guix-nix-policy.yml
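---
# Guix/Nix package-manager policy check.
#
# Reports whether the repository carries Guix (primary) or Nix (fallback)
# package definitions and warns when a commit *adds* a language-specific
# lock file.  The job is advisory: it prints messages and exits 0 unless a
# command in the script itself fails.
name: Guix/Nix Package Policy

on: [push, pull_request]

# Least privilege: the job only reads the checkout and never writes to the
# repository, issues or packages, so the default GITHUB_TOKEN grants are
# narrowed to read-only.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pinning the action to a full commit SHA (tag kept in a
      # trailing comment, e.g. `actions/checkout@<commit-sha>  # v6`) instead
      # of a mutable tag removes a supply-chain dependency on tag integrity.
      - uses: actions/checkout@v6
        with:
          # The lock-file check diffs against HEAD~1.  The default depth of 1
          # fetches only HEAD, so `git diff HEAD~1` failed and the error was
          # hidden by `2>/dev/null ... || true`, silently disabling the check.
          # Depth 2 also brings in HEAD's parents; for pull_request events the
          # checkout is the merge commit, so HEAD~1 should be the base branch
          # tip — confirm with a test PR.
          fetch-depth: 2

      - name: Enforce Guix primary / Nix fallback
        run: |
          # Locate package-manager definitions.  Any Scheme file counts as a
          # Guix signal (guix.scm is itself a *.scm match); .guix-channel and
          # *.nix are matched explicitly.  .git is pruned so stray objects and
          # vendored trees inside it do not produce false positives.
          HAS_GUIX=$(find . -path ./.git -prune -o \
            \( -name "*.scm" -o -name ".guix-channel" \) -print 2>/dev/null | head -1)
          HAS_NIX=$(find . -path ./.git -prune -o -name "*.nix" -print 2>/dev/null | head -1)

          # Warn on lock files added in this commit (modified ones are
          # deliberately ignored: --diff-filter=A).  Cargo writes "Cargo.lock"
          # with a capital C and grep -E is case-sensitive, so the pattern must
          # use that spelling; alternatives are anchored to the basename so
          # names such as "package-lock.json.example" do not match.
          # On the first commit of a repository HEAD~1 does not exist; the
          # `|| true` keeps that from failing the step under bash -e.
          NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null \
            | grep -E '(^|/)(package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|Cargo\.lock)$' \
            || true)
          if [ -n "$NEW_LOCKS" ]; then
            echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility."
            # Also surface the finding as a checks-UI annotation, not only in
            # the step log.  Newlines are flattened so a multi-file result stays
            # a single workflow command.
            echo "::warning::New lock file(s) added: $(echo "$NEW_LOCKS" | tr '\n' ' ')"
          fi

          # Prefer Guix, fall back to Nix; neither is an error, only a hint.
          if [ -n "$HAS_GUIX" ]; then
            echo "✅ Guix package management detected (primary)"
          elif [ -n "$HAS_NIX" ]; then
            echo "✅ Nix package management detected (fallback)"
          else
            echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds"
          fi

          echo "✅ Package policy check passed"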