perf(ci): move slow pre-push hooks to CI-only nix-tools matrix job

Disable deadcode, golangci-lint, govulncheck, and osv-scanner from
pre-push hooks (they remain defined but with enable=false) and run them
as independent CI jobs via a nix-tools matrix using cachix/install-nix-action
and nix run. go-generate-check stays in pre-push.

Also adds a run-golangci-lint nix app and updates the pre-commit CI step
to use --from-ref/--to-ref for diff-only checking instead of --all-files.

closes #718

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: cpcloud

.github/workflows/ci.yml

@@ -149,23 +149,33 @@ jobs:
       - name: Run smoke benchmarks
         run: go test -bench . -benchtime 1x -timeout 5m -run '^$' ./...
 
-  deadcode:
-    name: Dead Code
+  nix-tools:
+    name: ${{ matrix.name }}
     runs-on: ubuntu-latest
     concurrency:
-      group: ci-deadcode-${{ github.ref }}
+      group: ci-${{ matrix.tool }}-${{ github.ref }}
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    strategy:
+      fail-fast: ${{ github.event_name == 'pull_request' }}
+      matrix:
+        include:
+          - tool: deadcode
+            name: Dead Code
+          - tool: golangci-lint
+            name: Lint
+          - tool: govulncheck
+            name: Vulnerability Check
+          - tool: osv-scanner
+            name: OSV Scan
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
-        with:
-          go-version: "1.25"
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - name: Check for dead code
-        run: go run golang.org/x/tools/cmd/deadcode@v0.42.0 -test ./...
+      - name: Run ${{ matrix.tool }}
+        run: nix run '.#${{ matrix.tool }}'
 
   pre-commit:
     name: Pre-commit
@@ -176,12 +186,13 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
+          fetch-depth: 0
           persist-credentials: false
 
       - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
       - name: Run pre-commit hooks
-        run: nix run '.#pre-commit'
+        run: nix run '.#pre-commit' -- --from-ref 'origin/${{ github.base_ref || 'main' }}' --to-ref HEAD
 
   nix-build:
     name: Nix Build
@@ -246,7 +257,7 @@ jobs:
 
   semantic-release:
     name: Semantic Release
-    needs: [test, deadcode, pre-commit, nix-build, docs, secrets]
+    needs: [test, nix-tools, pre-commit, nix-build, docs, secrets]
     runs-on: ubuntu-latest
     concurrency:
       group: semantic-release-${{ github.ref }}

flake.nix

@@ -125,7 +125,7 @@
             };
             nixfmt.enable = true;
             golangci-lint = {
-              enable = true;
+              enable = false; # CI-only job
               stages = [ "pre-push" ];
             };
             actionlint.enable = true;
@@ -160,7 +160,7 @@
               pass_filenames = false;
             };
             deadcode-check = {
-              enable = true;
+              enable = false; # CI-only job
               name = "deadcode";
               entry = "${run-deadcode}/bin/run-deadcode";
               files = "\\.go$";
@@ -169,7 +169,7 @@
               stages = [ "pre-push" ];
             };
             govulncheck = {
-              enable = true;
+              enable = false; # CI-only job
               name = "govulncheck";
               entry = "${run-govulncheck}/bin/run-govulncheck";
               files = "^go\\.(mod|sum)$";
@@ -178,7 +178,7 @@
               stages = [ "pre-push" ];
             };
             osv-scanner = {
-              enable = true;
+              enable = false; # CI-only job
               name = "osv-scanner";
               entry = "${run-osv-scanner}/bin/run-osv-scanner";
               files = "^go\\.(mod|sum)$";
@@ -292,6 +292,22 @@
           '';
         };
 
+        run-golangci-lint = pkgs.writeShellApplication {
+          name = "run-golangci-lint";
+          runtimeInputs = [
+            pkgs.golangci-lint
+            pkgs.go
+          ];
+          runtimeEnv.CGO_ENABLED = "0";
+          text = ''
+            _tmpdir=$(mktemp -d -t micasa-golangci-lint-XXXXXX)
+            trap 'chmod -R u+w "$_tmpdir" 2>/dev/null; rm -rf "$_tmpdir"' EXIT
+            export GOCACHE="''${GOCACHE:-$_tmpdir/gocache}"
+            export GOMODCACHE="''${GOMODCACHE:-$_tmpdir/gomodcache}"
+            golangci-lint run ./...
+          '';
+        };
+
         goModTidyCheck = pkgs.writeShellApplication {
           name = "go-mod-tidy-check";
           runtimeInputs = [
@@ -596,7 +612,12 @@
               gen-mixed-pdf
             '';
           };
-          inherit run-deadcode run-govulncheck run-osv-scanner;
+          inherit
+            run-deadcode
+            run-govulncheck
+            run-osv-scanner
+            run-golangci-lint
+            ;
           run-pre-commit = pkgs.writeShellApplication {
             name = "run-pre-commit";
             runtimeInputs = [
@@ -617,8 +638,11 @@
             ];
             text = ''
               ${preCommit.shellHook}
-              pre-commit run --all-files
-              pre-commit run --all-files --hook-stage pre-push
+              if [ $# -eq 0 ]; then
+                set -- --all-files
+              fi
+              pre-commit run "$@"
+              pre-commit run "$@" --hook-stage pre-push
             '';
           };
 
@@ -646,6 +670,7 @@
             deadcode = app (pkg "run-deadcode") "Run whole-program dead code analysis";
             govulncheck = app (pkg "run-govulncheck") "Check for known Go vulnerabilities with call-graph analysis";
             osv-scanner = app (pkg "run-osv-scanner") "Scan for known vulnerabilities";
+            golangci-lint = app (pkg "run-golangci-lint") "Run golangci-lint";
             pre-commit = app (pkg "run-pre-commit") "Run all pre-commit hooks";
           };