ci: add devenv test to code checks

[xenOs76]

Summary by CodeRabbit

• Infrastructure

  • CI workflow renamed and triggers refined; job names consolidated and parallelism limited.
  • Go version matrix standardized across checks and release pipeline; release job updated.
  • Nix-based environment added to CI for reproducible builds and pre-commit checks.

• New Features

  • Automated certificate-refresh task added to run before the web server starts.

• Chores

  • Some test-run entries temporarily commented out to adjust test execution.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Renames and updates CI workflows, adds Nix/Cachix-based devenv install and a devenv test step in CodeChecks, adjusts Release workflow Go/qemu/GoReleaser settings, and adds a devenv task web:refreshCertsBeforeNginxStart that removes a tests dir and runs create-certs before nginx starts.

Changes

Cohort / File(s)	Summary
CI workflow: CodeChecks ​.github/workflows/codeChecks.yml	Renames workflow to "CodeChecks"; extends push path triggers (adds .github/workflows/codeChecks.yml and devenv.*), renames job to code_checks, adds strategy: max-parallel: 1, retains Go matrix (1.24, 1.25), and inserts Nix/Cachix/devenv steps (cachix/install-nix-action@v31, cachix/cachix-action@v16, nix profile add nixpkgs#devenv, build/run devenv test with 15m timeout) while keeping existing checkout/setup-go/build/test/vuln-check steps.
CI workflow: Release ​.github/workflows/release.yml	Adds a Go matrix with go-version: '1.25' for the goreleaser job, upgrades setup-qemu-action to v3, uses matrix.go-version for setup-go, updates GoReleaser step to version: "~> 2" with args: release --clean and explicit workdir, adds a "Refresh Go Report Card" step, and capitalizes job name to Release.
Devenv configuration devenv.nix	Adds public task tasks."web:refreshCertsBeforeNginxStart" with exec that removes ${config.env.DEVENV_ROOT}/tests if present and runs create-certs, registered before = ["devenv:processes:nginx"]; comments out test-requests-k3s and run-go-tests entries in test-related sections.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect .github/workflows/codeChecks.yml for correct trigger paths, matrix preservation, and max-parallel placement.
• Verify Cachix/Nix action inputs, GitHub token usage, and nix profile add nixpkgs#devenv invocation.
• Confirm the devenv test command, timeout semantics, and any required environment variables.
• Review devenv.nix task shell snippet for safe path handling and correct ${config.env.DEVENV_ROOT} expansion.
• Check before = ["devenv:processes:nginx"] ordering semantics and commented-out test entries for intended effect.

Poem

🐰 I hopped through CI with nimble paws,
Cached Nix shells and tidy cause,
I swept old tests and made fresh keys,
Nudged nginx gently, soft as breeze,
A rabbit hums: safe builds and peaceful laws 🌿

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding devenv test execution to the code checks workflow, as evidenced by the new devenv-related steps and task in devenv.nix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/add_devenv_action

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9184802 and 2d8848b.

📒 Files selected for processing (1)

• .github/workflows/codeChecks.yml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/codeChecks.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: code_checks (1.24)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/codeChecks.yml (1)

44-52: Nice addition: devenv integration into CI.

The Nix and devenv setup steps are correctly configured. The workflow will now validate the devenv environment and run pre-commit hooks.

Optional: Consider adding Nix store caching and a timeout

To improve CI performance and reliability:

1. Add Nix store caching to speed up subsequent runs:

      - uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - uses: cachix/cachix-action@v16
        with:
          name: devenv

2. Add a timeout to prevent indefinite hangs:

      - name: Build the devenv shell and run any pre-commit hooks
        run: devenv test
+        timeout-minutes: 15

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb6cd8d and 38d80a3.

📒 Files selected for processing (2)

• .github/workflows/codeChecks.yml (2 hunks)
• devenv.nix (2 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 10
File: internal/requests/requests_test.go:918-997
Timestamp: 2025-11-29T14:05:35.000Z
Learning: In the https-wrench tool test suite (xenOs76/https-wrench repository), the user wants to be reminded in the future about potentially adding MinVersion enforcement to TLS configurations in test code, once legacy server compatibility becomes less critical.

📚 Learning: 2025-11-15T17:16:55.075Z

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

Applied to files:

• .github/workflows/codeChecks.yml
• devenv.nix

🔇 Additional comments (4)

.github/workflows/codeChecks.yml (2)

17-17: LGTM: Simplified to Go 1.25 only.

The matrix now tests exclusively with Go 1.25, streamlining the CI workflow.

---

44-45: Both cachix/install-nix-action@v31 and cachix/cachix-action@v16 are already at current stable versions. Major tags like v31 point to the latest minor/patch release in line with how most GitHub actions manage releases, and v31.4.0 is the latest release. v16 is the latest release for cachix-action.

devenv.nix (2)

151-157: LGTM: Clean cert refresh before nginx starts.

The task correctly removes stale test artifacts and regenerates TLS certificates before nginx processes start. The conditional directory check (test -d ... &&) prevents errors when the directory doesn't exist.

---

626-626: LGTM: Avoids duplicate Go test execution.

Commenting out run-go-tests in the enterTest script is appropriate since the GitHub Actions workflow already runs go test -v ./... (line 35 of codeChecks.yml). The enterTest script now focuses on integration and CLI tests without redundancy.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

21-23: Simplify single-version matrix to direct version string.

The matrix strategy with a single Go version ['1.25'] adds unnecessary complexity. Consider using a direct version string instead.

🔎 Apply this diff to simplify the configuration:

     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: ['1.25']
-

       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version: '1.25'

Also applies to: 51-51

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38d80a3 and dbec28d.

📒 Files selected for processing (3)

• .github/workflows/codeChecks.yml (2 hunks)
• .github/workflows/release.yml (2 hunks)
• devenv.nix (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 10
File: internal/requests/requests_test.go:918-997
Timestamp: 2025-11-29T14:05:35.000Z
Learning: In the https-wrench tool test suite (xenOs76/https-wrench repository), the user wants to be reminded in the future about potentially adding MinVersion enforcement to TLS configurations in test code, once legacy server compatibility becomes less critical.

📚 Learning: 2025-11-15T17:16:55.075Z

Learnt from: xenOs76
Repo: xenOs76/https-wrench PR: 5
File: devenv.nix:569-569
Timestamp: 2025-11-15T17:16:55.075Z
Learning: In the xenOs76/https-wrench repository, the devenv.nix test environment is local-only without GitHub CI integration, so automatic dependency updates in enterTest are acceptable for the maintainer's workflow.

Applied to files:

• devenv.nix

🪛 actionlint (1.7.9)

.github/workflows/release.yml

39-39: the runner of "docker/setup-qemu-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (4)

.github/workflows/codeChecks.yml (2)

6-7: LGTM! Path triggers correctly include workflow and devenv files.

Adding the workflow file itself and devenv.* patterns to the path triggers ensures CI runs when the test environment or workflow configuration changes.

---

59-61: LGTM! devenv test integration looks good.

The devenv test step with a 15-minute timeout appropriately integrates the Nix-based test environment into CI, aligning with the PR objective.

devenv.nix (1)

526-526: Verify if disabling k3s test is intentional.

The test-requests-k3s has been commented out. If this is because k3s infrastructure is unavailable in the CI environment, consider adding a comment explaining why it's disabled.

Is k3s infrastructure available in the CI environment? If not, consider adding a comment:

-    #test-requests-k3s
+    # k3s test disabled - requires k3s cluster not available in CI

.github/workflows/release.yml (1)

34-36: The Nix installation step is necessary for this workflow. GoReleaser's configuration explicitly includes a Nix build step (see .goreleaser.yaml lines 167 and 174 which reference nix: and pkgs/https-wrench/default.nix). The cachix/install-nix-action provides the Nix environment required for GoReleaser to execute this build configuration.

Likely an incorrect or invalid review comment.