3 files changed, 56 insertions, 43 deletions

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 365325d..c3f7a7e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,39 +5,60 @@ on:
     branches: [main]
     paths:
       - "**.nix"
-      - "flake.lock"
       - "**.rs"
-      - "Cargo.toml"
+      - ".github/workflows/ci.yaml"
       - "Cargo.lock"
+      - "Cargo.toml"
+      - "flake.lock"
   pull_request:
     paths:
       - "**.nix"
-      - "flake.lock"
       - "**.rs"
-      - "Cargo.toml"
+      - ".github/workflows/ci.yaml"
       - "Cargo.lock"
+      - "Cargo.toml"
+      - "flake.lock"
   workflow_dispatch:
 
 jobs:
   build:
     name: Build
 
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Setup Rust cache
-        uses: Swatinem/rust-cache@v2
+        uses: actions-rust-lang/setup-rust-toolchain@v1
 
       - name: Run build
         run: |
           cargo build --locked --release
 
+  nix:
+    name: Nix
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v7
+
+      - name: Run build
+        run: nix build --print-build-logs --show-trace
+
   treefmt:
     name: Treefmt
 
@@ -52,11 +73,11 @@ jobs:
 
       - name: Run check
         run: |
-          nix flake check --print-build-logs --show-trace
+          nix fmt -- --fail-on-change
 
   release-gate:
     name: CI Release gate
-    needs: [build, treefmt]
+    needs: [build, nix, treefmt]
 
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
index 2d3ea70..c94f6ce 100644
--- a/.github/workflows/clippy.yaml
+++ b/.github/workflows/clippy.yaml
@@ -3,15 +3,17 @@ name: Clippy
 on:
   push:
     paths:
-      - 'Cargo.toml'
-      - 'Cargo.lock'
       - '**.rs'
+      - '.github/workflows/clippy.yaml'
+      - 'Cargo.lock'
+      - 'Cargo.toml'
     branches: [main]
   pull_request:
     paths:
-      - 'Cargo.toml'
-      - 'Cargo.lock'
       - '**.rs'
+      - '.github/workflows/clippy.yaml'
+      - 'Cargo.lock'
+      - 'Cargo.toml'
   workflow_dispatch:
 
 jobs:
@@ -27,33 +29,21 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          components: "clippy"
-
-      - name: Setup Rust cache
-        uses: Swatinem/rust-cache@v2
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
 
-      - name: Install SARIF tools
-        run: |
-          cargo install clippy-sarif sarif-fmt
-
-      - name: Fetch Cargo deps
-        run: |
-          cargo fetch --locked
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v7
 
       - name: Run Clippy
-        continue-on-error: true
+        id: clippy-run
         run: |
-          cargo clippy \
-            --all-features \
-            --all-targets \
-            --message-format=json \
-          | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt
+          nix build --print-build-logs .#checks.x86_64-linux.clippy-sarif
+          [ -L result ] || exit 1
+          echo "sarif-file=$(readlink -f result)" >> "$GITHUB_OUTPUT"
 
       - name: Upload results
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: /tmp/clippy.sarif
+          sarif_file: ${{ steps.clippy-run.outputs.sarif-file }}
           wait-for-processing: true
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 4fba73a..efce40e 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -5,17 +5,19 @@ on:
     branches: [main]
     paths:
       - "**.nix"
-      - "flake.lock"
       - "**.rs"
-      - "Cargo.toml"
+      - ".github/workflows/docker.yaml"
       - "Cargo.lock"
+      - "Cargo.toml"
+      - "flake.lock"
   pull_request:
     paths:
       - "**.nix"
-      - "flake.lock"
       - "**.rs"
-      - "Cargo.toml"
+      - ".github/workflows/docker.yaml"
       - "Cargo.lock"
+      - "Cargo.toml"
+      - "flake.lock"
   workflow_dispatch:
 
 jobs:
@@ -25,7 +27,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [x86_64, arm64]
+        arch: [amd64, arm64]
 
     runs-on: ubuntu-latest
 
@@ -111,7 +113,7 @@ jobs:
         env:
           TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
         run: |
-          architectures=("x86_64" "arm64")
+          architectures=("amd64" "arm64")
           for arch in "${architectures[@]}"; do
             docker load < images/container-"$arch"/*.tar.gz
             docker tag nixpkgs-tracker-bot:latest-"$arch" "$TAG"-"$arch"
@@ -119,7 +121,7 @@ jobs:
           done
 
           docker manifest create "$TAG" \
-            --amend "$TAG"-x86_64 \
+            --amend "$TAG"-amd64 \
             --amend "$TAG"-arm64
 
           docker manifest push "$TAG"