diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 45916d7..771ec0e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ jobs: id-token: "write" contents: "read" steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: ./. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b149bfb..2bc12a3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,9 @@ jobs: shorttag=$(echo "$VERSION" | cut -d'.' -f1) echo "shorttag=$shorttag" >> "$GITHUB_OUTPUT" - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Create the short tag env: SHORTTAG: ${{ steps.check_tag.outputs.shorttag }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9397c97..e6a3c98 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -15,7 +15,7 @@ jobs: actions: read steps: - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/README.md b/README.md index 18c9983..b9edfde 100644 --- a/README.md +++ b/README.md @@ -52,8 +52,8 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v7.0.0 - - uses: DeterminateSystems/determinate-nix-action@main # or v3.21.5 to pin to a release + - uses: actions/checkout@v6.0.3 + - uses: DeterminateSystems/determinate-nix-action@main # or v3.21.1 to pin to a release - run: nix build . ``` @@ -67,10 +67,10 @@ jobs: Unlike `DeterminateSystems/nix-installer-action`, we fully support explicit version pinning for maximum consistency. This Action is **automatically tagged** for every Determinate Nix release, giving you complete control over your CI environment: -📍 Pinning to `DeterminateSystems/determinate-nix-action@v3.21.5` guarantees: +📍 Pinning to `DeterminateSystems/determinate-nix-action@v3.21.1` guarantees: - Same `nix-installer-action` revision every time -- Consistent Determinate Nix v3.21.5 installation +- Consistent Determinate Nix v3.21.1 installation - Reproducible CI workflows, even years later ✨ Using `@main` instead? You'll: @@ -96,37 +96,30 @@ updates: ## ️⚙️ Configuration -| Parameter | Description | Required | Default | -|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------| -| `extra-conf` | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set) | | | -| `github-server-url` | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | | `${{ github.server_url }}` | -| `github-token` | A GitHub token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests) | | `${{ github.token }}` | -| `trust-runner-user` | Whether to make the runner user trusted by the Nix daemon | | `true` | -| `summarize` | Whether to add a build summary and timeline chart to the GitHub job summary | | `true` | -| `force-no-systemd` | Force using other methods than systemd to launch the daemon. This setting is automatically enabled when necessary. | | `false` | -| `init` | The init system to configure, requires `planner: linux-multi` (allowing the choice between `none` or `systemd`) | | | -| `kvm` | Automatically configure the GitHub Actions Runner for NixOS test supports, if the host supports it. | | `true` | -| `planner` | A planner to use | | | -| `proxy` | The proxy to use (if any), valid proxy bases are `https://$URL`, `http://$URL` and `socks5://$URL` | | | -| `reinstall` | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`) | | `false` | -| `source-binary` | Run a version of the nix-installer binary from somewhere already on disk. Conflicts with all other `source-*` options. Intended only for testing this Action. | | | -| `source-branch` | The branch of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-pr`) | | | -| `source-pr` | The PR of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-branch`) | | | -| `source-revision` | The revision of `nix-installer` to use (conflicts with `source-tag`, `source-branch`, `source-pr`) | | | -| `source-tag` | The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`) | | `v3.21.5` | -| `source-url` | A URL pointing to a `nix-installer` executable | | | -| `source-checksums-url` | URL of a `shasum`-format checksums file listing the SHA-256 of each -`nix-installer--` artifact. Used together with -`source-checksums-sha256` to verify the downloaded installer. - | | | -| `source-checksums-sha256` | Pinned SHA-256 (hex) of the file served at `source-checksums-url`. Must -be set together with `source-checksums-url`. - | | | -| `backtrace` | The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables) | | | -| `diagnostic-endpoint` | Diagnostic endpoint url where the installer sends data to. To disable set this to an empty string. | | `-` | -| `log-directives` | A list of Tracing directives, comma separated, `-`s replaced with `_` (eg. `nix_installer=trace`, see https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives) | | | -| `logger` | The logger to use for install (eg. `pretty`, `json`, `full`, `compact`) | | | -| `_internal-strict-mode` | Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows. | | `false` | +| Parameter | Description | Required | Default | +|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------| +| `extra-conf` | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set) | | | +| `github-server-url` | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | | `${{ github.server_url }}` | +| `github-token` | A GitHub token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests) | | `${{ github.token }}` | +| `trust-runner-user` | Whether to make the runner user trusted by the Nix daemon | | `true` | +| `summarize` | Whether to add a build summary and timeline chart to the GitHub job summary | | `true` | +| `force-no-systemd` | Force using other methods than systemd to launch the daemon. This setting is automatically enabled when necessary. | | `false` | +| `init` | The init system to configure, requires `planner: linux-multi` (allowing the choice between `none` or `systemd`) | | | +| `kvm` | Automatically configure the GitHub Actions Runner for NixOS test supports, if the host supports it. | | `true` | +| `planner` | A planner to use | | | +| `proxy` | The proxy to use (if any), valid proxy bases are `https://$URL`, `http://$URL` and `socks5://$URL` | | | +| `reinstall` | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`) | | `false` | +| `source-binary` | Run a version of the nix-installer binary from somewhere already on disk. Conflicts with all other `source-*` options. Intended only for testing this Action. | | | +| `source-branch` | The branch of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-pr`) | | | +| `source-pr` | The PR of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-branch`) | | | +| `source-revision` | The revision of `nix-installer` to use (conflicts with `source-tag`, `source-branch`, `source-pr`) | | | +| `source-tag` | The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`) | | `v3.21.1` | +| `source-url` | A URL pointing to a `nix-installer` executable | | | +| `backtrace` | The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables) | | | +| `diagnostic-endpoint` | Diagnostic endpoint url where the installer sends data to. To disable set this to an empty string. | | `-` | +| `log-directives` | A list of Tracing directives, comma separated, `-`s replaced with `_` (eg. `nix_installer=trace`, see https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives) | | | +| `logger` | The logger to use for install (eg. `pretty`, `json`, `full`, `compact`) | | | +| `_internal-strict-mode` | Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows. | | `false` | ## 🛟 Need help? We're here for you! diff --git a/action.yml b/action.yml index 30250e5..511c0c8 100644 --- a/action.yml +++ b/action.yml @@ -72,20 +72,12 @@ "source-tag": { "description": "The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)", "required": false, - "default": "v3.21.5" + "default": "v3.21.1" }, "source-url": { "description": "A URL pointing to a `nix-installer` executable", "required": false }, - "source-checksums-url": { - "description": "URL of a `shasum`-format checksums file listing the SHA-256 of each\n`nix-installer--` artifact. Used together with\n`source-checksums-sha256` to verify the downloaded installer.\n", - "required": false - }, - "source-checksums-sha256": { - "description": "Pinned SHA-256 (hex) of the file served at `source-checksums-url`. Must\nbe set together with `source-checksums-url`.\n", - "required": false - }, "backtrace": { "description": "The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables)", "required": false @@ -113,7 +105,7 @@ "using": "composite", "steps": [ { - "uses": "DeterminateSystems/nix-installer-action@a7ad9c4f0c65208097f4d34f3cfa1913b80cce5c", + "uses": "DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f", "with": { "extra-conf": "${{ inputs.extra-conf }}", "github-server-url": "${{ inputs.github-server-url }}", @@ -132,8 +124,6 @@ "source-revision": "${{ inputs.source-revision }}", "source-tag": "${{ inputs.source-tag }}", "source-url": "${{ inputs.source-url }}", - "source-checksums-url": "${{ inputs.source-checksums-url }}", - "source-checksums-sha256": "${{ inputs.source-checksums-sha256 }}", "backtrace": "${{ inputs.backtrace }}", "diagnostic-endpoint": "${{ inputs.diagnostic-endpoint }}", "log-directives": "${{ inputs.log-directives }}", diff --git a/flake.lock b/flake.lock index 451e1e0..ccbbae5 100644 --- a/flake.lock +++ b/flake.lock @@ -2,12 +2,12 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1783224372, - "narHash": "sha256-8i/87eeoqiGE4yOTjwSA3Eh/ziJRQEmd/unYU+K27sk=", - "rev": "d407951447dcd00442e97087bf374aad70c04cea", - "revCount": 1027867, + "lastModified": 1780749050, + "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=", + "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb", + "revCount": 1011622, "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.1027867%2Brev-d407951447dcd00442e97087bf374aad70c04cea/019f32d6-f801-7201-b6cb-59773d7eec95/source.tar.gz" + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.1011622%2Brev-a799d3e3886da994fa307f817a6bc705ae538eeb/019ea4be-9303-7001-8232-6b7ec45c4f5b/source.tar.gz" }, "original": { "type": "tarball", diff --git a/tools/generate.py b/tools/generate.py index 1a3d1e3..e9e41b2 100644 --- a/tools/generate.py +++ b/tools/generate.py @@ -74,8 +74,6 @@ keep_inputs = [ "source-revision", "source-tag", "source-url", - "source-checksums-url", - "source-checksums-sha256", # debugging "backtrace", "diagnostic-endpoint", diff --git a/tools/state.json b/tools/state.json index d79adaf..2ab2cfa 100644 --- a/tools/state.json +++ b/tools/state.json @@ -1,5 +1,5 @@ { - "nix_installer_action_revision": "a7ad9c4f0c65208097f4d34f3cfa1913b80cce5c", - "determinate_nix_tag": "v3.21.5", - "checkout_action_tag": "v7.0.0" + "nix_installer_action_revision": "1d87d45818068401a10cf16bdc5f00b24994a83f", + "determinate_nix_tag": "v3.21.1", + "checkout_action_tag": "v6.0.3" }