From 2bb614e91ac4d68577f12de9f9844d1e89c80b8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 27 Sep 2024 13:45:10 +0200 Subject: [PATCH 01/21] Nix: 2.24.7 -> 2.24.8 https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 56b9c08..02fa7f8 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -93,7 +93,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.7/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.8/install}" do sleep 1 ((curl_retries--)) From 4204e15198ce9348dda13b658f2b0b45397cf9e7 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 3 Oct 2024 12:35:16 +1000 Subject: [PATCH 02/21] nix: 2.24.8 -> 2.24.9 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 02fa7f8..df30dd2 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -93,7 +93,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.8/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.9/install}" do sleep 1 ((curl_retries--)) From b1deb06f62baf2f4c1604bc301787f127e990349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 18 Nov 2024 19:24:32 +0100 Subject: [PATCH 03/21] nix: 2.24.9 -> 2.25.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/install-nix.sh b/install-nix.sh index df30dd2..bdb2b6f 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -93,7 +93,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.9/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.25.2/install}" do sleep 1 ((curl_retries--)) From f3f544c44bee9e88b5ab7976e42c675083a4f60b Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 31 Dec 2024 12:55:55 +0400 Subject: [PATCH 04/21] ci: fix latest installer tests --- .github/workflows/test.yml | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9ead59d..b685421 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,9 +8,6 @@ on: env: nixpkgs_channel: nixpkgs=channel:nixos-24.05 oldest_supported_installer: nix-2.8.0 - # Fetch new versions from the Nix CI run: https://github.com/NixOS/nix/blob/master/.github/workflows/ci.yml - # TODO: add pinning upstream or rethink this - pinned_installer_hash: zfzfrbb59jsqrfkldwj8drcr9nhhc49k jobs: simple-build: 
@@ -87,23 +84,31 @@ jobs: uses: ./ - run: nix flake show github:NixOS/nixpkgs - installer-options: + latest-installer: strategy: fail-fast: false matrix: - os: - - ubuntu-latest - # - macos-latest missing installer for aarch64-darwin - - macos-13 + include: + - os: ubuntu-latest + system: x86_64-linux + - os: macos-latest + system: aarch64-darwin + - os: macos-13 + system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + - name: Run NAR server + run: | + curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O + chmod +x ./nar-toolbox-${{ matrix.system }} + ./nar-toolbox-${{ matrix.system }} serve https://cache.nixos.org & - name: Install Nix uses: ./ with: nix_path: ${{ env.nixpkgs_channel }} - install_options: --tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve - install_url: https://nixos-nix-install-tests.cachix.org/serve/${{ env.pinned_installer_hash }}/install + install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install + install_options: "--tarball-url-prefix http://localhost:8080" - run: nix-build test.nix oldest-supported-installer: From a49b703498f43e1426a1b820f27cf12cad57143f Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 31 Dec 2024 13:00:44 +0400 Subject: [PATCH 05/21] ci: fix act test --- .github/workflows/test.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b685421..1ff9461 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
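Review bot: The new `Run NAR server` step downloads and executes `nar-toolbox-${{ matrix.system }}` with `curl --location ... -O` but without `--fail` and without any integrity check, so an HTTP error body would be saved under the binary's name, made executable and run, and the binary itself is only pinned to the mutable `v0.1.0` tag rather than a digest. Add `--fail` and verify before executing, e.g. `curl --fail --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O` followed by `echo "<EXPECTED_SHA256_PLACEHOLDER>  ./nar-toolbox-${{ matrix.system }}" | sha256sum -c -` (`shasum -a 256 -c -` on the macOS runners). The server is also started with `&` and the very next step points `--tarball-url-prefix` at `http://localhost:8080` with nothing waiting for the port to be listening, so a short poll-until-ready loop before `Install Nix` would remove a timing-dependent failure. Whether `serve` listens on 8080 by default is not visible in this hunk; worth confirming or passing the port explicitly if the tool accepts one.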
@@ -137,5 +137,9 @@ jobs: steps: - uses: actions/checkout@v4 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - - run: docker pull ghcr.io/catthehacker/ubuntu:js-20.04 - - run: ./bin/act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-20.04 push -j simple-build + - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 + - run: | + ./bin/act push \ + -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-24.04 \ + -j simple-build \ + --matrix os:ubuntu-latest From a76df16350261308addb51d2386f28f5f0975987 Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 31 Dec 2024 13:11:14 +0400 Subject: [PATCH 06/21] ci: bump nixpkgs channel --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1ff9461..70265e5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,7 +6,7 @@ on: - master env: - nixpkgs_channel: nixpkgs=channel:nixos-24.05 + nixpkgs_channel: nixpkgs=channel:nixos-24.11 oldest_supported_installer: nix-2.8.0 jobs: From 265a04a520d4a95357365b3a9c2e73135a8e9830 Mon Sep 17 00:00:00 2001 From: Sean Gilligan Date: Thu, 16 Jan 2025 12:24:48 -0800 Subject: [PATCH 07/21] GitHub test.yml: add ubuntu-24.04-arm to matrix --- .github/workflows/test.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 70265e5..6eecd5d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,6 +16,7 @@ jobs: matrix: os: - ubuntu-latest + - ubuntu-24.04-arm - macos-latest - macos-13 runs-on: ${{ matrix.os }} @@ -37,6 +38,7 @@ jobs: matrix: os: - ubuntu-latest + - ubuntu-24.04-arm - macos-latest - macos-13 runs-on: ${{ matrix.os }} @@ -55,6 +57,7 @@ jobs: matrix: os: - ubuntu-latest + - ubuntu-24.04-arm - macos-latest - macos-13 runs-on: ${{ matrix.os }} 
@@ -75,6 +78,7 @@ jobs: matrix: os: - ubuntu-latest + - ubuntu-24.04-arm - macos-latest - macos-13 runs-on: ${{ matrix.os }} @@ -91,6 +95,8 @@ jobs: include: - os: ubuntu-latest system: x86_64-linux + - os: ubuntu-24.04-arm + system: aarch64-linux - os: macos-latest system: aarch64-darwin - os: macos-13 @@ -117,6 +123,7 @@ jobs: matrix: os: - ubuntu-latest + - ubuntu-24.04-arm - macos-latest - macos-13 runs-on: ${{ matrix.os }} From d81eadf041318952daecfb82fe8d7b4538067642 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 14 Feb 2025 11:25:14 +0700 Subject: [PATCH 08/21] nix: 2.25.2 -> 2.26.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index bdb2b6f..156ffaf 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -93,7 +93,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.25.2/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.2/install}" do sleep 1 ((curl_retries--)) From e8dbd0c99268f4acbb432e443018da10b7ed9bdc Mon Sep 17 00:00:00 2001 From: Sander Date: Mon, 10 Mar 2025 17:58:37 +0100 Subject: [PATCH 09/21] docs: update readme with latest version --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8ff488c..3e0851c 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v27 + - uses: cachix/install-nix-action@v31 with: nix_path: nixpkgs=channel:nixos-unstable - run: nix-build 
@@ -52,7 +52,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v27 + - uses: cachix/install-nix-action@v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - run: nix build @@ -146,7 +146,7 @@ Otherwise, you can add any binary cache to nix.conf using install-nix-action's own `extra_nix_config` input: ```yaml -- uses: cachix/install-nix-action@v27 +- uses: cachix/install-nix-action@v31 with: extra_nix_config: | trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= From 066004291cc7638382c409f632f7e0b113fb4daa Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 15 Mar 2025 20:06:12 +0100 Subject: [PATCH 10/21] nix: 2.26.2 -> 2.26.3 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 156ffaf..c50aa1f 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -93,7 +93,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.2/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.3/install}" do sleep 1 ((curl_retries--)) From b21ff827074aff6ed4294fe0e3f4d9ed99f4ed65 Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 20 Mar 2025 22:58:29 +0000 Subject: [PATCH 11/21] Remove deprecated `--darwin-use-unencrypted-nix-store-volume` flag Fixes the following warning: ``` Warning: the flag --darwin-use-unencrypted-nix-store-volume is no longer needed and will be removed in the future. ```` --- install-nix.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index c50aa1f..f25955c 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -65,7 +65,6 @@ fi # Nix installer flags installer_options=( --no-channel-add - --darwin-use-unencrypted-nix-store-volume --nix-extra-conf-file "$workdir/nix.conf" ) From 21e6bcccb00b56476f095d1c4e138592d56d6667 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Tue, 1 Apr 2025 00:58:47 +0900 Subject: [PATCH 12/21] action: add option to configure updating trusted users --- README.md | 2 ++ action.yml | 7 ++++++- install-nix.sh | 6 ++++-- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3e0851c..4a13410 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,8 @@ To install Nix from any commit, go to [the corresponding installer_test action]( - `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available. +- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default. + ## Differences from the default Nix installer diff --git a/action.yml b/action.yml index d33114a..fd22752 100644 --- a/action.yml +++ b/action.yml @@ -5,7 +5,7 @@ inputs: extra_nix_config: description: 'Gets appended to `/etc/nix/nix.conf` if passed.' github_access_token: - description: 'Configure nix to pull from github using the given github token.' + description: 'Configure Nix to pull from GitHub using the given GitHub token.' install_url: description: 'Installation URL that will contain a script to install Nix.' install_options: @@ -16,6 +16,10 @@ inputs: description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.' required: false default: true + set_as_trusted_user: + description: 'Add current user to `trusted-users`.' + required: false + default: true branding: color: 'blue' icon: 'sun' @@ -31,4 +35,5 @@ runs: INPUT_INSTALL_URL: ${{ inputs.install_url }} INPUT_NIX_PATH: ${{ inputs.nix_path }} INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }} + INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }} GITHUB_TOKEN: ${{ github.token }} 
diff --git a/install-nix.sh b/install-nix.sh index f25955c..e4ec849 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -34,8 +34,10 @@ add_config "max-jobs = auto" if [[ $OSTYPE =~ darwin ]]; then add_config "ssl-cert-file = /etc/ssl/cert.pem" fi -# Allow binary caches for user -add_config "trusted-users = root ${USER:-}" +# Allow binary caches specified at user level +if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then + add_config "trusted-users = root ${USER:-}" +fi # Add a GitHub access token. # Token-less access is subject to lower rate limits. if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then From f3ff3f99d80ed5a150e133764915d1b0a94da318 Mon Sep 17 00:00:00 2001 From: Victor Engmark Date: Thu, 16 Nov 2023 11:57:02 +1300 Subject: [PATCH 13/21] feat: Pin actions to hashes Done with pin-github-action 1.8.0 using `npx pin-github-action .github/workflows/*.yml`, and then manually bumping the version tag to the relevant number. This fixes the issue that it is common practice for GitHub Actions authors to move major tags when releasing new minor versions. Dependabot supports updating in the same fashion, bumping the version tag when updating the hash. --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6eecd5d..a39155c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -43,7 +43,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: 
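Review bot: `if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]` changes behaviour when the variable is not exported at all: only `action.yml` sets it, so a direct invocation of `install-nix.sh` now silently skips `trusted-users` where it previously always added `${USER:-}`, and if the script runs under `set -u` (its header is outside this hunk) the test aborts instead. Carrying the documented default in the script itself covers both cases: `if [[ "${INPUT_SET_AS_TRUSTED_USER:-true}" == 'true' ]]; then`. The comparison is an exact, case-sensitive match against the string `true`, which matches how `action.yml` renders `default: true`, but a `True` or `yes` from a caller disables the setting without any message; either normalise with `${INPUT_SET_AS_TRUSTED_USER,,}` or state the exact-match requirement in the comment. Because `trusted-users` in Nix lets the listed user set restricted daemon settings, not only substituters, the comment would be more useful as `# Add the runner user to trusted-users so user-level substituters (and other restricted settings) are honoured; opt out with set_as_trusted_user=false`.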
@@ -62,7 +62,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -83,7 +83,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs @@ -103,7 +103,7 @@ jobs: system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O @@ -128,7 +128,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -142,7 +142,7 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | From edf986efb39c90e610aa76f32135ba35753e9b0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 7 Apr 2025 12:33:27 +0200 Subject: [PATCH 14/21] nix: 2.26.3 -> 2.28.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index e4ec849..3877f2e 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.3/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}" do sleep 1 ((curl_retries--)) From 9b4ef2ff2d3ee4f8f56a24c61504009201dadd94 Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 19 Apr 2025 01:26:12 +0400 Subject: [PATCH 15/21] docs: add release notes --- RELEASE.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 RELEASE.md diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..6f035e5 --- /dev/null +++ b/RELEASE.md @@ -0,0 +1,44 @@ +# Release + +As of v31, releases of this action follow Semantic Versioning. + +### Publishing a new release + +#### Publish the release + +Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases): + +- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver. +- Click `Generate release notes`. +- `Set as the latest release` should be selected automatically. +- Publish release + +#### Update the major tag + +The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates. + +This process follows GitHub's own guidelines: +https://github.com/actions/toolkit/blob/main/docs/action-versioning.md + +##### Fetch the latest tags + +``` +git pull --tags --force +``` + +##### Move the tag + +``` +git tag -fa v31 +``` +``` +git push origin v31 --force +``` + +#### Update the release notes for the major tag + +Find the release on GitHub: https://github.com/cachix/install-nix-action/releases + +Edit the release and click `Generate release notes`. +Edit the formatting and publish. + From eafea807c1589a882490ac9966da36927d394cb4 Mon Sep 17 00:00:00 2001 
From: Sander Date: Sat, 19 Apr 2025 01:29:11 +0400 Subject: [PATCH 16/21] remove unused gitignores --- .gitignore | 93 +----------------------------------------------------- 1 file changed, 1 insertion(+), 92 deletions(-) diff --git a/.gitignore b/.gitignore index ffdd18c..c5657b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,93 +1,2 @@ -__tests__/runner/* - -# comment out in distribution branches -node_modules/ - -# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore -# Logs -logs -*.log -npm-debug.log* -yarn-debug.log* -yarn-error.log* -lerna-debug.log* - -# Diagnostic reports (https://nodejs.org/api/report.html) -report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json - -# Runtime data -pids -*.pid -*.seed -*.pid.lock - -# Directory for instrumented libs generated by jscoverage/JSCover -lib-cov - -# Coverage directory used by tools like istanbul -coverage -*.lcov - -# nyc test coverage -.nyc_output - -# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) -.grunt - -# Bower dependency directory (https://bower.io/) -bower_components - -# node-waf configuration -.lock-wscript - -# Compiled binary addons (https://nodejs.org/api/addons.html) -build/Release - -# Dependency directories -jspm_packages/ - -# TypeScript v1 declaration files -typings/ - -# TypeScript cache -*.tsbuildinfo - -# Optional npm cache directory -.npm - -# Optional eslint cache -.eslintcache - -# Optional REPL history -.node_repl_history - -# Output of 'npm pack' -*.tgz - -# Yarn Integrity file -.yarn-integrity - # dotenv environment variables file -.env -.env.test - -# parcel-bundler cache (https://parceljs.org/) -.cache - -# next.js build output -.next - -# nuxt.js build output -.nuxt - -# vuepress build output -.vuepress/dist - -# Serverless directories -.serverless/ - -# FuseBox cache -.fusebox/ - -# DynamoDB Local files -.dynamodb/ +.env* From 83772d105a0277f40fbedafc4d2a510eb498a42c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Apr 2025 00:43:21 +0000 Subject: [PATCH 17/21] chore(deps): bump actions/checkout from 4.1.1 to 4.2.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 4.2.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a39155c..5337d38 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -43,7 +43,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -62,7 +62,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: 
@@ -83,7 +83,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs @@ -103,7 +103,7 @@ jobs: system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O @@ -128,7 +128,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -142,7 +142,7 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | From 4f800b725cedc2e2ce9fe7ab2693296ba2fd559f Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 23 Apr 2025 15:17:07 +0400 Subject: [PATCH 18/21] docs: document how to provide AWS credentials to the nix-daemon Fixes #229. --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/README.md b/README.md index 4a13410..4ac81e2 100644 --- a/README.md +++ b/README.md 
@@ -174,3 +174,59 @@ Or you can disable pure mode entirely with the `--impure` flag: ``` nix develop --impure ``` + +### How do I pass AWS credentials to the Nix daemon? + +In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access. + +There are two ways to pass AWS credentials to the Nix daemon: + - Configure a default profile using the AWS CLI + - Install Nix in single-user mode + +#### Configure a default profile using the AWS CLI + +The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file. + +We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC: + +```yaml +job: + build: + runs-on: ubuntu-latest + # Required permissions to request AWS credentials + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v31 + - name: Assume AWS Role + uses: aws-actions/configure-aws-credentials@v4.1.0 + with: + aws-region: us-east-1 + role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role + - name: Make AWS Credentials accessible to nix-daemon + run: | + sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}" + sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}" + sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}" + sudo -i aws configure set region "${AWS_REGION}" +``` + +#### Install Nix in single-user mode + +In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer. 
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store. + +This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options. + +However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes. + +For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`. +It is not supported on macOS runners, like `macos-latest`. + +```yaml +- uses: cachix/install-nix-action@v31 + with: + install_options: --no-daemon +``` From b2b89c6cb12d1cf229b3b605413344a7b701a4b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 30 Apr 2025 08:22:03 +0200 Subject: [PATCH 19/21] nix: 2.28.2 -> 2.28.3 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 3877f2e..879e214 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}" do sleep 1 ((curl_retries--)) From f5e4dbff3bcf3651939faa49d3cdc505d43966b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 27 May 2025 09:15:35 +0200 Subject: [PATCH 20/21] nix: 2.28.3 -> 2.29.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 879e214..d156496 100755 --- a/install-nix.sh 
+++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}" do sleep 1 ((curl_retries--)) From 129de1289fba8861699d92a10853cba82011362e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 27 May 2025 10:02:27 +0200 Subject: [PATCH 21/21] add github action to keep nix up-to-date --- .github/workflows/update-nix.yml | 31 +++++++++++++++++++++++++++++++ install-nix.sh | 3 ++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/update-nix.yml diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml new file mode 100644 index 0000000..3e088c3 --- /dev/null +++ b/.github/workflows/update-nix.yml @@ -0,0 +1,31 @@ +name: "Update nix" +on: + repository_dispatch: + workflow_dispatch: + schedule: + - cron: "31 2 * * *" +jobs: + update-nix-releases: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Update nix releases + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + latest_nix=$( + gh api repos/NixOS/nix/tags --paginate --jq '.[].name' | + grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' | + sort -V | + tail -n 1 + ) + if [ -z "$latest_nix" ]; then + echo "Failed to determine latest Nix version." >&2 + exit 1 + fi + sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh + - name: Create Pull Request + uses: peter-evans/create-pull-request@v7 + with: + title: Update nix versions + labels: dependencies diff --git a/install-nix.sh b/install-nix.sh index d156496..7198377 100755 --- a/install-nix.sh +++ b/install-nix.sh 
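Review bot: The `update-nix-releases` job declares no `permissions:` block, so `peter-evans/create-pull-request` runs with whatever default token scope the repository grants; declare the least privilege it needs at job level, `permissions:` with `contents: write` and `pull-requests: write`. `actions/checkout@v4` and `peter-evans/create-pull-request@v7` are mutable tag references, which is inconsistent with `test.yml` in this same series (PATCH 13/21 and 17/21 pin `actions/checkout` to a commit SHA with a `# vX.Y.Z` comment); pin both the same way. The `grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'` filter is what makes interpolating `${latest_nix}` into the `sed` expression safe, so it should stay in front of `sort -V` and not be relaxed later. As far as I know, pull requests opened with the default `GITHUB_TOKEN` do not trigger `on: pull_request` workflows, so the bump would not be exercised by the installer tests before merge unless a GitHub App or PAT token is supplied to the action.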
@@ -94,7 +94,8 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}" +nix_version=2.29.0 +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 ((curl_retries--))
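Review bot: `nix_version=2.29.0` is now a line that `.github/workflows/update-nix.yml` rewrites with `sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/"`, but nothing in the script says so, and the regex would also match any other assignment whose name ends in `nix_version`. Mark the line so a maintainer does not restyle it out of the updater's pattern, e.g. `# Bumped automatically by .github/workflows/update-nix.yml; keep the single-line nix_version=X.Y.Z form` directly above it. With the version factored out, a companion `nix_installer_sha256=<PLACEHOLDER>` refreshed by the same updater would let the script verify the fetched installer before it is executed, if upstream publishes a digest for that script; today the default installer is downloaded with `--fail -L` but never checked. The `while` loop's `done` and whatever happens when `curl_retries` reaches zero are outside this hunk.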