Review SCM files and security updates (#6) #17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Guix/Nix Package Policy | |
| on: [push, pull_request] | |
| jobs: | |
| check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Enforce Guix primary / Nix fallback | |
| run: | | |
| # Check for package manager files | |
| HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1) | |
| HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1) | |
| # Block new package-lock.json, yarn.lock, Gemfile.lock, etc. | |
| NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true) | |
| if [ -n "$NEW_LOCKS" ]; then | |
| echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility." | |
| fi | |
| # Prefer Guix, fallback to Nix | |
| if [ -n "$HAS_GUIX" ]; then | |
| echo "✅ Guix package management detected (primary)" | |
| elif [ -n "$HAS_NIX" ]; then | |
| echo "✅ Nix package management detected (fallback)" | |
| else | |
| echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds" | |
| fi | |
| echo "✅ Package policy check passed" |