set up CI, project templates, monorepo management #70
Conversation
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
- use nix build .#<package> to build a package - use nix and direnv to load dev shells Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
chore: set up dev shell Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
create a blank folder with a - README.md - CONTRIBUTE.md - .envrc - .gitignore - flake.nix Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
recurse through all projects, running - project-lint - project-build - project-test Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
every time a branch is pushed - project-lint - project-build - project-test Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
do not allow a branch to be merged if it is not already up to date with the branch it is merging into Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
- @designbyajay owns the entire repo Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
tag main iterates through commits merged to main, and tags every commit that contains a project with a semver bump Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
Signed-off-by: Ajay Ganapathy <ajay@incremental.design>
There was a problem hiding this comment.
Pull request overview
This PR establishes a comprehensive monorepo infrastructure using Nix for reproducible builds and development environments. It sets up CI/CD pipelines through GitHub Actions, implements git hooks for commit validation, and provides project templates for creating new projects in various languages.
Key Changes:
- Nix-based development environment with cross-platform support (x86_64-linux, aarch64-linux, x86_64-darwin, aarch64-darwin)
- GitHub Actions workflows for validating commits, enforcing rebase-only merges, and auto-tagging releases
- Git hooks for commit message linting and pre-push validation
Reviewed changes
Copilot reviewed 27 out of 29 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| flake.nix | Main Nix flake defining development shells and configuration; includes extensive educational comments |
| flake.lock | Dependency lock file for reproducible builds |
| README.md | Repository overview with ASCII art logo |
| CONTRIBUTE.md | Comprehensive contribution guidelines covering workflow, project structure, and coding standards |
| .gitignore | Whitelist-based ignore patterns for the monorepo root |
| .envrc | Direnv integration for automatic environment loading |
| .github/workflows/push.yml | CI workflow validating commits across all platforms |
| .github/workflows/merge.yml | Workflow enforcing fast-forward merge requirements |
| .github/workflows/tagMain.yml | Auto-tagging workflow for semantic version bumps |
| .github/workflows/.gitignore | Whitelist for workflow files |
| .github/CODEOWNERS | Code ownership configuration |
| .config/stubProject.nix | Project scaffolding script generator |
| .config/recurse.nix | Script for recursively running commands across projects |
| .config/lintCommit.nix | Commit message linting implementation |
| .config/devShell.nix | Core development shell configuration with wrapped commands |
| .config/installGitHooks.nix | Git hooks installation script |
| .config/importFromLanguageFolder.nix | Dynamic language configuration loader |
| .config/configZed.nix | Zed editor configuration generator |
| .config/configVscode.nix | VS Code configuration generator |
| .config/commitlintConfig.nix | Conventional commits configuration |
| .config/CONTRIBUTE.md | Guide for adding new language support |
| .config/.gitignore | Whitelist for config folder |
| .config/.envrc | Config folder direnv setup |
| .config/language-nix/* | Nix language support files (devShell, editor configs, project stub) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| elif [ -e "$name" ]; then | ||
| echo "$name already exists" >&2 | ||
| exit 1 | ||
| elif [[ ! "$name" =~ ^[a-z][a-z\/-]*[a-z]$ ]]; then |
There was a problem hiding this comment.
The regex pattern allows project names ending with a forward slash (e.g., "my/project/") which could lead to directory creation issues. The pattern should be updated to prevent trailing slashes while still allowing internal slashes for nested projects.
There was a problem hiding this comment.
I double-checked this. It is not possible to add a trailing slash to a directory name
| local dir="$*" | ||
| cd "$dir" | ||
|
|
||
| direnv allow |
There was a problem hiding this comment.
This script calls direnv allow automatically for every discovered project directory, which effectively executes arbitrary .envrc shell code from the repository without explicit user review. A malicious contributor can add a crafted .envrc in a new project directory, and as soon as another developer runs project-*-all or triggers the pre-push hook, that .envrc will be trusted and executed, enabling remote code execution on their workstation. Instead of auto-running direnv allow, require manual approval per directory (or restrict execution to an explicit allowlist of known-safe .envrc locations) so untrusted .envrc files cannot be executed implicitly.
| direnv allow |
There was a problem hiding this comment.
I understand the issue with remote code execution. However, this exact same issue exists whenever you pull a devtool from npm or write any build script.
The way to be safe in this case is to run in a sandbox. No one is forcing a user to run this on their local machine. they can run in a container that supplies a nix installation if they wish
set up a .config folder with nix scripts that make commands for creating projects, linting, building, testing and publishing them. Set up githooks for pre-push and commit msg. Set up .github actions folder for post-push, pre-merge, post-merge actions