Add flake.lock validation to CI pipeline (!14) · Merge requests · nix / gitlab-omnix-ci · GitLab

Daniel Firth requested to merge feature/add-flake-lock-validation into master Mar 02, 2026

Summary

Adds flake.lock validation to the CI pipeline to ensure lock files stay in sync with flake.nix changes.

Changes

New validate stage: Runs before devour stage
New validate-lockfile job: Executes nix flake lock --no-update-lock-file to verify lock file is current
Dependency: devour jobs now wait for lockfile validation to pass
ChangeLog: Updated for v0.5.0

Benefits

Catches developer errors: Detects when flake.nix inputs are changed but nix flake lock wasn't run
Fast failure: Validation runs early (~5-10s) before expensive builds
Clear feedback: Error message guides developers on how to fix
Zero false positives: Only fails on actual input mismatches, not cosmetic changes

Example

When a developer changes nixpkgs.url but forgets to regenerate the lock file:

validate-lockfile ................................. FAILED
❌ flake.lock is out of sync with flake.nix
Please run: nix flake lock

Testing

Validated that:

✅ Passes when flake.nix and flake.lock are in sync
✅ Fails when inputs are changed without updating lock
✅ Ignores cosmetic changes (comments, descriptions)

🤖 Generated with Claude Code

Edited Mar 02, 2026 by Daniel Firth