feat: add direnv gitignore, migrate flake to use pnpm, and create automatic hash update script (added to github action made bot sign the cla)
#366
Conversation
|
I have read the CLA Document and I hereby sign the CLA 1 out of 2 committers have signed the CLA. |
|
I have read the CLA Document and I hereby sign the CLA |
|
Thanks! One CODEX.md, why would we want to add it to .gitignore? It should be pretty universal, so what is the thinking here? |
|
Ope. thought the idea was to add more specific context to a goal in CODEX.md. I'll remove it from gitignore |
remove CODEX.md from .gitignore
|
This change is based on the package-lock.json, however we are using pnpm since #287. Could you update the logic to reflect? |
|
Yes I will update the logic to reflect. Thanks for switching to pnpm I like it alot more! |
.github/workflows/ci.yml
Outdated
| update-nix-hash: | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| permissions: | ||
| contents: write # Needed for push access | ||
| pull-requests: write # Needed for PR creation |
There was a problem hiding this comment.
Just flagging this for awareness, this job introduces write access from CI for the first time (excluding the CLA Assistant, which already operates with elevated perms via pull_request_target).
It’s scoped well (only runs on push to main) so it won’t run on PRs or forks. That said, it does slightly shift the trust boundary, merging into main will now trigger a job that can push branches and open PRs back to the repo.
No action needed here, but it might be worth making sure folks reviewing automation changes are aware of that shift. If main isn’t already protected, enabling “require PRs before merging” and disallowing force-pushes/deletion would be good hardening steps for this kind of setup.
There was a problem hiding this comment.
since this job is the only one in ci.yml with write permissions, it might be worth considering moving it to a separate workflow file (e.g. update-nix-hash.yml). That could make it easier to see at a glance which workflows mutate the repo and which are strictly read-only CI.
Also worth noting, the script update-nix-hash.sh will be run with elevated permissions and therefore also needs special attention during review to ensure it is not going to smuggle a secret, accidentally commit something, and that it’s not vulnerable to input injection (e.g. using PR metadata like branch names in shell commands without quoting).
|
I updated the flake and hash updater to use pnpm, let me know if the github action step to update the flake hash should be it's own action. |
|
I updated the flake to use pnpm. Please let me know if you want any other changes |
|
Just updated the bot to sign the CLA since the CLA is failing |
made bot sign the cla)
|
@conneroisu Sorry im still new to nix/flakes so if this question is beside the point of this PR then please ignore it but if if i run ~ ❯ nix run github:conneroisu/codex --extra-experimental-features nix-command --extra-experimental-features flakes
error: unable to execute '/nix/store/z4cwhcbj786xlw82y3mx1w3m5nxy1l4g--openai-codex-0.1.2504251709/bin/@openai/codex': No such file or directoryAdditionally when i include this in my flake it seems to download correctly and runs without any errors however |
|
@peteringram0 You are correct. Additionally, it should now add to the path correctly. Thanks! |
That update is working now! I notice though that it it exports 'codex-cli' rather than just default. This requires people to look into the flake and out what thats needed. Maybe an idea to make |
|
@conneroisu i think in packages you can have a 'default' and just equal to 'codex-cli'. Like this: https://github.com/helix-editor/helix/blob/master/flake.nix#L50 |
|
@peteringram0 yep, didn't even see your comment, but updated to have both codex-cli, default, and the |
latest version doesnt seem to support .default but does still work with .codex-cli |
This automated commit updates the pnpm deps hash hash in flake.nix to match the latest hash of the workspace's pnpm-lock.yaml file. This ensures that Nix's store is consistent with the latest dependencies.
This pull request updates the
flake.nixfile to improve its structure and maintainability. The most important changes include reformatting theoutputsattribute for better readability and updating thecodex-clipackage definition to use a local path and a new hash fornpmDepsHash.Structural improvements:
outputsattribute to use a block-style layout, making it more readable and consistent with common Nix practices.Package definition updates:
codex-clipackage definition to use a local path (./codex-cli) for thesrcattribute instead of a relative reference (self + "/codex-cli").npmDepsHashforcodex-clito a new value (sha256-UkvkaM7tvVlio0st8UA45x8wQ+q423BTzshsmdmmO2o=), reflecting updated dependencies.Autonomous Update for the future: