Add Nix support

[srid]

Adds Nix flake support so bkt can be installed and run reproducibly on NixOS, nix-darwin, Linux, and macOS:

nix run github:avivsinai/bitbucket-cli -- --version
nix profile install github:avivsinai/bitbucket-cli

New to Nix? See Nix First.

Changes

• flake.nix — packages.default, apps.default, devShells.default (go, gopls, gotools, golangci-lint). Version is stamped from the short git rev via ldflags.
• .github/workflows/nix.yml — builds and smoke-tests the flake on ubuntu-latest and macos-latest.
• README.md — new Installation subsection covering nix run / nix profile install / ref-pinning.

vendorHash is pinned to the current go.sum; CI fails loudly on drift. Commits are DCO-signed.

Context: came up while wiring bkt into srid/agency#10. Related: #121.

[avivsinai]

Triage note: the diff is scoped and reasonable, and I don't see a blocking code/design issue in the flake or workflow itself.

What is still missing is an actual Nix verification signal. This machine does not have nix installed, and the PR currently does not show a successful Nix workflow run, so the next action here is a real nix flake check / nix build .#default verification from an environment that has Nix available.

[srid]

I can confirm nix build works locally. Also the PR includes GitHub workflows to run both nix flake check and nix build in CI, but it may require repo maintainer's approval and acceptance to actually begin running. @avivsinai

[avivsinai]

I want to push back on one design choice before we merge this.

The flake currently sets doCheck = false in flake.nix, which disables the entire Go test suite for the Nix build. For an OSS project, I don't think we should ship that as the default unless there is a concrete, documented reason that the tests cannot run in the Nix sandbox.

Why I'm pushing on this:

• buildGoModule runs checks by default; the idiomatic direction is to keep checks on and only narrow them if specific tests are sandbox-incompatible.
• go test ./... passes on this repo today.
• If a few tests need extra tools under Nix, the targeted fix is things like nativeCheckInputs = [ pkgs.git ]; and/or selective checkFlags, not a blanket doCheck = false.

So I think this PR should do one of these before merge:

1. Remove doCheck = false and make the test phase pass under Nix.
2. If there is a real blocker, document the exact failing tests/tooling constraint in the flake and scope the workaround as narrowly as possible.

The rest of the PR looks reasonable for a first flake integration:

• exposing packages.default / apps.default / devShells.default is fine
• buildGoModule + vendorHash + subPackages = [ "cmd/bkt" ] is the right overall shape
• the Linux/macOS workflow is the right platform coverage

Non-blocking notes:

• nix flake check --no-build is more of an eval pass than a real build check; the separate nix build .#default step is what actually proves the package builds.
• cachix/install-nix-action already enables nix-command and flakes, so the explicit experimental-features stanza is redundant, though harmless.

References:

• Nixpkgs Go packaging manual (buildGoModule): https://ryantm.github.io/nixpkgs/languages-frameworks/go/
• nix flake check reference: https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-check
• install-nix-action defaults: https://github.com/marketplace/actions/install-nix

[srid]

@avivsinai Done!

[srid]

https://github.com/nixbuild/nix-quick-install-action is also preferable because it is faster in general. And I've been using it in several projects. The AI defaults to cachix action (or DetSys action) for some reason.

[avivsinai]

Thanks for pushing on Nix support. I think there are a few merge blockers here, mainly because this changes user-visible product behavior rather than just adding another packaging path.

1. flake.nix:14-30 breaks the version contract for Nix installs. The flake derives version from self.rev and injects that short SHA into internal/build.versionFromLdflags. internal/build/info.go:18-26 then prefers that value over Go build metadata. That means a tag-pinned install like github:avivsinai/bitbucket-cli/v0.24.1 will report a commit hash from bkt --version, not the release version. For a CLI, version output is part of the product contract; Nix installs should not behave differently from the official binaries.

2. The Nix build currently drops the Cloud OAuth ldflags that the release binaries carry. flake.nix:26-30 only sets versionFromLdflags, while .goreleaser.yaml:22-28 also injects pkg/oauth.cloudClientID and pkg/oauth.cloudClientSecret. As a result, bkt auth login --kind cloud --web will fail for Nix users at pkg/cmd/auth/auth.go:318-321. If Nix is presented in the README as a first-class install path, that auth flow needs to work or be called out explicitly.

3. .github/workflows/nix.yml:25-27 regresses the repo’s current GitHub Actions hardening by using floating action tags instead of pinned SHAs. The existing workflows already pin actions, for example .github/workflows/ci.yml:22-24, and I think we should keep the same supply-chain bar here.

Stepping back: gh itself is a useful reference point here. It treats packaging as part of the product surface, not just distribution plumbing. That means keeping version output stable, keeping auth behavior consistent, and keeping CI hygiene aligned with the rest of the repo.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[avivsinai]

Thanks for pushing this through. The mechanics are green now, and I’m happy with merging this as an additional packaging path.