ci: flatten two-entry matrices into explicit jobs

cpcloud · claude · cpcloud · commit 66064367420a · 2026-03-08T19:03:05.000-04:00
Replace the nix-lint and nix-security matrix strategies with standalone
jobs. Two entries don't justify the indirection of a matrix.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -13,29 +13,37 @@ permissions:
   contents: read
 
 jobs:
-  nix-lint:
-    name: ${{ matrix.name }}
+  deadcode:
+    name: Dead Code
     runs-on: ubuntu-latest
     concurrency:
-      group: lint-${{ matrix.tool }}-${{ github.ref }}
+      group: lint-deadcode-${{ github.ref }}
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-    strategy:
-      fail-fast: ${{ github.event_name == 'pull_request' }}
-      matrix:
-        include:
-          - tool: deadcode
-            name: Dead Code
-          - tool: golangci-lint
-            name: Lint
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - name: Run ${{ matrix.tool }}
-        run: nix run '.#${{ matrix.tool }}'
+      - name: Run deadcode
+        run: nix run '.#deadcode'
+
+  golangci-lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    concurrency:
+      group: lint-golangci-lint-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
+
+      - name: Run golangci-lint
+        run: nix run '.#golangci-lint'
 
   pre-commit:
     name: Pre-commit
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -13,29 +13,37 @@ permissions:
   contents: read
 
 jobs:
-  nix-security:
-    name: ${{ matrix.name }}
+  govulncheck:
+    name: Vulnerability Check
     runs-on: ubuntu-latest
     concurrency:
-      group: security-${{ matrix.tool }}-${{ github.ref }}
+      group: security-govulncheck-${{ github.ref }}
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-    strategy:
-      fail-fast: ${{ github.event_name == 'pull_request' }}
-      matrix:
-        include:
-          - tool: govulncheck
-            name: Vulnerability Check
-          - tool: osv-scanner
-            name: OSV Scan
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - name: Run ${{ matrix.tool }}
-        run: nix run '.#${{ matrix.tool }}'
+      - name: Run govulncheck
+        run: nix run '.#govulncheck'
+
+  osv-scanner:
+    name: OSV Scan
+    runs-on: ubuntu-latest
+    concurrency:
+      group: security-osv-scanner-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
+
+      - name: Run osv-scanner
+        run: nix run '.#osv-scanner'
 
   secrets:
     name: Secret Scan
