feat: auto-generate CI jobs from flake checks

Add `checks` option and `config.autoChecks` to auto-generate a CI job
for each flake check derivation. Auto-generated jobs go through
`mkJobPatched` for proper Nix setup, cache, and environment handling.

The `checks` option is automatically wired to `config.checks` in
flake-parts. System is inferred from `pkgs.system` and set via the new
`system` option. User-defined jobs with the same name always take
precedence.

New tests cover both flake-parts and direct API entry points.

MT-14138

tests/auto_checks_test.nix

@@ -0,0 +1,65 @@
+{
+  pkgs,
+  ntlib,
+  cilib,
+  ...
+}: {
+  suites."autoChecks" = {
+    pos = __curPos;
+    tests = [
+      {
+        name = "flakeModule";
+        type = "script";
+        script =
+          # sh
+          ''
+            ${ntlib.helpers.scriptHelpers}
+            ${ntlib.helpers.path (with pkgs; [coreutils nix gnused gnugrep jq])}
+            export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+            export NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+            repo_path=${../.}
+
+            cp ${./fixtures/flake_parts_autochecks}/* .
+            sed -i -e "s|@repo_path@|$repo_path|" flake.nix
+
+            nix build --impure .#gitlab-ci:pipeline:default
+            assert "-f result" "should exist"
+
+            system=$(nix eval --impure --expr "builtins.currentSystem" --raw)
+            jq -e '."my-check" | .stage == "test"' result > /dev/null
+            jq -e '."my-check" | .script[0] | contains("nix build")' result > /dev/null
+            jq -e '."my-check" | .script[0] | contains("'"$system"'")' result > /dev/null
+            jq -e '."my-check" | has("before_script")' result > /dev/null
+            jq -e '."my-check" | has("after_script")' result > /dev/null
+          '';
+      }
+      {
+        name = "direct";
+        type = "script";
+        script = let
+          system = pkgs.system;
+          fakeCheck = pkgs.runCommand "fake-check" {} "touch $out";
+          ci = cilib.mkCI {
+            checks.my-check = fakeCheck;
+            config.autoChecks.enable = true;
+            pipelines.default.stages = [ "test" ];
+          };
+          pkg = ci.packages."gitlab-ci:pipeline:default";
+        in
+          # sh
+          ''
+            ${ntlib.helpers.scriptHelpers}
+            ${ntlib.helpers.path (with pkgs; [coreutils gnugrep jq])}
+
+            json=$(cat ${pkg})
+            echo "$json" | jq -e '.stages == [".pre", "test", ".post"]' > /dev/null
+            echo "$json" | jq -e '."my-check" | .stage == "test"' > /dev/null
+            echo "$json" | jq -e '."my-check" | .script[0] | contains("nix build")' > /dev/null
+            echo "$json" | jq -e '."my-check" | .script[0] | contains("${system}")' > /dev/null
+            echo "$json" | jq -e '."my-check" | has("before_script")' > /dev/null
+            echo "$json" | jq -e '."my-check" | has("after_script")' > /dev/null
+          '';
+      }
+    ];
+  };
+}

tests/fixtures/flake_parts_autochecks/flake.nix

@@ -0,0 +1,33 @@
+{
+  outputs = {
+    flake-parts,
+    systems,
+    ...
+  } @ inputs:
+    flake-parts.lib.mkFlake {inherit inputs;} {
+      imports = [
+        "@repo_path@/lib/flakeModule.nix"
+      ];
+      systems = import systems;
+      flake = {};
+      perSystem = {pkgs, ...}: let
+        fakeCheck = pkgs.runCommand "fake-check" {} "touch $out";
+      in {
+        checks = {
+          my-check = fakeCheck;
+        };
+        ci = {
+          config.autoChecks.enable = true;
+          pipelines.default = {
+            stages = ["test"];
+          };
+        };
+      };
+    };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    systems.url = "github:nix-systems/default-linux";
+  };
+}

tests/modules_test.nix

@@ -98,6 +98,112 @@
             assert_file_contains ${package} 'export EXAMPLE="/nix/store/.*-hello-.*"'
           '';
       }
+      {
+        name = "autoChecks with no checks set";
+        expected = {
+          stages = [".pre" "test" ".post"];
+        };
+        actual =
+          (cilib.mkCI {
+            config.autoChecks.enable = true;
+            pipelines."default".stages = ["test"];
+          }).pipelines."default".finalConfig;
+      }
+      {
+        name = "autoChecks generates check jobs";
+        expected = {
+          stages = [".pre" "check" ".post"];
+          unit = {
+            image = "$NIX_CI_IMAGE";
+            stage = "test";
+            script = ["nix build .#checks.\"${pkgs.system}\".unit"];
+            before_script = ["source setup_nix_ci \"gitlab-ci:pipeline:default:job-deps:auto:unit\""];
+            after_script = ["finalize_nix_ci"];
+          };
+          lint = {
+            image = "$NIX_CI_IMAGE";
+            stage = "test";
+            script = ["nix build .#checks.\"${pkgs.system}\".lint"];
+            before_script = ["source setup_nix_ci \"gitlab-ci:pipeline:default:job-deps:auto:lint\""];
+            after_script = ["finalize_nix_ci"];
+          };
+        };
+        actual = let
+          fakeCheck = pkgs.runCommand "fake-check" {} "touch $out";
+        in
+          (cilib.mkCI {
+            config.autoChecks = {
+              enable = true;
+            };
+            checks = {
+              unit = fakeCheck;
+              lint = fakeCheck;
+            };
+            pipelines."default".stages = ["check"];
+          }).pipelines."default".finalConfig;
+      }
+      {
+        name = "autoChecks skips existing jobs";
+        expected = {
+          stages = [".pre" "check" "build" ".post"];
+          unit = {
+            image = "$NIX_CI_IMAGE";
+            stage = "test";
+            script = ["nix build .#checks.\"${pkgs.system}\".unit"];
+          };
+          custom = {
+            image = "$NIX_CI_IMAGE";
+            stage = "build";
+            script = ["echo custom"];
+          };
+        };
+        actual = let
+          fakeCheck = pkgs.runCommand "fake-check" {} "touch $out";
+        in
+          (cilib.mkCI {
+            config.autoChecks = {
+              enable = true;
+            };
+            checks = {
+              unit = fakeCheck;
+              custom = fakeCheck;
+            };
+            pipelines."default" = {
+              nix.nixJobsByDefault = false;
+              stages = ["check" "build"];
+              jobs."custom" = {
+                stage = "build";
+                script = ["echo custom"];
+              };
+            };
+          }).pipelines."default".finalConfig;
+      }
+      {
+        name = "autoChecks uses custom stage and tags";
+        expected = {
+          stages = [".pre" "quality" ".post"];
+          lint = {
+            image = "$NIX_CI_IMAGE";
+            stage = "quality";
+            tags = ["docker" "nix"];
+            script = ["nix build .#checks.\"${pkgs.system}\".lint"];
+            before_script = ["source setup_nix_ci \"gitlab-ci:pipeline:default:job-deps:auto:lint\""];
+            after_script = ["finalize_nix_ci"];
+          };
+        };
+        actual = let
+          fakeCheck = pkgs.runCommand "fake-check" {} "touch $out";
+        in
+          (cilib.mkCI {
+            config.autoChecks = {
+              enable = true;
+              stage = "quality";
+              tags = ["docker" "nix"];
+            };
+            checks.lint = fakeCheck;
+            pipelines."default".stages = ["quality"];
+          }).pipelines."default".finalConfig;
+      }
     ];
   };
 }