From 9c4488f07aa4116dcce80a82101d17e588845d5c Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 28 Aug 2025 17:45:48 +0200 Subject: [PATCH 1/2] fix: set up the environment based on the installer shell scripts The installer scripts would normally set up the various environment variables that Nix needs. Since GitHub doesn't run any profile or rc scripts by default, we need to set these up ourselves. --- install-nix.sh | 70 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 64 insertions(+), 6 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index 3cf4ec4..2bb730f 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -31,6 +31,7 @@ add_config() { add_config "show-trace = true" # Set jobs to number of cores add_config "max-jobs = auto" +# TODO: is this still necessary if we set NIX_SSL_CERT_FILE below? if [[ $OSTYPE =~ darwin ]]; then add_config "ssl-cert-file = /etc/ssl/cert.pem" fi @@ -70,8 +71,14 @@ installer_options=( --nix-extra-conf-file "$workdir/nix.conf" ) -# only use the nix-daemon settings if on darwin (which get ignored) or systemd is supported +# Enable daemon on macOS and Linux systems with systemd, unless --no-daemon is specified if [[ (! $INPUT_INSTALL_OPTIONS =~ "--no-daemon") && ($OSTYPE =~ darwin || -e /run/systemd/system) ]]; then + use_daemon() { true; } +else + use_daemon() { false; } +fi + +if use_daemon; then installer_options+=( --daemon --daemon-user-count "$(python3 -c 'import multiprocessing as mp; print(mp.cpu_count() * 2)')" 
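Review bot: In the second hunk, the new comment says the daemon is enabled "unless --no-daemon is specified", but the unchanged test `$INPUT_INSTALL_OPTIONS =~ "--no-daemon"` is a literal substring match over the whole options string. `use_daemon` therefore records what was requested, not what the installer actually did. The third hunk reuses it to decide whether `/nix/var/nix/profiles/default/bin` is appended to `GITHUB_PATH`, so the definition deserves a comment such as `# use_daemon: succeeds when a multi-user install was requested (substring match on install_options); also consulted when exporting PATH below`.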
@@ -107,19 +114,70 @@ done sh "$workdir/install" "${installer_options[@]}" -# Set paths -echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" -# new path for nix 2.14 -echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH" +# Configure the environment +# +# Adapted from the single- and multi-user scripts: +# single-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in +# multi-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in +# +# These scripts would normally be evaluated as part of the user's shell profile. +# GitHub doesn't evaluate profiles or rc scripts by default, so we set up the environment manually. +echo "::debug::Nix installed, setting up environment" +# Export the path to Nix if [[ -n "${INPUT_NIX_PATH:-}" ]]; then echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV" fi -# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197 +# Set temporary directory if not already set +# Fixes https://github.com/cachix/install-nix-action/issues/197 if [[ -z "${TMPDIR:-}" ]]; then echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV" fi +# Determine NIX_LINK path (XDG spec, newer XDG-compliant, or legacy) +if [[ -n "${XDG_STATE_HOME:-}" && -e "$XDG_STATE_HOME/nix/profile" ]]; then + NIX_LINK="$XDG_STATE_HOME/nix/profile" +elif [[ -e "$HOME/.local/state/nix/profile" ]]; then + NIX_LINK="$HOME/.local/state/nix/profile" +else + NIX_LINK="$HOME/.nix-profile" +fi + +# Set Nix profiles +echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >> "$GITHUB_ENV" + +# Set NIX_SSL_CERT_FILE if not already configured +if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then + # Check common SSL certificate file locations + if [[ -f "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >> "$GITHUB_ENV" + elif [[ $OSTYPE =~ darwin && -f "/etc/ssl/cert.pem" ]]; then # macOS + echo 
"NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >> "$GITHUB_ENV" + elif [[ -f "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed + echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >> "$GITHUB_ENV" + elif [[ -f "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS + echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "/usr/local/share/certs/ca-root-nss.crt" ]]; then # FreeBSD + echo "NIX_SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt" >> "$GITHUB_ENV" + elif [[ -f "/etc/pki/tls/cacert.pem" ]]; then # OpenELEC + echo "NIX_SSL_CERT_FILE=/etc/pki/tls/cacert.pem" >> "$GITHUB_ENV" + elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile + echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile + echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + fi +fi + +# Set paths based on the installation type +if use_daemon; then + # Multi-user daemon install - add both paths + echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" +fi +# Always add the user profile path +echo "$NIX_LINK/bin" >> "$GITHUB_PATH" + # Close the log message group which was opened above echo "::endgroup::" From 8010de87ca441a6a9a31ee7f54ff74845dced43b Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 28 Aug 2025 18:07:38 +0200 Subject: [PATCH 2/2] test: validate environment variables Add a test to check that the environment is correctly set. --- .github/workflows/test.yml | 2 ++ test-env.sh | 65 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100755 test-env.sh 
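Review bot: `NIX_LINK` is derived from `XDG_STATE_HOME`/`HOME` and then written with plain `echo` into `$GITHUB_ENV` (the `NIX_PROFILES=` line and the last `NIX_SSL_CERT_FILE` fallback) and into `$GITHUB_PATH`. Both files are line-oriented, so a value containing a newline would be read as extra entries by every later step. A guard right after the `NIX_LINK` selection closes that off: `[[ $NIX_LINK != *$'\n'* ]] || { echo "::error::profile path contains a newline"; exit 1; }`. Separately, the header comment gives the same URL (`nix-profile-daemon.sh.in`) for both the single-user and the multi-user script; the single-user one is presumably meant to be `nix-profile.sh.in`. Both links also point at `master`, so the upstream code can drift from what was adapted here.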
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7b3884b..f73594c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,6 +26,8 @@ jobs: uses: ./ with: nix_path: ${{ env.nixpkgs_channel }} + - name: Test environment variables + run: ./test-env.sh - run: nix-env -iA cachix -f https://cachix.org/api/v1/install - run: cat /etc/nix/nix.conf # cachix should be available and be able to configure a cache diff --git a/test-env.sh b/test-env.sh new file mode 100755 index 0000000..bdcccf7 --- /dev/null +++ b/test-env.sh 
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "=== Testing Nix Environment Variables ==="
+echo
+
+# Test NIX_PROFILES
+echo "NIX_PROFILES: ${NIX_PROFILES:-}"
+if [[ -n "${NIX_PROFILES:-}" ]]; then
+ echo "✓ NIX_PROFILES is set"
+else
+ echo "✗ NIX_PROFILES is not set"
+ exit 1
+fi
+
+# Test NIX_SSL_CERT_FILE
+echo "NIX_SSL_CERT_FILE: ${NIX_SSL_CERT_FILE:-}"
+if [[ -n "${NIX_SSL_CERT_FILE:-}" ]]; then
+ if [[ -f "$NIX_SSL_CERT_FILE" ]]; then
+ echo "✓ NIX_SSL_CERT_FILE is set and file exists"
+ else
+ echo "⚠ NIX_SSL_CERT_FILE is set but file does not exist: $NIX_SSL_CERT_FILE"
+ fi
+else
+ echo "⚠ NIX_SSL_CERT_FILE is not set (may be OK depending on system)"
+fi
+
+# Test PATH contains Nix paths
+echo "PATH: $PATH"
+if echo "$PATH" | grep -E -q "(\.nix-profile|nix/profile)"; then
+ echo "✓ PATH contains Nix paths"
+else
+ echo "✗ PATH does not contain Nix paths"
+ exit 1
+fi
+
+# Test NIX_PATH if set
+if [[ -n "${NIX_PATH:-}" ]]; then
+ echo "NIX_PATH: $NIX_PATH"
+ echo "✓ NIX_PATH is set"
+else
+ echo "NIX_PATH: "
+fi
+
+# Test TMPDIR
+echo "TMPDIR: ${TMPDIR:-}"
+if [[ -n "${TMPDIR:-}" ]]; then
+ echo "✓ TMPDIR is set"
+else
+ echo "⚠ TMPDIR is not set"
+fi
+
+echo
+echo "=== Testing Nix Command ==="
+if command -v nix >/dev/null 2>&1; then
+ echo "✓ nix command is available"
+ echo "Nix version: $(nix --version)"
+else
+ echo "✗ nix command is not available"
+ exit 1
+fi
+
+echo
+echo "=== Environment Setup Test Complete ==="
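Review bot: The `NIX_SSL_CERT_FILE` block cannot fail the job: both the "set but file does not exist" branch and the "not set" branch only print a ⚠ line, so a run in which the exported CA bundle path is wrong still passes. When the action itself chose the path it did so after a `-f` test, so a missing file at this point indicates a real regression and the inner `else` could end with `exit 1`. The PATH check is also looser than its message suggests, because `nix/profile` matches `/nix/var/nix/profiles/default/bin` as well, so it passes without the user profile entry being present. Under `set -o pipefail`, writing it as `grep -E -q "(\.nix-profile|nix/profile)" <<<"$PATH"` avoids depending on the exit status of `echo` when `grep -q` exits early.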