Commit ee67062

feat(nix): integrate uv2nix for Python dependency management (#88)
* feat(nix): integrate uv2nix for Python dependency management

Replace uv-managed .venv with Nix-managed Python environments using uv2nix. This provides fully reproducible builds with dependencies cached in the Nix store, eliminating the need for uv sync in CI.

Key changes:
- Add uv2nix, pyproject-nix, and pyproject-build-systems inputs
- Create devShells for Python 3.11 and 3.13 (default, python311, python313)
- Add build system overrides for pypika (setuptools) and stackone-ai (editables)
- Update CI matrix to use nix develop .#pythonXXX instead of uv sync
- Simplify setup-nix action with gc-max-store-size for cache management
- Add lint-fix alias to justfile

The .venv directory is no longer needed as all dependencies are managed by Nix. Both Nix and non-Nix users can still use uv run commands which will work in either environment.

* fix(ci): add python-version to cache key for parallel jobs

Separate cache keys per Python version to prevent cache overwrites when matrix jobs run in parallel. Default to python311 since it matches the default devShell.

* fix(nix): set VIRTUAL_ENV for ty to find site-packages

ty needs VIRTUAL_ENV to locate the Python environment's site-packages. Without this, ty looks for .venv which doesn't exist in the Nix environment.

Also update justfile to conditionally use 'uv run' prefix only when not in a Nix environment (detected via VIRTUAL_ENV). This makes commands work for both Nix and non-Nix users.

* ci: add build-cache job to pre-build Nix environments

Add a dedicated build-cache job that runs before other CI jobs to pre-populate the Nix store cache. This ensures that subsequent parallel jobs (gitleaks, ci matrix, coverage) can benefit from the cached derivations instead of each rebuilding from scratch.

The build-cache job:
- Runs as a matrix for both python311 and python313
- Builds the Nix development environment
- Saves the cache via cache-nix-action for downstream jobs

gitleaks, ci, and coverage jobs now depend on build-cache to ensure cache is available before they run.

* ci: include lockfile hash in cache key for proper invalidation

Add flake.lock and uv.lock hash to the cache key so that:
- Cache is saved when dependencies change (new hash = new key)
- Old cache is still restored via restore-prefixes-first-match
- Incremental updates build on previous cache

This ensures cache hits do not prevent saving updated derivations while still benefiting from partial cache restoration.

* ci: remove build-cache job as lockfile hash handles invalidation

Now that cache keys include lockfile hashes, proper invalidation happens automatically. Each job can build and save its own cache, making the dedicated build-cache job unnecessary.

* ci: add pyproject.toml and src to cache key hash

Include pyproject.toml and src/**/*.py in the cache key hash since source changes affect the editable install derivation.
1 parent daa1a7e commit ee67062

5 files changed

+268
-84
lines changed

Lines changed: 10 additions & 5 deletions
@@ -1,5 +1,10 @@
11
name: "Setup Nix"
22
description: "Install Nix and configure cache"
3+
inputs:
4+
python-version:
5+
description: "Python version for cache key (e.g., python311, python313)"
6+
required: false
7+
default: "python311"
38
runs:
49
using: "composite"
510
steps:
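
Review bot: The new `python-version` input is described only as a cache-key fragment ("Python version for cache key"), but the callers in ci.yaml pass the same string as a flake devShell attribute (`.#python311`). State in the description that the value must be a devShell name, or rename the input to something like `devshell`, so that nobody passes "3.11" and silently lands in a separate cache namespace. With `required: false` and a default, a caller that omits the input gets the python311 key without any signal; consider making it required if every job is expected to choose.
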
@@ -11,8 +16,8 @@ runs:
1116
- name: Cache Nix store
1217
uses: nix-community/cache-nix-action@b426b118b6dc86d6952988d396aa7c6b09776d08 # v7
1318
with:
14-
primary-key: nix-${{ runner.os }}
15-
16-
- name: Load Nix development environment
17-
shell: bash
18-
run: nix develop --command true
19+
primary-key: nix-${{ runner.os }}-${{ inputs.python-version }}-${{ hashFiles('flake.lock', 'uv.lock', 'pyproject.toml', 'src/**/*.py') }}
20+
restore-prefixes-first-match: |
21+
nix-${{ runner.os }}-${{ inputs.python-version }}-
22+
nix-${{ runner.os }}-
23+
gc-max-store-size: 4G
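
Review bot: Including `'src/**/*.py'` in `hashFiles(...)` on the `primary-key` line means almost every commit yields a new key, so each matrix entry saves another store archive of up to `gc-max-store-size: 4G` per push. Nothing in this step purges older entries, so the repository's cache quota will be cycled by eviction rather than by intent. Consider hashing only the lockfiles and `pyproject.toml` and letting the editable-install derivation rebuild on top of the restored store, or configure the action's purge settings alongside this key. Separately, the second restore prefix `nix-${{ runner.os }}-` accepts any store saved under this scheme, including the other Python version's; that is a reasonable fallback, but a comment saying it is deliberate would help, since restored store paths are used as-is rather than rebuilt.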

.github/workflows/ci.yaml

Lines changed: 6 additions & 15 deletions
@@ -34,12 +34,7 @@ jobs:
3434
runs-on: ubuntu-latest
3535
strategy:
3636
matrix:
37-
python-version: ["3.11", "3.13"]
38-
include:
39-
- python-version: "3.11"
40-
sync-extras: "--all-extras"
41-
- python-version: "3.13"
42-
sync-extras: "--all-extras"
37+
python-version: ["python311", "python313"]
4338
steps:
4439
- name: Checkout repository
4540
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -48,18 +43,17 @@ jobs:
4843

4944
- name: Setup Nix
5045
uses: ./.github/actions/setup-nix
51-
52-
- name: Install dependencies
53-
run: nix develop --command just install ${{ matrix.sync-extras }}
46+
with:
47+
python-version: ${{ matrix.python-version }}
5448

5549
- name: Run Lint
56-
run: nix develop --command just lint
50+
run: nix develop .#${{ matrix.python-version }} --command just lint
5751

5852
- name: Run Ty
59-
run: nix develop --command just ty
53+
run: nix develop .#${{ matrix.python-version }} --command just ty
6054

6155
- name: Run Tests
62-
run: nix develop --command just test
56+
run: nix develop .#${{ matrix.python-version }} --command just test
6357

6458
coverage:
6559
runs-on: ubuntu-latest
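
Review bot: The three `run:` lines expand `${{ matrix.python-version }}` straight into the shell command (`nix develop .#${{ matrix.python-version }} --command just lint`). The values are fixed strings in this matrix today, but passing the value through `env:` and referencing it as a quoted shell variable (for example `nix develop ".#$DEVSHELL" --command just lint`, with `DEVSHELL` as a name chosen here) keeps the steps safe if the matrix is ever fed from a workflow input or another job's output. A short comment that the "Install dependencies" step was dropped because the devShell now carries the dependencies would also help, since the matrix no longer has `sync-extras` to hint at it.
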
@@ -73,9 +67,6 @@ jobs:
7367
- name: Setup Nix
7468
uses: ./.github/actions/setup-nix
7569

76-
- name: Install dependencies
77-
run: nix develop --command just install --all-extras
78-
7970
- name: Run Tests with Coverage
8071
run: nix develop --command just coverage
8172

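
Review bot: The coverage job's `uses: ./.github/actions/setup-nix` has no `with:` block, so it takes the action's default `python-version` of `python311` and computes the same primary key as the `python311` matrix entry, while `nix develop --command just coverage` enters the default devShell rather than a named one. Both rely on defaults staying aligned. Pass `python-version: python311` and use `nix develop .#python311` here, or give coverage its own key suffix, so that the cache key and the environment are tied together explicitly and the per-version key separation added for the matrix also covers this job.
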
flake.lock

Lines changed: 87 additions & 15 deletions
Some generated files are not rendered by default.
