
feat: nix flake#1383

Merged
ryardley merged 50 commits into main from ry/nix-flake on Mar 26, 2026

Conversation

@ryardley
Member

@ryardley ryardley commented Mar 5, 2026

So I set up a nix flake over here that was doing some fancy stuff to sync versions but in reality it is way more useful to have a nix flake build directly off a specific commit.

This makes any version of enclave easy to install using nix by just pointing to the live github repo:

Eg.

nix develop github:gnosisguild/enclave/v0.1.16

Or a branch like this one:

nix develop github:gnosisguild/enclave/ry/nix-flake

Or even just a commit:

nix develop github:gnosisguild/enclave/68b180e6440d4ec58870a3ce66e4a64dea708c0c

You can also use refresh to update the local git cache and reinstall everything:

nix develop github:gnosisguild/enclave/ry/nix-flake --refresh

How to test this:

  1. Install the nix package manager: curl -fsSL https://install.determinate.systems/nix | sh -s -- install

  2. Uninstall enclave if you have it installed.

  3. Do this to get a devshell with everything installed:

    ❯ nix develop github:gnosisguild/enclave/ry/nix-flake
    ❯ enclave --version
    enclave 0.1.15
    ❯ bb --version
    3.0.0-nightly.20251104
    ❯ echo $E3_CUSTOM_BB
    /nix/store/6da5va1malbj4pjrzn5lan6n51m4hg9h-bb/bin/bb
    
  4. When you're done, type exit or press Ctrl-D to leave the dev shell.

    Note: The first nix develop will take a while as it fetches and builds dependencies. Subsequent runs are cached and nearly instant.

    Note: If you're on macOS/Apple Silicon, the flake as written only targets x86_64-linux. You'll need to add your system (e.g. aarch64-darwin) or use flake-utils to support multiple platforms.

Maintenance

Another benefit here is that this is semi-automated (almost)

There is a test added here that scans for dependency inaccuracies.
It will fail and show the dependency sha that needs to be added to the flake.nix.

I put it within our release to do a nix build ensuring this works for release but do a dependency check on PR so we can catch dependency updates early.

It will break and show the hash mismatch; you then copy the new hash into the flake, overwriting the old one. I think it should be a pretty low lift.

Example of where to change the hashes.

noirHash = "sha256-RoeWaqgFwr8A4HAlu5DzuxrNrexMolIZG14fHQA0KmM=";
fheHash = "sha256-dS8LcKDI/D9ycsRXbQnMVkUc2ymFBFL8kDrEtRGuHNI=";
vfsHash = "sha256-+d8RFk7UgOXDCE/LizCTV+UX/Xm/1mYWrR7W0l6mAl8=";

It should show:

❌ expected XXXX got YYYY

This script also validates the hashes within versions.json which aids in security.

So you could just do find replace on that.

Summary by CodeRabbit

  • New Features

    • Nix flake support: provides e3-cli and bb packages plus a development shell for Nix users.
    • Release workflow now builds and verifies the Nix flake as part of releases.
  • Documentation

    • New "Install with Nix" guide with nix run/devshell examples, platform notes, and version-pinning guidance.
  • Chores

    • CI pre-check added to validate Nix artifact versions.
    • Build metadata can be overridden via an environment variable for reproducible builds.
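An added illustration of the expected-vs-actual pin check the description relies on (constructed example code, not the project's scripts/nix-versions.sh): it reads a pinned SRI hash out of flake-style text, hashes a local artifact the way Nix writes hashes, and reports a mismatch in the same "expected X got Y" shape. It assumes coreutils plus openssl or xxd, and stands in a local file for the script's network prefetch.

```shell
#!/bin/sh
# Added example, not the project's scripts/nix-versions.sh: reproduces the
# "expected X got Y" SRI pin check on a local file instead of a prefetch.
set -eu

# Constructed stand-in for the pin lines in flake.nix (attribute names as in the PR).
FLAKE_SNIPPET='
  noirHash = "sha256-RoeWaqgFwr8A4HAlu5DzuxrNrexMolIZG14fHQA0KmM=";
  fheHash = "sha256-dS8LcKDI/D9ycsRXbQnMVkUc2ymFBFL8kDrEtRGuHNI=";
'

# Extract the SRI string pinned for attribute $1 from flake text $2.
flake_pin() {
  printf '%s\n' "$2" | sed -n "s/.*$1 *= *\"\(sha256-[^\"]*\)\".*/\1/p"
}

# Hash file $1 as Nix writes it: "sha256-" + base64 of the raw 32-byte digest.
# Stands in for `nix store prefetch-file`; needs openssl or xxd.
sri_of_file() {
  if command -v openssl >/dev/null 2>&1; then
    digest=$(openssl dgst -sha256 -binary "$1" | base64 | tr -d '\n')
  else
    digest=$(sha256sum "$1" | cut -d' ' -f1 | xxd -r -p | base64 | tr -d '\n')
  fi
  printf 'sha256-%s' "$digest"
}

# Compare the pin for $1 against artifact $2 using flake text $3.
# Returns 0 on match; on mismatch prints the line the PR describes and returns 1.
check_pin() {
  expected=$(flake_pin "$1" "$3")
  actual=$(sri_of_file "$2")
  if [ "$expected" = "$actual" ]; then
    echo "ok: $1 = $actual"
    return 0
  fi
  echo "❌ expected $expected got $actual"
  return 1
}

# Demo on a constructed artifact: first a matching pin, then the stale pin
# from FLAKE_SNIPPET, whose "got" value is what you would paste into flake.nix.
ARTIFACT=$(mktemp)
printf 'constructed stand-in for a Noir release tarball\n' > "$ARTIFACT"
check_pin noirHash "$ARTIFACT" "noirHash = \"$(sri_of_file "$ARTIFACT")\";"
check_pin noirHash "$ARTIFACT" "$FLAKE_SNIPPET" || echo "(copy the got value over the old pin)"
rm -f "$ARTIFACT"
```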

@vercel

vercel bot commented Mar 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: crisp. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): Mar 26, 2026 10:20am
Project: enclave-docs. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): Mar 26, 2026 10:20am


@coderabbitai
Contributor

coderabbitai bot commented Mar 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds Nix flake support and integration: new flake.nix, CI and release jobs to build and validate the flake, a hash‑validation script, docs for Nix installation, two .dockerignore exceptions, and a small crates/cli/build.rs change to allow GIT_SHA overrides.

Changes

Cohort: Release workflow
File(s): /.github/workflows/releases.yml
Summary: Adds Build Nix Flake job that installs Nix (flakes), runs scripts/nix-versions.sh, builds the cli flake target, and wires the job into release job dependencies and final release conditions.

Cohort: CI workflow
File(s): /.github/workflows/ci.yml
Summary: Adds check-nix-flake job to install Nix (flakes) and run scripts/nix-versions.sh before integration tests.

Cohort: Nix flake & provisioning
File(s): flake.nix
Summary: New multi-platform flake defining e3-cli and wrapped-bb, per-platform bb binaries and sha256 pins, Noir/FHE/VFS pins, cargoLock mappings, and devShells.default exposing E3_CUSTOM_BB.

Cohort: Hash validation script
File(s): scripts/nix-versions.sh
Summary: New script that extracts expected hashes from flake.nix, prefetches Noir and Barretenberg artifacts across platforms, converts to SRI and compares values, exiting nonzero on mismatch.

Cohort: Docs: installation
File(s): docs/pages/installation.mdx
Summary: Adds "Install with Nix" section with nix develop/nix run instructions, example outputs, and notes about caching and backend (bb) installation.

Cohort: CLI build
File(s): crates/cli/build.rs
Summary: Adds GIT_SHA environment override with cargo:rerun-if-env-changed=GIT_SHA; preserves existing fallback logic and rerun directives.

Cohort: Docker context
File(s): /.dockerignore
Summary: Stops ignoring flake.nix and flake.lock by adding allowlist entries so they are included in Docker build contexts.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Runner as CI Runner
    participant Nix as Nix (flakes)
    participant Flake as flake.nix
    participant Fetch as Remote fetch (tarballs/git)
    participant Script as scripts/nix-versions.sh
    participant Cargo as Cargo / Rust build

    GH->>Runner: trigger workflow (CI or Release)
    Runner->>Nix: install Nix with flakes
    Runner->>Flake: evaluate `packages.cli` / build flake target
    Flake->>Fetch: fetch Noir / Barretenberg / crates
    Fetch-->>Flake: deliver artifacts & hashes
    Runner->>Script: run `scripts/nix-versions.sh` (validate hashes)
    Script->>Nix: prefetch URLs & compute SRI
    Script-->>Runner: validation result
    Runner->>Cargo: build e3-cli via flake
    Cargo-->>Runner: produce build artifacts
    Runner->>GH: report job success/failure

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Suggested reviewers

  • cedor
  • ctrlc03

Poem

🐰 I hopped through flakes and hashes bright,
I chased down tarballs late at night,
A tiny env to pin my SHA,
Docs, shell, and bb to join the fray,
CI hums — the build takes flight. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The title 'feat: nix flake' accurately summarizes the main change—adding Nix flake support for the project. It is concise, clear, and directly relates to the primary changeset.
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


@vercel vercel bot temporarily deployed to Preview – crisp March 5, 2026 09:01 Inactive
@ryardley ryardley marked this pull request as ready for review March 5, 2026 09:05
@cedoor
Member

cedoor commented Mar 16, 2026

Apparently the mac stuff that was in there is deprecated. Try this now:

rm -rf ~/.cache/nix/eval-cache-v*
nix flake metadata github:gnosisguild/ry/nix-flake --refresh
nix develop github:gnosisguild/ry/nix-flake --refresh

Maybe it works?

It works now. However I had 1 error while compiling the Interfold dependencies in Rust:

       > error: failed to run custom build command for `noirc_driver v1.0.0-beta.16 (https://github.com/noir-lang/noir?tag=v1.0.0-beta.16#2d46fca7)`
       >
       > Caused by:
       >   process didn't exit successfully: `/nix/var/nix/builds/nix-30329-4230336795/9lcw2rj8jy4l7p7hbl8bizijpb8vcfg0-source/target/release/build/noirc_driver-77894bd29acd561a/build-script-build` (exit status: 101)
       >   --- stderr
       >
       >   thread 'main' (8352343) panicked at /nix/var/nix/builds/nix-30329-4230336795/cargo-vendor-dir/noirc_driver-1.0.0-beta.16/build.rs:19:47:
       >   called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }
       >   note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
       > warning: build failed, waiting for other jobs to finish...
       > warning: `e3-events` (lib) generated 3 warnings
       > warning: `e3-data` (lib) generated 1 warning (run `cargo fix --lib -p e3-data` to apply 1 suggestion)
       For full logs, run:
         nix-store -l /nix/store/dccrpi31c63rgpd0zwzllc63x49gpwxh-e3-cli-0.1.15.drv
error: Cannot build '/nix/store/2a48c2lnhjpvh993s71b21vxl8q1iqh6-nix-shell-env.drv'.
       Reason: 1 dependency failed.

@ryardley
Member Author

So I can't really debug this - there must be something platform specific around building noir on mac that is not handled in a standard way.

We can resort to using the release binaries, which is more akin to how the old version worked, but this means we cannot use this to install specific commits, which I believe is really valuable for testing in production.

cedoor
cedoor previously approved these changes Mar 23, 2026
Member

@cedoor cedoor left a comment

tACK, some issue on mac but that won't be the main target I guess, so approved anyway

cedoor
cedoor previously approved these changes Mar 25, 2026

Labels

chore Something we just need to do for organization
