ci: split container tests into virtualenv and Nix flake environments

Refactor CI to clearly separate virtualenv-based container tests from pure Nix flake tests across all distros (arch, debian, ubuntu, fedora, centos).
Introduce dedicated test-env-nix workflow and Makefile targets, rename former container tests to test-env-virtual, and update stable pipeline dependencies.
Improve Nix reliability in containers by fixing installer permissions and explicitly validating nix availability and version during image build and tests.

scripts/init-nix.sh

@@ -80,6 +80,13 @@ install_nix_with_retry() {
 
   installer="$(mktemp -t nix-installer.XXXXXX)"
 
+  # -------------------------------------------------------------------------
+  # FIX: mktemp creates files with 0600 by default, which breaks when we later
+  #      run the installer as a different user (e.g., 'nix' in container+root).
+  #      Make it readable and (best-effort) owned by the target user.
+  # -------------------------------------------------------------------------
+  chmod 0644 "${installer}"
+
   echo "[init-nix] Downloading Nix installer from ${NIX_INSTALL_URL} with retry (max ${NIX_DOWNLOAD_MAX_TIME}s)..."
 
   while true; do
@@ -103,6 +110,9 @@ install_nix_with_retry() {
   done
 
   if [[ -n "${run_as}" ]]; then
+    # Best-effort: ensure the target user can read the downloaded installer
+    chown "${run_as}:${run_as}" "${installer}" 2>/dev/null || true
+
     echo "[init-nix] Running installer as user '${run_as}' with mode '${mode}'..."
     if command -v sudo >/dev/null 2>&1; then
       sudo -u "${run_as}" bash -lc "sh '${installer}' ${mode_flag}"

scripts/installation/venv-create.sh

@@ -3,42 +3,84 @@ set -euo pipefail
 
 # venv-create.sh
 #
-# Small helper to create/update a Python virtual environment for pkgmgr.
+# Create/update a Python virtual environment for pkgmgr and install dependencies.
+#
+# Priority order:
+#  1) pyproject.toml  -> pip install (editable by default)
+#  2) requirements.txt
+#  3) _requirements.txt (legacy)
 #
 # Usage:
 #   PKGMGR_VENV_DIR=/home/dev/.venvs/pkgmgr bash scripts/installation/venv-create.sh
 # or
 #   bash scripts/installation/venv-create.sh /home/dev/.venvs/pkgmgr
+#
+# Optional:
+#   PKGMGR_PIP_EDITABLE=0           # install non-editable (default: 1)
+#   PKGMGR_PIP_EXTRAS="dev,test"    # install extras: .[dev,test]
+#   PKGMGR_PREFER_NIX=1             # print Nix hint and exit non-zero
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd "${PROJECT_ROOT}"
 
 VENV_DIR="${PKGMGR_VENV_DIR:-${1:-${HOME}/.venvs/pkgmgr}}"
+PIP_EDITABLE="${PKGMGR_PIP_EDITABLE:-1}"
+PIP_EXTRAS="${PKGMGR_PIP_EXTRAS:-}"
+PREFER_NIX="${PKGMGR_PREFER_NIX:-0}"
 
 echo "[venv-create] Using VENV_DIR=${VENV_DIR}"
 
+if [[ "${PREFER_NIX}" == "1" ]]; then
+  echo "[venv-create] PKGMGR_PREFER_NIX=1 set."
+  echo "[venv-create] Hint: Use Nix instead of a venv for reproducible installs:"
+  echo "[venv-create]   nix develop"
+  echo "[venv-create]   nix run .#pkgmgr -- --help"
+  exit 2
+fi
+
 echo "[venv-create] Ensuring virtualenv parent directory exists..."
 mkdir -p "$(dirname "${VENV_DIR}")"
 
 if [[ ! -d "${VENV_DIR}" ]]; then
-    echo "[venv-create] Creating virtual environment at: ${VENV_DIR}"
-    python3 -m venv "${VENV_DIR}"
+  echo "[venv-create] Creating virtual environment at: ${VENV_DIR}"
+  python3 -m venv "${VENV_DIR}"
 else
-    echo "[venv-create] Virtual environment already exists at: ${VENV_DIR}"
+  echo "[venv-create] Virtual environment already exists at: ${VENV_DIR}"
 fi
 
 echo "[venv-create] Installing Python tooling into venv..."
 "${VENV_DIR}/bin/python" -m ensurepip --upgrade
 "${VENV_DIR}/bin/pip" install --upgrade pip setuptools wheel
 
-if [[ -f "requirements.txt" ]]; then
-    echo "[venv-create] Installing dependencies from requirements.txt..."
-    "${VENV_DIR}/bin/pip" install -r requirements.txt
+# ---------------------------------------------------------------------------
+# Install dependencies
+# ---------------------------------------------------------------------------
+if [[ -f "pyproject.toml" ]]; then
+  echo "[venv-create] Detected pyproject.toml. Installing project via pip..."
+
+  target="."
+  if [[ -n "${PIP_EXTRAS}" ]]; then
+    target=".[${PIP_EXTRAS}]"
+  fi
+
+  if [[ "${PIP_EDITABLE}" == "1" ]]; then
+    echo "[venv-create] pip install -e ${target}"
+    "${VENV_DIR}/bin/pip" install -e "${target}"
+  else
+    echo "[venv-create] pip install ${target}"
+    "${VENV_DIR}/bin/pip" install "${target}"
+  fi
+
+elif [[ -f "requirements.txt" ]]; then
+  echo "[venv-create] Installing dependencies from requirements.txt..."
+  "${VENV_DIR}/bin/pip" install -r requirements.txt
+
 elif [[ -f "_requirements.txt" ]]; then
-    echo "[venv-create] Installing dependencies from _requirements.txt..."
-    "${VENV_DIR}/bin/pip" install -r _requirements.txt
+  echo "[venv-create] Installing dependencies from _requirements.txt (legacy)..."
+  "${VENV_DIR}/bin/pip" install -r _requirements.txt
+
 else
-    echo "[venv-create] No requirements.txt or _requirements.txt found. Skipping dependency installation."
+  echo "[venv-create] No pyproject.toml, requirements.txt, or _requirements.txt found. Skipping dependency installation."
 fi
 
 echo "[venv-create] Done."

scripts/test/test-env-nix.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+IMAGE="package-manager-test-${distro}"
+
+echo "============================================================"
+echo ">>> Running Nix flake-only test in ${distro} container"
+echo ">>> Image: ${IMAGE}"
+echo "============================================================"
+
+docker run --rm \
+  -v "$(pwd):/src" \
+  -v "pkgmgr_nix_store_${distro}:/nix" \
+  -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
+  --workdir /src \
+  -e PKGMGR_DEV=0 \
+  "${IMAGE}" \
+  bash -lc '
+    set -euo pipefail
+
+    if command -v git >/dev/null 2>&1; then
+      git config --global --add safe.directory /src || true
+      git config --global --add safe.directory /src/.git || true
+      git config --global --add safe.directory "*" || true
+    fi
+
+    echo ">>> preflight: nix must exist in image"
+    if ! command -v nix >/dev/null 2>&1; then
+      echo "NO_NIX"
+      echo "ERROR: nix not found in image '\'''"${IMAGE}"''\'' (distro='"${distro}"')"
+      echo "HINT: Ensure Nix is installed during image build for this distro."
+      exit 1
+    fi
+
+    echo ">>> nix version"
+    nix --version
+
+    echo ">>> nix flake show"
+    nix flake show . --no-write-lock-file >/dev/null
+
+    echo ">>> nix build .#default"
+    nix build .#default --no-link --no-write-lock-file
+
+    echo ">>> nix run .#pkgmgr -- --help"
+    nix run .#pkgmgr -- --help --no-write-lock-file
+
+    echo ">>> OK: Nix flake-only test succeeded."
+  '

scripts/test/test-env-virtual.sh

@@ -5,12 +5,12 @@ IMAGE="package-manager-test-$distro"
 
 echo
 echo "------------------------------------------------------------"
-echo ">>> Testing container: $IMAGE"
+echo ">>> Testing VENV: $IMAGE"
 echo "------------------------------------------------------------"
-echo "[test-container] Inspect image metadata:"
+echo "[test-env-virtual] Inspect image metadata:"
 docker image inspect "$IMAGE" | sed -n '1,40p'
 
-echo "[test-container] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
+echo "[test-env-virtual] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
 echo
 
 # Run the command and capture the output
@@ -22,11 +22,11 @@ if OUTPUT=$(docker run --rm \
         "$IMAGE" 2>&1); then
     echo "$OUTPUT"
     echo
-    echo "[test-container] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
+    echo "[test-env-virtual] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
 
 else
     echo "$OUTPUT"
     echo
-    echo "[test-container] ERROR: $IMAGE failed to run 'pkgmgr --help'"
+    echo "[test-env-virtual] ERROR: $IMAGE failed to run 'pkgmgr --help'"
     exit 1
 fi