg_isready -h postgres -p 5432 -U bits && exit 0
+            sleep 1
+          done
+          echo "Postgres failed to start"
+          exit 1
+
+      - name: Generate CSS
+        run: tailwindcss --input resources/tailwind.css --output resources/public/app.css
+
+      - name: Run tests
+        env:
+          CLUSTER_KEYSTORE_PASSWORD: correct-horse-battery-staple
+          DATABASE_URL: postgres://bits:please@postgres:5432/bits_test
+        run: just os=linux-x86_64 test --reporter documentation
+
+  build:
+    name: Build ${{ matrix.arch }}
+    runs-on: nixos
+    needs: [check, test]
+    if: github.event_name == 'push'
+
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            output: bits-container-amd64
+          - arch: arm64
+            output: bits-container-arm64
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure Attic cache
+        env:
+          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+        run: .forgejo/scripts/attic-setup.sh
+
+      - name: Build container
+        id: build
+        run: |
+          set -o pipefail
+          image_path=$(.forgejo/scripts/build.sh "${{ matrix.output }}" 2>&1 | .forgejo/scripts/filter-devenv.sh | head -1)
+          echo "image_path=$image_path" >> "$GITHUB_OUTPUT"
+
+      - name: Push to Attic cache
+        run: attic push invetica:invetica "${{ steps.build.outputs.image_path }}"
+
+      - name: Load and tag image
+        id: tag
+        run: .forgejo/scripts/tag-image.sh "${{ steps.build.outputs.image_path }}" "${{ matrix.arch }}"
+
+      - name: Push to ghcr.io
+        run: |
+          echo "${{ secrets.GH_TOKEN }}" | podman login ghcr.io -u jcf --password-stdin
+          podman push "${{ steps.tag.outputs.image }}:${{ steps.tag.outputs.version }}-${{ matrix.arch }}"
+
+    outputs:
+      version: ${{ steps.tag.outputs.version }}
+      image: ${{ steps.tag.outputs.image }}
+
+  manifest:
+    name: Create manifest
+    runs-on: nixos
+    needs: [build]
+    if: github.event_name == 'push'
+
+    steps:
+      - name: Login to ghcr.io
+        run: echo "${{ secrets.GH_TOKEN }}" | podman login ghcr.io -u jcf --password-stdin
+
+      - name: Create multi-arch manifest
+        run: |
+          image="${{ needs.build.outputs.image }}"
+          version="${{ needs.build.outputs.version }}"
+
+          # Create versioned manifest
+          podman manifest create "$image:$version" \
+            "$image:$version-amd64" \
+            "$image:$version-arm64"
+          podman manifest push "$image:$version" "docker://$image:$version"
+
+          # Create latest manifest
+          podman manifest create "$image:latest" \
+            "$image:$version-amd64" \
+            "$image:$version-arm64"
+          podman manifest push "$image:latest" "docker://$image:latest"