root: shell.nix for nixfmt

This uses the reusable pinned Nixpkgs from the parent commit to create a
shell.nix file for an environment with a pinned nixfmt version.

2 files changed, 31 insertions, 1 deletions

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 89d8d57cd73df..ebdefd539999d 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,9 @@
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /ci @infinisil
 
-# EditorConfig
+# Develompent support
 /.editorconfig @Mic92 @zowoq
+/shell.nix @infinisil @NixOS/Security
 
 # Libraries
 /lib                        @infinisil
diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml
new file mode 100644
index 0000000000000..01ea97dfff20a
--- /dev/null
+++ b/.github/workflows/check-shell.yml
@@ -0,0 +1,29 @@
+name: "Check shell"
+
+on:
+  pull_request_target:
+
+permissions: {}
+
+jobs:
+  x86_64-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
+      - name: Build shell
+        run: nix-build shell.nix
+
+  aarch64-darwin:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
+      - name: Build shell
+        run: nix-build shell.nix