Create a flake.nix at the repository root with inputs referencing nixpkgs and define outputs.devShells.default using pkgs.mkShell with buildInputs listing Go, golangci-lint, and other tools pinned via nixpkgs
Define a flake check under outputs.checks.<system>.default using pkgs.runCommand or pkgs.buildGoModule that builds the Go package and runs tests in the Nix sandbox
Run 'nix flake check' locally to verify the check passes in the hermetic build sandbox without access to the network or impure system paths
Add a 'nix develop' invocation to your CI workflow to enter the devShell and run project-specific commands with pinned tool versions
Commit the flake.lock file to version control so all developers and CI runs use identical nixpkgs revisions
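A minimal flake.nix covering the steps above, as an added example rather than code from the original page. The package name, version, system list and nixpkgs branch are assumptions to adapt, and vendorHash is deliberately a placeholder.

```nix
{
  description = "Pinned Go dev shell and hermetic check (added example)";

  # Assumption: the branch to follow. flake.lock records the exact revision,
  # so every developer and CI run resolves the same nixpkgs.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      # Assumption: the platforms your developers and CI runners use.
      systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
      forAllSystems = f:
        nixpkgs.lib.genAttrs systems (system: f nixpkgs.legacyPackages.${system});
    in
    {
      # 'nix develop' enters this shell; tool versions come from the locked nixpkgs.
      devShells = forAllSystems (pkgs: {
        default = pkgs.mkShell {
          buildInputs = [ pkgs.go pkgs.golangci-lint ];
        };
      });

      # 'nix flake check' builds this derivation inside the sandbox.
      checks = forAllSystems (pkgs: {
        default = pkgs.buildGoModule {
          pname = "example-app"; # hypothetical name
          version = "0.0.0";     # hypothetical version
          src = ./.;

          # Placeholder hash. The first build fails with a hash mismatch that
          # prints the real value; paste it here, and repeat whenever go.mod or
          # go.sum change. Use null instead if vendor/ is committed to the repo.
          vendorHash = pkgs.lib.fakeHash;

          # Run 'go test' in the check phase (this is also the default).
          doCheck = true;
        };
      });
    };
}
```

Because the module fetch is a fixed-output derivation keyed by vendorHash, a dependency that changes without a matching hash update fails the build instead of being silently pulled in.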
Known gotchas
Nix flake checks run in a sandbox with no network access by default; Go modules must be pre-fetched and their hashes declared in the Nix derivation, otherwise the build fails at the module download step
The flake.lock file pins nixpkgs to a specific git rev; updating nixpkgs requires running 'nix flake update' and re-testing, as package versions may change and break the build
buildGoModule requires setting 'vendorHash' to the hash of the vendor directory; if dependencies change without updating this hash, the Nix build fails with a hash mismatch error