## Goal

Finish relocating the org's Nix CI to dryvist/.github. The reusable Nix workflows (`_nix-validate.yml`, `_nix-build.yml`) now live here (#13). The remaining consumers still reference the copies in JacobPEvans-personal/.github. Repoint them, then remove the orphaned personal copies.

## Background

- dryvist/.github: feat(workflows): add reusable Nix validate/build templates (#13)
- `dryvist/*` added to the zizmor trusted-publisher policy in #13 so `@main` self-references pass `unpinned-uses`.

## Repoint consumers (one PR per repo, DRYVIST tier, SSH)

Swap only the `uses:` owner segment `JacobPEvans-personal/.github` → `dryvist/.github` for the Nix reusable workflows (`_nix-validate.yml`, `_nix-build.yml`), preserving path and `@main`. Test each repo's CI individually.

- dryvist/nix-darwin — `.github/workflows/ci-validate.yml` (and any `_nix-build` ref)
- dryvist/nix-ai — `.github/workflows/ci-gate.yml`
- dryvist/nix-home — `.github/workflows/ci-gate.yml`
- dryvist/nix-screenpipe (private) — `.github/workflows/ci-gate.yml`
- dryvist/nix-ai-server, dryvist/nix-pxe-bootstrap — on scaffold-branch merge

While repointing, confirm each repo's zizmor policy trusts the org self-references it uses. Note: `JacobPEvans-personal/*` is not in the trusted list, yet some consumers reference `JacobPEvans-personal/.github/...@main` for non-Nix shared workflows (`_markdown-lint`, `_file-size`, `_python-security`, `_osv-scan`) and currently pass — verify why (SHA-pinned? zizmor not scanning?) and add `JacobPEvans-personal/*: ref-pin` if those `@main` refs are real and unprotected.

## Remove orphaned personal copies (after all consumers repointed)

- `_nix-validate.yml` + `_nix-build.yml` from JacobPEvans-personal/.github — requires a gh-claude-private relaunch (PRIVATE tier); not doable from a DRYVIST session.

## Optional follow-ups

- dryvist/nix-claude-code full ci-gate parity (paths-filter + file-size + python-security + merge-gate) to match nix-ai.
- `deps-update-flake.yml` Determinate-installer usage across nix-home/nix-ai/nix-ai-server/nix-pxe-bootstrap.

Refs: #13
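The repoint step and the zizmor trust check from the sections above, as an added example that is not part of this issue or of any dryvist/.github code. It rewrites only the owner segment of `uses:` lines that point at the two Nix reusable workflows (path and `@main` preserved, every other `uses:` untouched) and then audits each `uses:` line against an owner-pattern policy. The policy model is a deliberately simplified reading of zizmor's `unpinned-uses` policies (`any`, `ref-pin`, `hash-pin`, most specific pattern wins), the `*: hash-pin` fallback is an assumption rather than a quoted zizmor default, and the sample `ci-gate.yml` text and its checkout SHA are constructed for the example.

```python
import re

# `uses: owner/repo[/path]@ref` on either a job (reusable workflow) or a
# step (`- uses:`). Path and ref are optional so bare action refs also match.
USES_RE = re.compile(
    r"^(?P<prefix>[ \t]*(?:-[ \t]+)?uses:[ \t]+)"
    r"(?P<owner>[^/\s]+)/(?P<repo>[^/\s@]+)"
    r"(?P<path>(?:/[^@\s]+)?)"
    r"(?:@(?P<ref>\S+))?[ \t]*$",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Values from the issue: only the two Nix reusable workflows move owner.
OLD_OWNER = "JacobPEvans-personal"
NEW_OWNER = "dryvist"
NIX_WORKFLOWS = {"_nix-validate.yml", "_nix-build.yml"}

# Simplified model of zizmor's unpinned-uses policies (an assumption):
# `any` accepts every ref, `ref-pin` needs some @ref, `hash-pin` needs a
# 40-hex commit SHA. `dryvist/*: any` mirrors the trusted-publisher entry
# the issue describes; the `*: hash-pin` fallback is assumed, not quoted.
POLICIES = {"dryvist/*": "any", "*": "hash-pin"}

# Constructed sample of a consumer's ci-gate.yml (not a real file).
SAMPLE_WORKFLOW = """\
name: ci-gate
on: [pull_request]
jobs:
  validate:
    uses: JacobPEvans-personal/.github/.github/workflows/_nix-validate.yml@main
  build:
    uses: JacobPEvans-personal/.github/.github/workflows/_nix-build.yml@main
  markdown-lint:
    uses: JacobPEvans-personal/.github/.github/workflows/_markdown-lint.yml@main
  file-size:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHA, constructed for the example
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
"""


def repoint_nix_uses(text: str) -> str:
    """Swap only the owner segment, only for the Nix reusable workflows."""
    def swap(m: re.Match) -> str:
        filename = m.group("path").rsplit("/", 1)[-1]
        if (m.group("owner") == OLD_OWNER and m.group("repo") == ".github"
                and filename in NIX_WORKFLOWS):
            ref = f"@{m.group('ref')}" if m.group("ref") else ""
            return f"{m.group('prefix')}{NEW_OWNER}/{m.group('repo')}{m.group('path')}{ref}"
        return m.group(0)  # any other uses: line is left exactly as it was
    return USES_RE.sub(swap, text)


def policy_for(slug: str, policies: dict) -> str:
    """Most specific matching pattern wins: owner/repo > owner/* > *."""
    owner = slug.split("/", 1)[0]
    for pattern in (slug, f"{owner}/*", "*"):
        if pattern in policies:
            return policies[pattern]
    return "hash-pin"  # assumed fallback when no pattern matches


def audit_uses(text: str, policies: dict = POLICIES) -> list:
    """Return (uses value, policy applied, passes) for every uses: line."""
    results = []
    for m in USES_RE.finditer(text):
        slug = f"{m.group('owner')}/{m.group('repo')}"
        ref = m.group("ref")
        policy = policy_for(slug, policies)
        passes = (
            policy == "any"
            or (policy == "ref-pin" and ref is not None)
            or (policy == "hash-pin" and ref is not None and bool(SHA_RE.match(ref)))
        )
        value = f"{slug}{m.group('path')}" + (f"@{ref}" if ref else "")
        results.append((value, policy, passes))
    return results


if __name__ == "__main__":
    repointed = repoint_nix_uses(SAMPLE_WORKFLOW)
    for label, text, pol in (
        ("before repoint", SAMPLE_WORKFLOW, POLICIES),
        ("after repoint", repointed, POLICIES),
        ("after adding JacobPEvans-personal/*: ref-pin", repointed,
         {**POLICIES, "JacobPEvans-personal/*": "ref-pin"}),
    ):
        print(f"== {label}")
        for value, policy, ok in audit_uses(text, pol):
            print(f"  {'PASS' if ok else 'FAIL'} [{policy}] {value}")
```

Run against the sample, the audit shows why the question in the note matters: after the repoint the two Nix refs pass under `dryvist/*`, but the `_markdown-lint` ref still points at the personal owner at `@main` and only passes once a `JacobPEvans-personal/*: ref-pin` entry exists. Feed it each consumer's real `ci-gate.yml` / `ci-validate.yml` to see which outcome applies before deciding whether that entry is warranted.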