From b21ff827074aff6ed4294fe0e3f4d9ed99f4ed65 Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 20 Mar 2025 22:58:29 +0000 Subject: [PATCH 01/50] Remove deprecated `--darwin-use-unencrypted-nix-store-volume` flag Fixes the following warning: ``` Warning: the flag --darwin-use-unencrypted-nix-store-volume is no longer needed and will be removed in the future. ```` --- install-nix.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index c50aa1f..f25955c 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -65,7 +65,6 @@ fi # Nix installer flags installer_options=( --no-channel-add - --darwin-use-unencrypted-nix-store-volume --nix-extra-conf-file "$workdir/nix.conf" ) From 21e6bcccb00b56476f095d1c4e138592d56d6667 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Tue, 1 Apr 2025 00:58:47 +0900 Subject: [PATCH 02/50] action: add option to configure updating trusted users --- README.md | 2 ++ action.yml | 7 ++++++- install-nix.sh | 6 ++++-- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3e0851c..4a13410 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,8 @@ To install Nix from any commit, go to [the corresponding installer_test action]( - `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available. +- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default. + ## Differences from the default Nix installer diff --git a/action.yml b/action.yml index d33114a..fd22752 100644 --- a/action.yml +++ b/action.yml @@ -5,7 +5,7 @@ inputs: extra_nix_config: description: 'Gets appended to `/etc/nix/nix.conf` if passed.' github_access_token: - description: 'Configure nix to pull from github using the given github token.' + description: 'Configure Nix to pull from GitHub using the given GitHub token.' install_url: description: 'Installation URL that will contain a script to install Nix.' install_options: 
@@ -16,6 +16,10 @@ inputs: description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.' required: false default: true + set_as_trusted_user: + description: 'Add current user to `trusted-users`.' + required: false + default: true branding: color: 'blue' icon: 'sun' @@ -31,4 +35,5 @@ runs: INPUT_INSTALL_URL: ${{ inputs.install_url }} INPUT_NIX_PATH: ${{ inputs.nix_path }} INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }} + INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }} GITHUB_TOKEN: ${{ github.token }} diff --git a/install-nix.sh b/install-nix.sh index f25955c..e4ec849 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -34,8 +34,10 @@ add_config "max-jobs = auto" if [[ $OSTYPE =~ darwin ]]; then add_config "ssl-cert-file = /etc/ssl/cert.pem" fi -# Allow binary caches for user -add_config "trusted-users = root ${USER:-}" +# Allow binary caches specified at user level +if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then + add_config "trusted-users = root ${USER:-}" +fi # Add a GitHub access token. # Token-less access is subject to lower rate limits. if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then From f3ff3f99d80ed5a150e133764915d1b0a94da318 Mon Sep 17 00:00:00 2001 From: Victor Engmark Date: Thu, 16 Nov 2023 11:57:02 +1300 Subject: [PATCH 03/50] feat: Pin actions to hashes Done with pin-github-action 1.8.0 using `npx pin-github-action .github/workflows/*.yml`, and then manually bumping the version tag to the relevant number. This fixes the issue that it is common practice for GitHub Actions authors to move major tags when releasing new minor versions. Dependabot supports updating in the same fashion, bumping the version tag when updating the hash. --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6eecd5d..a39155c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
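Review bot: The description of the new `set_as_trusted_user` input in action.yml (the `@@ -16,6 +16,10 @@` hunk) does not say what membership in `trusted-users` grants, although the input defaults to `true`. A trusted user can override daemon settings such as additional substituters, and the Nix manual describes this as essentially equivalent to root access on the machine. I would extend the text to something like `description: 'Add the current user to trusted-users. Trusted users can override Nix daemon settings (e.g. substituters), which is root-equivalent on the runner; set to false for jobs that build untrusted code.'`. That gives callers what they need to decide whether the default suits their job.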
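Review bot: The new guard in install-nix.sh (`@@ -34,8 +34,10 @@`) expands `$INPUT_SET_AS_TRUSTED_USER` with no default, while the neighbouring lines use `${USER:-}` and `${INPUT_GITHUB_ACCESS_TOKEN:-}`. If the script runs under `set -u` (not visible in this hunk), invoking it without that variable aborts instead of skipping the setting. `if [[ "${INPUT_SET_AS_TRUSTED_USER:-}" == 'true' ]]; then` matches the surrounding style and fails closed when the variable is absent. Only the exact string `true` enables the branch, so values such as `True` or `1` silently leave the user untrusted. I would state that in the comment, e.g. `# Only the literal 'true' adds $USER to trusted-users (root-equivalent on the daemon)`.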
@@ -21,7 +21,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -43,7 +43,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -62,7 +62,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -83,7 +83,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs @@ -103,7 +103,7 @@ jobs: system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O @@ -128,7 +128,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install Nix uses: ./ with: @@ -142,7 +142,7 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | From edf986efb39c90e610aa76f32135ba35753e9b0f Mon Sep 17 00:00:00 2001 
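Review bot: The `@@ -103,7 +103,7 @@` and `@@ -142,7 +142,7 @@` hunks pin `actions/checkout` to a commit, but their context lines still pull unpinned code into the same jobs. `curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O` stores a release binary with no digest comparison. `curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash` runs a script from a moving branch as root, and `docker pull ghcr.io/catthehacker/ubuntu:js-24.04` resolves a mutable tag. To carry the commit's intent through, fetch the script from a commit-pinned URL and check a recorded hash before executing it, e.g. `echo "<expected-sha256>  install.sh" | shasum -a 256 -c -`, and reference the image by `@sha256:<digest>`. Both `run:` steps continue outside the hunks, so whether the downloads are verified later cannot be seen here.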
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 7 Apr 2025 12:33:27 +0200 Subject: [PATCH 04/50] nix: 2.26.3 -> 2.28.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index e4ec849..3877f2e 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.3/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}" do sleep 1 ((curl_retries--)) From 9b4ef2ff2d3ee4f8f56a24c61504009201dadd94 Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 19 Apr 2025 01:26:12 +0400 Subject: [PATCH 05/50] docs: add release notes --- RELEASE.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 RELEASE.md diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..6f035e5 --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,44 @@ +# Release + +As of v31, releases of this action follow Semantic Versioning. + +### Publishing a new release + +#### Publish the release + +Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases): + +- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver. +- Click `Generate release notes`. +- `Set as the latest release` should be selected automatically. +- Publish release + +#### Update the major tag + +The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates. + +This process follows GitHub's own guidelines: +https://github.com/actions/toolkit/blob/main/docs/action-versioning.md + +##### Fetch the latest tags + +``` +git pull --tags --force +``` + +##### Move the tag + +``` +git tag -fa v31 +``` +``` +git push origin v31 --force +``` + +#### Update the release notes for the major tag + +Find the release on GitHub: https://github.com/cachix/install-nix-action/releases + +Edit the release and click `Generate release notes`. +Edit the formatting and publish. + From eafea807c1589a882490ac9966da36927d394cb4 Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 19 Apr 2025 01:29:11 +0400 Subject: [PATCH 06/50] remove unused gitignores --- .gitignore | 93 +----------------------------------------------------- 1 file changed, 1 insertion(+), 92 deletions(-) diff --git a/.gitignore b/.gitignore index ffdd18c..c5657b8 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,93 +1,2 @@ -__tests__/runner/* - -# comment out in distribution branches -node_modules/ - -# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore -# Logs -logs -*.log -npm-debug.log* -yarn-debug.log* -yarn-error.log* -lerna-debug.log* - -# Diagnostic reports (https://nodejs.org/api/report.html) -report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json - -# Runtime data -pids -*.pid -*.seed -*.pid.lock - -# Directory for instrumented libs generated by jscoverage/JSCover -lib-cov - -# Coverage directory used by tools like istanbul -coverage -*.lcov - -# nyc test coverage -.nyc_output - -# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) -.grunt - -# Bower dependency directory (https://bower.io/) -bower_components - -# node-waf configuration -.lock-wscript - -# Compiled binary addons (https://nodejs.org/api/addons.html) -build/Release - -# Dependency directories -jspm_packages/ - -# TypeScript v1 declaration files -typings/ - -# TypeScript cache -*.tsbuildinfo - -# Optional npm cache directory -.npm - -# Optional eslint cache -.eslintcache - -# Optional REPL history -.node_repl_history - -# Output of 'npm pack' -*.tgz - -# Yarn Integrity file -.yarn-integrity - # dotenv environment variables file -.env -.env.test - -# parcel-bundler cache (https://parceljs.org/) -.cache - -# next.js build output -.next - -# nuxt.js build output -.nuxt - -# vuepress build output -.vuepress/dist - -# Serverless directories -.serverless/ - -# FuseBox cache -.fusebox/ - -# DynamoDB Local files -.dynamodb/ +.env* From 83772d105a0277f40fbedafc4d2a510eb498a42c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Apr 2025 00:43:21 +0000 Subject: [PATCH 07/50] chore(deps): bump actions/checkout from 4.1.1 to 4.2.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 4.2.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a39155c..5337d38 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -43,7 +43,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -62,7 +62,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: 
@@ -83,7 +83,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs @@ -103,7 +103,7 @@ jobs: system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O @@ -128,7 +128,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Nix uses: ./ with: @@ -142,7 +142,7 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | From 4f800b725cedc2e2ce9fe7ab2693296ba2fd559f Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 23 Apr 2025 15:17:07 +0400 Subject: [PATCH 08/50] docs: document how to provide AWS credentials to the nix-daemon Fixes #229. --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/README.md b/README.md index 4a13410..4ac81e2 100644 --- a/README.md +++ b/README.md 
@@ -174,3 +174,59 @@ Or you can disable pure mode entirely with the `--impure` flag: ``` nix develop --impure ``` + +### How do I pass AWS credentials to the Nix daemon? + +In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access. + +There are two ways to pass AWS credentials to the Nix daemon: + - Configure a default profile using the AWS CLI + - Install Nix in single-user mode + +#### Configure a default profile using the AWS CLI + +The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file. + +We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC: + +```yaml +job: + build: + runs-on: ubuntu-latest + # Required permissions to request AWS credentials + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v31 + - name: Assume AWS Role + uses: aws-actions/configure-aws-credentials@v4.1.0 + with: + aws-region: us-east-1 + role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role + - name: Make AWS Credentials accessible to nix-daemon + run: | + sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}" + sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}" + sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}" + sudo -i aws configure set region "${AWS_REGION}" +``` + +#### Install Nix in single-user mode + +In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer. 
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store. + +This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options. + +However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes. + +For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`. +It is not supported on macOS runners, like `macos-latest`. + +```yaml +- uses: cachix/install-nix-action@v31 + with: + install_options: --no-daemon +``` From b2b89c6cb12d1cf229b3b605413344a7b701a4b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 30 Apr 2025 08:22:03 +0200 Subject: [PATCH 09/50] nix: 2.28.2 -> 2.28.3 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 3877f2e..879e214 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}" do sleep 1 ((curl_retries--)) From f5e4dbff3bcf3651939faa49d3cdc505d43966b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 27 May 2025 09:15:35 +0200 Subject: [PATCH 10/50] nix: 2.28.3 -> 2.29.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 879e214..d156496 100755 --- a/install-nix.sh 
+++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}" +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}" do sleep 1 ((curl_retries--)) From 129de1289fba8861699d92a10853cba82011362e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 27 May 2025 10:02:27 +0200 Subject: [PATCH 11/50] add github action to keep nix up-to-date --- .github/workflows/update-nix.yml | 31 +++++++++++++++++++++++++++++++ install-nix.sh | 3 ++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/update-nix.yml diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml new file mode 100644 index 0000000..3e088c3 --- /dev/null +++ b/.github/workflows/update-nix.yml @@ -0,0 +1,31 @@ +name: "Update nix" +on: + repository_dispatch: + workflow_dispatch: + schedule: + - cron: "31 2 * * *" +jobs: + update-nix-releases: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Update nix releases + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + latest_nix=$( + gh api repos/NixOS/nix/tags --paginate --jq '.[].name' | + grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' | + sort -V | + tail -n 1 + ) + if [ -z "$latest_nix" ]; then + echo "Failed to determine latest Nix version." >&2 + exit 1 + fi + sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh + - name: Create Pull Request + uses: peter-evans/create-pull-request@v7 + with: + title: Update nix versions + labels: dependencies diff --git a/install-nix.sh b/install-nix.sh index d156496..7198377 100755 --- a/install-nix.sh +++ b/install-nix.sh 
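Review bot: The new update-nix.yml references `actions/checkout@v4` and `peter-evans/create-pull-request@v7` by movable tag and declares no `permissions:` block, even though the job pushes a branch and opens a pull request with the repository token. test.yml in this series pins actions to commit hashes, and the same form (`uses: owner/action@<commit-sha> # vX.Y.Z`) fits here, all the more because this job holds a write-capable token. A job-level `permissions:` with `contents: write` and `pull-requests: write` would make the grant explicit and keep it to what create-pull-request needs. `repository_dispatch:` has no `types:` filter, so any dispatch event starts the job; please confirm that is intended.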
@@ -94,7 +94,8 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}" +nix_version=2.29.0 +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 ((curl_retries--)) From f66ab705ed3a52427f07360ece8e4fc10be6583d Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Tue, 24 Jun 2025 15:31:11 +0000 Subject: [PATCH 12/50] nix: 2.29.0 -> 2.29.1 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 7198377..efe7d17 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.29.0 +nix_version=2.29.1 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From f0fe604f8a612776892427721526b4c7cfb23aba Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 24 Jun 2025 17:59:06 +0200 Subject: [PATCH 13/50] ci: improve the automated nix bump title and commit message --- .github/workflows/update-nix.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml index 3e088c3..e32bb7f 100644 --- a/.github/workflows/update-nix.yml +++ b/.github/workflows/update-nix.yml 
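Review bot: `nix_version` now selects the installer URL in the `@@ -94,7 +94,8 @@` hunk, but nothing visible here compares the downloaded `$workdir/install` against a known digest, and the companion workflow will change the version without a person choosing it. If the file is executed later in the script (outside this hunk), consider recording an expected sha256 next to `nix_version` and checking it after the download. The check would need to be skipped when `INPUT_INSTALL_URL` overrides the URL, and the update workflow would have to refresh the digest together with the version. Separately, the workflow's `sed` depends on the exact form of this assignment, so a comment such as `# Bumped automatically by .github/workflows/update-nix.yml; keep the form nix_version=X.Y.Z` would document that contract.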
@@ -23,9 +23,30 @@ jobs: echo "Failed to determine latest Nix version." >&2 exit 1 fi + current_nix=$(grep -oE 'nix_version=[0-9.]+' ./install-nix.sh | cut -d= -f2) + echo "Current Nix version: ${current_nix}" + echo "Latest Nix version: ${latest_nix}" + echo "CURRENT_NIX=${current_nix}" >> $GITHUB_ENV + echo "LATEST_NIX=${latest_nix}" >> $GITHUB_ENV sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh - name: Create Pull Request uses: peter-evans/create-pull-request@v7 with: - title: Update nix versions + title: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}" + commit-message: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}" + body: | + This PR updates the Nix version from ${{ env.CURRENT_NIX }} to ${{ env.LATEST_NIX }}. + + **To trigger the CI:** + + 1. Checkout the PR branch: + ```bash + gh pr checkout + ``` + + 2. Amend and force push: + ```bash + git commit --amend --no-edit + git push --force-with-lease + ``` labels: dependencies From 358e2ef1b2d645cda01a938f1231461a2d5f942d Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Wed, 9 Jul 2025 03:03:14 +0000 Subject: [PATCH 14/50] nix: 2.29.1 -> 2.30.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index efe7d17..8323468 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.29.1 +nix_version=2.30.0 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From a55d6df62f402ae44e4016f398ca82a738f77de9 Mon Sep 17 00:00:00 2001 
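Review bot: The added lines `echo "CURRENT_NIX=${current_nix}" >> $GITHUB_ENV` and `echo "LATEST_NIX=${latest_nix}" >> $GITHUB_ENV` leave `$GITHUB_ENV` unquoted. Also, `grep -oE 'nix_version=[0-9.]+' ./install-nix.sh | cut -d= -f2` prints one line per match, so a second `nix_version=` occurrence in install-nix.sh would write a multi-line value into the environment file and then into the PR title and commit message. I would use `current_nix=$(grep -oE 'nix_version=[0-9.]+' ./install-nix.sh | head -n 1 | cut -d= -f2)` and `>> "$GITHUB_ENV"`. `latest_nix` is already restricted to digits and dots by the `grep -E` filter earlier in the step, which begins outside this hunk. An empty `current_nix` is not checked the way an empty `latest_nix` is.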
From: Sergei Zimmerman <145775305+xokdvium@users.noreply.github.com> Date: Sat, 12 Jul 2025 15:36:19 +0300 Subject: [PATCH 15/50] nix: 2.30.0 -> 2.30.1 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 8323468..3376733 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.30.0 +nix_version=2.30.1 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From 9d5112343e444491387aa5a8194afb10ceec6ea2 Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Sat, 26 Jul 2025 03:03:24 +0000 Subject: [PATCH 16/50] nix: 2.30.1 -> 2.30.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 3376733..ba36ce0 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.30.1 +nix_version=2.30.2 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From 92ffed7f0d3ff53963f49661bd58b0ad41451540 Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 29 Jul 2025 17:42:19 +0200 Subject: [PATCH 17/50] ci: make test workflow dispatchable --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5337d38..970d213 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,6 +4,7 @@ on: push: branches: - master + workflow_dispatch: env: nixpkgs_channel: nixpkgs=channel:nixos-24.11 
From 96bd9f39e448e7b2e500161263429f67e3064111 Mon Sep 17 00:00:00 2001 From: Sander Date: Tue, 29 Jul 2025 17:42:27 +0200 Subject: [PATCH 18/50] ci: update nixpkgs channel used in tests --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 970d213..e4c1b4d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: env: - nixpkgs_channel: nixpkgs=channel:nixos-24.11 + nixpkgs_channel: nixpkgs=channel:nixos-25.05 oldest_supported_installer: nix-2.8.0 jobs: From ca6a0fa53591ac959ae1008ad785e444edbef0b1 Mon Sep 17 00:00:00 2001 From: Jennings Zhang Date: Mon, 11 Aug 2025 01:52:06 -0400 Subject: [PATCH 19/50] Add example for `nix develop` --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index 4ac81e2..b2f08d1 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,20 @@ install-nix-action's own `extra_nix_config` input: substituters = https://hydra.iohk.io https://cache.nixos.org/ ``` +### How do I use `nix develop`? + +`nix develop` can be used for `steps[*].shell`. + +```yaml + # optional step: build devShell in advance for accuracy of subsequent step timing and result +- name: Build devShell + run: nix build --no-link .#devShell.$(uname -m)-linux + +- name: Run a command with nix develop + shell: 'nix develop -c bash -e {0}' + run: echo "hello, pure world!" +``` + ### How do I pass environment variables to commands run with `nix develop` or `nix shell`? Nix runs commands in a restricted environment by default, called `pure mode`. From b4dc1121471f39688146a7cd9adb0ed0205613ec Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 11:06:11 +0000 Subject: [PATCH 20/50] chore(deps): bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 14 +++++++------- .github/workflows/update-nix.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e4c1b4d..2d80c58 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,7 +22,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Nix uses: ./ with: @@ -44,7 +44,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Nix uses: ./ with: @@ -63,7 +63,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Nix uses: ./ with: @@ -84,7 +84,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs 
@@ -104,7 +104,7 @@ jobs: system: x86_64-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O @@ -129,7 +129,7 @@ jobs: - macos-13 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Nix uses: ./ with: @@ -143,7 +143,7 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml index e32bb7f..225a3ac 100644 --- a/.github/workflows/update-nix.yml +++ b/.github/workflows/update-nix.yml @@ -8,7 +8,7 @@ jobs: update-nix-releases: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Update nix releases env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a23271bac0db40f14618c3746894ec13a5bc45cc Mon Sep 17 00:00:00 2001 From: Jennings Zhang Date: Fri, 15 Aug 2025 15:14:07 -0400 Subject: [PATCH 21/50] Reword README.md section on `nix develop` Addresses feedback from @sandydoo https://github.com/cachix/install-nix-action/pull/248#pullrequestreview-3121533041 --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b2f08d1..30be585 100644 --- a/README.md +++ b/README.md 
@@ -155,14 +155,16 @@ install-nix-action's own `extra_nix_config` input: substituters = https://hydra.iohk.io https://cache.nixos.org/ ``` -### How do I use `nix develop`? +### How do I configure steps to use my flake's development environment? -`nix develop` can be used for `steps[*].shell`. +You can configure [`jobs..steps[*].shell`](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsshell) +to use `nix develop`. ```yaml - # optional step: build devShell in advance for accuracy of subsequent step timing and result -- name: Build devShell - run: nix build --no-link .#devShell.$(uname -m)-linux + # (optional) pre-build the shell separately to avoid skewing the run time of the next + # step and have clear point of failure should the shell fail to build +- name: Pre-build devShell + run: nix build --no-link .#devShells.$(nix eval --impure --raw --expr 'builtins.currentSystem').default - name: Run a command with nix develop shell: 'nix develop -c bash -e {0}' From c04e864467c87a9e322e1ffcd8ec08df16647b76 Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Tue, 26 Aug 2025 02:58:52 +0000 Subject: [PATCH 22/50] nix: 2.30.2 -> 2.31.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index ba36ce0..3cf4ec4 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.30.2 +nix_version=2.31.0 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From f0f3cc651e014a57f851f1300c1a55404df998aa Mon Sep 17 00:00:00 2001 
From: Sander Date: Thu, 28 Aug 2025 18:15:45 +0200 Subject: [PATCH 23/50] ci: adjust oldest supported installer for macos-15 --- .github/workflows/test.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2d80c58..7b3884b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,6 @@ on: env: nixpkgs_channel: nixpkgs=channel:nixos-25.05 - oldest_supported_installer: nix-2.8.0 jobs: simple-build: @@ -122,11 +121,17 @@ jobs: strategy: fail-fast: false matrix: - os: - - ubuntu-latest - - ubuntu-24.04-arm - - macos-latest - - macos-13 + include: + - os: ubuntu-latest + installer_version: nix-2.8.0 + - os: ubuntu-24.04-arm + installer_version: nix-2.8.0 + - os: macos-latest + # macOS 15 Sequoia took over some of the ids previously used for _nixbld + # 2.18.6 is the oldest version that was patched for this. + installer_version: nix-2.18.6 + - os: macos-13 + installer_version: nix-2.8.0 runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -134,7 +139,7 @@ jobs: uses: ./ with: nix_path: ${{ env.nixpkgs_channel }} - install_url: https://releases.nixos.org/nix/${{ env.oldest_supported_installer }}/install + install_url: https://releases.nixos.org/nix/${{ matrix.installer_version }}/install - run: nix-build test.nix act-support: From cdda9d991c496746010c299a9f31034e3b0e0e4c Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Wed, 3 Sep 2025 02:48:20 +0000 Subject: [PATCH 24/50] nix: 2.31.0 -> 2.31.1 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 3cf4ec4..2b03e30 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.31.0 +nix_version=2.31.1 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From 7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 6 Sep 2025 11:40:37 +0200 Subject: [PATCH 25/50] docs: update the readme --- README.md | 70 +++++++++++++++++++++++++++---------------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 30be585..ade4392 100644 --- a/README.md +++ b/README.md 
@@ -2,23 +2,18 @@ ![GitHub Actions badge](https://github.com/cachix/install-nix-action/workflows/install-nix-action%20test/badge.svg) -Installs [Nix](https://nixos.org/nix/) on GitHub Actions for the supported platforms: Linux and macOS. - -By default it has no nixpkgs configured, you have to set `nix_path` -by [picking a channel](https://status.nixos.org/) -or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs) -(see also [pinning tutorial](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs)). +Installs [Nix](https://nixos.org/nix/) on GitHub Actions runners for Linux and macOS. # Features -- Quick installation (~4s on Linux, ~20s on macOS) -- Multi-User installation (with sandboxing enabled only on Linux) -- [Self-hosted GitHub runner](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) support +- Quick installation (~4s on Linux / ~20s on macOS) +- Multi-user installation with sandboxing enabled by default on Linux +- Support for [self-hosted GitHub runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) - Allows specifying Nix installation URL via `install_url` (the oldest supported Nix version is 2.3.5) - Allows specifying extra Nix configuration options via `extra_nix_config` - Allows specifying `$NIX_PATH` and channels via `nix_path` -- Share `/nix/store` between builds using [cachix-action](https://github.com/cachix/cachix-action) for simple binary cache setup to speed up your builds and share binaries with your team - Enables KVM on supported machines: run VMs and NixOS tests with full hardware-acceleration +- Pair with a binary cache from [cachix-action](https://github.com/cachix/cachix-action) to speed up re-builds and share binaries across your team ## Usage 
@@ -33,7 +28,7 @@ jobs: tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: cachix/install-nix-action@v31 with: nix_path: nixpkgs=channel:nixos-unstable @@ -51,7 +46,7 @@ jobs: tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: cachix/install-nix-action@v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} 
@@ -59,23 +54,17 @@ jobs: - run: nix flake check ``` -To install Nix from any commit, go to [the corresponding installer_test action](https://github.com/NixOS/nix/runs/2219534360) and click on "Run cachix/install-nix-action@XX" step and expand the first line. +## Inputs -## Inputs (specify using `with:`) - -- `extra_nix_config`: append to `/etc/nix/nix.conf` - -- `github_access_token`: configure Nix to pull from GitHub using the given GitHub token. This helps work around rate limit issues. Has no effect when `access-tokens` is also specified in `extra_nix_config`. - -- `install_url`: specify URL to install Nix from (useful for testing non-stable releases or pinning Nix, for example https://releases.nixos.org/nix/nix-2.3.7/install) - -- `install_options`: additional installer flags passed to the installer script. - -- `nix_path`: set `NIX_PATH` environment variable, for example `nixpkgs=channel:nixos-unstable` - -- `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available. - -- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default. +| Name | Description | Default | +|------|-------------|---------| +| `install_url` | URL to install Nix from. Useful for testing non-stable releases or pinning a specific Nix version (e.g., https://releases.nixos.org/nix/nix-2.3.7/install) | `""` | +| `install_options` | Additional flags to pass to the Nix installer script | `""` | +| `extra_nix_config` | Additional configuration to append to `/etc/nix/nix.conf` | `""` | +| `nix_path` | Value to set for the `NIX_PATH` environment variable (e.g., `nixpkgs=channel:nixos-unstable`) | `""` | +| `github_access_token` | GitHub token for Nix to use when pulling from GitHub repositories. Helps work around rate limit issues. Has no effect when `access-tokens` is specified in `extra_nix_config`. 
| `$GITHUB_TOKEN` if available | +| `set_as_trusted_user` | Add the current user to the `trusted-users` list | `true` | +| `enable_kvm` | Enable KVM for hardware-accelerated virtualization on Linux | `true` | ## Differences from the default Nix installer @@ -106,19 +95,30 @@ Some settings have been optimised for use in CI environments: ## FAQ -### How do I print nixpkgs version I have configured? +### How do I print the nixpkgs version I've configured? ```yaml - name: Print nixpkgs version run: nix-instantiate --eval -E '(import {}).lib.version' ``` -### How do I run NixOS tests? +### How do I add a nixpkgs channel? -With the following inputs: +This action doesn't set up any channels by default. +Use `nix_path` to configure optional channels by [picking a channel](https://status.nixos.org/) or [pinning nixpkgs](https://nix.dev/reference/pinning-nixpkgs) to a specific commit. ```yaml -- uses: cachix/install-nix-action@vXX +- uses: cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable +``` + +See also the [tutorial on pinning on nix.dev](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs). + +### How do I run NixOS tests on Linux? + +```yaml +- uses: cachix/install-nix-action@v31 with: enable_kvm: true extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" @@ -137,7 +137,7 @@ using [cachix-action](https://github.com/cachix/cachix-action), you should use their `extraPullNames` input like this: ```yaml -- uses: cachix/cachix-action@vXX +- uses: cachix/cachix-action@v31 with: name: mycache authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' 
@@ -214,10 +214,10 @@ job: id-token: write contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: cachix/install-nix-action@v31 - name: Assume AWS Role - uses: aws-actions/configure-aws-credentials@v4.1.0 + uses: aws-actions/configure-aws-credentials@v5.0.0 with: aws-region: us-east-1 role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role From d5f1c043d0bda9e9709706dd06d9db30f4a35c19 Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Fri, 19 Sep 2025 02:51:48 +0000 Subject: [PATCH 26/50] nix: 2.31.1 -> 2.31.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 2b03e30..61356ac 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.31.1 +nix_version=2.31.2 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" do sleep 1 From df46bbf8195f2fdd59f435919b4046ef415fc43c Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 28 Aug 2025 17:45:48 +0200 Subject: [PATCH 27/50] fix: set up the environment based on the installer shell scripts The installer scripts would normally set up the various environment variables that Nix needs. Since GitHub doesn't run any profile or rc scripts by default, we need to set these up ourselves. --- install-nix.sh | 70 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 64 insertions(+), 6 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index 61356ac..c8124bb 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -31,6 +31,7 @@ add_config() { add_config "show-trace = true" # Set jobs to number of cores add_config "max-jobs = auto" +# TODO: is this still necessary if we set NIX_SSL_CERT_FILE below? if [[ $OSTYPE =~ darwin ]]; then add_config "ssl-cert-file = /etc/ssl/cert.pem" fi @@ -70,8 +71,14 @@ installer_options=( --nix-extra-conf-file "$workdir/nix.conf" ) -# only use the nix-daemon settings if on darwin (which get ignored) or systemd is supported +# Enable daemon on macOS and Linux systems with systemd, unless --no-daemon is specified if [[ (! $INPUT_INSTALL_OPTIONS =~ "--no-daemon") && ($OSTYPE =~ darwin || -e /run/systemd/system) ]]; then + use_daemon() { true; } +else + use_daemon() { false; } +fi + +if use_daemon; then installer_options+=( --daemon --daemon-user-count "$(python3 -c 'import multiprocessing as mp; print(mp.cpu_count() * 2)')" 
@@ -107,19 +114,70 @@ done sh "$workdir/install" "${installer_options[@]}" -# Set paths -echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" -# new path for nix 2.14 -echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH" +# Configure the environment +# +# Adapted from the single- and multi-user scripts: +# single-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in +# multi-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in +# +# These scripts would normally be evaluated as part of the user's shell profile. +# GitHub doesn't evaluate profiles or rc scripts by default, so we set up the environment manually. +echo "::debug::Nix installed, setting up environment" +# Export the path to Nix if [[ -n "${INPUT_NIX_PATH:-}" ]]; then echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV" fi -# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197 +# Set temporary directory if not already set +# Fixes https://github.com/cachix/install-nix-action/issues/197 if [[ -z "${TMPDIR:-}" ]]; then echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV" fi +# Determine NIX_LINK path (XDG spec, newer XDG-compliant, or legacy) +if [[ -n "${XDG_STATE_HOME:-}" && -e "$XDG_STATE_HOME/nix/profile" ]]; then + NIX_LINK="$XDG_STATE_HOME/nix/profile" +elif [[ -e "$HOME/.local/state/nix/profile" ]]; then + NIX_LINK="$HOME/.local/state/nix/profile" +else + NIX_LINK="$HOME/.nix-profile" +fi + +# Set Nix profiles +echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >> "$GITHUB_ENV" + +# Set NIX_SSL_CERT_FILE if not already configured +if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then + # Check common SSL certificate file locations + if [[ -f "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >> "$GITHUB_ENV" + elif [[ $OSTYPE =~ darwin && -f "/etc/ssl/cert.pem" ]]; then # macOS + echo 
"NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >> "$GITHUB_ENV" + elif [[ -f "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed + echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >> "$GITHUB_ENV" + elif [[ -f "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS + echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "/usr/local/share/certs/ca-root-nss.crt" ]]; then # FreeBSD + echo "NIX_SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt" >> "$GITHUB_ENV" + elif [[ -f "/etc/pki/tls/cacert.pem" ]]; then # OpenELEC + echo "NIX_SSL_CERT_FILE=/etc/pki/tls/cacert.pem" >> "$GITHUB_ENV" + elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile + echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile + echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + fi +fi + +# Set paths based on the installation type +if use_daemon; then + # Multi-user daemon install - add both paths + echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" +fi +# Always add the user profile path +echo "$NIX_LINK/bin" >> "$GITHUB_PATH" + # Close the log message group which was opened above echo "::endgroup::" From e29868972558ed782b2d8f39dcf2ea4b3815445f Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 28 Aug 2025 18:07:38 +0200 Subject: [PATCH 28/50] test: validate environment variables Add a test to check that the environment is correctly set. --- .github/workflows/test.yml | 2 ++ test-env.sh | 65 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100755 test-env.sh 
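Review bot: The `NIX_SSL_CERT_FILE` chain has no final `else`, so when none of the candidate bundles exists the script carries on with the variable unset and nothing in the log says so. A closing `else echo "::warning::no CA bundle found; NIX_SSL_CERT_FILE left unset"` would make that visible when later TLS failures are being debugged. The header comment gives the same URL for both scripts: the single-user line points at `nix-profile-daemon.sh.in`, which looks like it was meant to be `nix-profile.sh.in`. In the last block, the comment `# Multi-user daemon install - add both paths` sits on a branch that adds only the default profile path, so it would read better as `# Multi-user daemon install - also add the default profile`.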
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7b3884b..f73594c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,6 +26,8 @@ jobs: uses: ./ with: nix_path: ${{ env.nixpkgs_channel }} + - name: Test environment variables + run: ./test-env.sh - run: nix-env -iA cachix -f https://cachix.org/api/v1/install - run: cat /etc/nix/nix.conf # cachix should be available and be able to configure a cache diff --git a/test-env.sh b/test-env.sh new file mode 100755 index 0000000..bdcccf7 --- /dev/null +++ b/test-env.sh 
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash + +set -euo pipefail + +echo "=== Testing Nix Environment Variables ===" +echo + +# Test NIX_PROFILES +echo "NIX_PROFILES: ${NIX_PROFILES:-}" +if [[ -n "${NIX_PROFILES:-}" ]]; then + echo "✓ NIX_PROFILES is set" +else + echo "✗ NIX_PROFILES is not set" + exit 1 +fi + +# Test NIX_SSL_CERT_FILE +echo "NIX_SSL_CERT_FILE: ${NIX_SSL_CERT_FILE:-}" +if [[ -n "${NIX_SSL_CERT_FILE:-}" ]]; then + if [[ -f "$NIX_SSL_CERT_FILE" ]]; then + echo "✓ NIX_SSL_CERT_FILE is set and file exists" + else + echo "⚠ NIX_SSL_CERT_FILE is set but file does not exist: $NIX_SSL_CERT_FILE" + fi +else + echo "⚠ NIX_SSL_CERT_FILE is not set (may be OK depending on system)" +fi + +# Test PATH contains Nix paths +echo "PATH: $PATH" +if echo "$PATH" | grep -E -q "(\.nix-profile|nix/profile)"; then + echo "✓ PATH contains Nix paths" +else + echo "✗ PATH does not contain Nix paths" + exit 1 +fi + +# Test NIX_PATH if set +if [[ -n "${NIX_PATH:-}" ]]; then + echo "NIX_PATH: $NIX_PATH" + echo "✓ NIX_PATH is set" +else + echo "NIX_PATH: " +fi + +# Test TMPDIR +echo "TMPDIR: ${TMPDIR:-}" +if [[ -n "${TMPDIR:-}" ]]; then + echo "✓ TMPDIR is set" +else + echo "⚠ TMPDIR is not set" +fi + +echo +echo "=== Testing Nix Command ===" +if command -v nix >/dev/null 2>&1; then + echo "✓ nix command is available" + echo "Nix version: $(nix --version)" +else + echo "✗ nix command is not available" + exit 1 +fi + +echo +echo "=== Environment Setup Test Complete ===" From d914f6d9e8f0954b55d937bfcf393d65f212f331 Mon Sep 17 00:00:00 2001 From: Sander Date: Sun, 21 Sep 2025 13:48:22 +0200 Subject: [PATCH 29/50] refactor: drop ssl handling for unsupported platforms --- install-nix.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index c8124bb..86c766b 100755 --- a/install-nix.sh +++ b/install-nix.sh 
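Review bot: The PATH check accepts any entry containing `.nix-profile` or `nix/profile`, so it can pass while the `nix` that `command -v` finds later comes from an unrelated directory. Comparing the directory of `command -v nix` against the entries of `NIX_PROFILES` would tie the two checks together. The pipeline `echo "$PATH" | grep -E -q ...` could be written as `[[ $PATH =~ (\.nix-profile|nix/profile) ]]`, which drops the subprocess and does not depend on how `grep -q` exiting early interacts with `pipefail`. The script has no header comment; a line such as `# Verifies the variables install-nix.sh exports through GITHUB_ENV and GITHUB_PATH` would tell a reader where the checked values come from.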
@@ -160,10 +160,6 @@ if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >> "$GITHUB_ENV" - elif [[ -f "/usr/local/share/certs/ca-root-nss.crt" ]]; then # FreeBSD - echo "NIX_SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt" >> "$GITHUB_ENV" - elif [[ -f "/etc/pki/tls/cacert.pem" ]]; then # OpenELEC - echo "NIX_SSL_CERT_FILE=/etc/pki/tls/cacert.pem" >> "$GITHUB_ENV" elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile From 581a1341225b995dc4f3ee8b15657b1cd31a1146 Mon Sep 17 00:00:00 2001 From: Sander Date: Sun, 21 Sep 2025 17:13:54 +0200 Subject: [PATCH 30/50] refactor: document ssl-cert-file vs NIX_SSL_CERT_FILE --- install-nix.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index 86c766b..46fe0e4 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -26,12 +26,13 @@ trap 'rm -rf "$workdir"' EXIT # Configure Nix add_config() { - echo "$1" >> "$workdir/nix.conf" + echo "$1" >>"$workdir/nix.conf" } add_config "show-trace = true" # Set jobs to number of cores add_config "max-jobs = auto" -# TODO: is this still necessary if we set NIX_SSL_CERT_FILE below? +# Configure the nix-daemon to use certificates. +# In multi-user installs, NIX_SSL_CERT_FILE only works if set in the daemon's service file. if [[ $OSTYPE =~ darwin ]]; then add_config "ssl-cert-file = /etc/ssl/cert.pem" fi From d487f94a7aabbac81bdda3a3209fc9b018a80e6c Mon Sep 17 00:00:00 2001 
From: Sander Date: Sun, 21 Sep 2025 17:14:17 +0200 Subject: [PATCH 31/50] lint --- install-nix.sh | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index 46fe0e4..abf5c18 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -euo pipefail -if nix_path="$(type -p nix)" ; then +if nix_path="$(type -p nix)"; then echo "Aborting: Nix is already installed at ${nix_path}" exit fi @@ -94,7 +94,7 @@ else fi if [[ -n "${INPUT_INSTALL_OPTIONS:-}" ]]; then - IFS=' ' read -r -a extra_installer_options <<< "$INPUT_INSTALL_OPTIONS" + IFS=' ' read -r -a extra_installer_options <<<"$INPUT_INSTALL_OPTIONS" installer_options=("${extra_installer_options[@]}" "${installer_options[@]}") fi @@ -103,8 +103,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 nix_version=2.31.2 -while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}" -do +while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) if [[ $curl_retries -le 0 ]]; then @@ -127,13 +126,13 @@ echo "::debug::Nix installed, setting up environment" # Export the path to Nix if [[ -n "${INPUT_NIX_PATH:-}" ]]; then - echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV" + echo "NIX_PATH=${INPUT_NIX_PATH}" >>"$GITHUB_ENV" fi # Set temporary directory if not already set # Fixes https://github.com/cachix/install-nix-action/issues/197 if [[ -z "${TMPDIR:-}" ]]; then - echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV" + echo "TMPDIR=${RUNNER_TEMP}" >>"$GITHUB_ENV" fi # Determine NIX_LINK path (XDG spec, newer XDG-compliant, or legacy) 
@@ -146,35 +145,35 @@ else fi # Set Nix profiles -echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >> "$GITHUB_ENV" +echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >>"$GITHUB_ENV" # Set NIX_SSL_CERT_FILE if not already configured if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then # Check common SSL certificate file locations if [[ -f "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch - echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >>"$GITHUB_ENV" elif [[ $OSTYPE =~ darwin && -f "/etc/ssl/cert.pem" ]]; then # macOS - echo "NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >>"$GITHUB_ENV" elif [[ -f "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed - echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >>"$GITHUB_ENV" elif [[ -f "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS - echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV" elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS - echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >>"$GITHUB_ENV" elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile - echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV" elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile - echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV" + echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" 
>>"$GITHUB_ENV" fi fi # Set paths based on the installation type if use_daemon; then # Multi-user daemon install - add both paths - echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" + echo "/nix/var/nix/profiles/default/bin" >>"$GITHUB_PATH" fi # Always add the user profile path -echo "$NIX_LINK/bin" >> "$GITHUB_PATH" +echo "$NIX_LINK/bin" >>"$GITHUB_PATH" # Close the log message group which was opened above echo "::endgroup::" From 7449e8905b0560e816fd9eb0bfc53b6d0d73bc73 Mon Sep 17 00:00:00 2001 From: Sander Date: Sun, 21 Sep 2025 17:20:39 +0200 Subject: [PATCH 32/50] tests: improve env tests and move to tests dir --- .github/workflows/test.yml | 12 ++++++------ test.nix => tests/test-build.nix | 0 test-env.sh => tests/test-env.sh | 8 ++++++-- 3 files changed, 12 insertions(+), 8 deletions(-) rename test.nix => tests/test-build.nix (100%) rename test-env.sh => tests/test-env.sh (90%) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f73594c..3585df0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -27,12 +27,12 @@ jobs: with: nix_path: ${{ env.nixpkgs_channel }} - name: Test environment variables - run: ./test-env.sh + run: ./tests/test-env.sh - run: nix-env -iA cachix -f https://cachix.org/api/v1/install - run: cat /etc/nix/nix.conf # cachix should be available and be able to configure a cache - run: cachix use cachix - - run: nix-build test.nix + - run: nix-build tests/test-build.nix custom-nix-path: strategy: @@ -51,7 +51,7 @@ jobs: with: nix_path: ${{ env.nixpkgs_channel }} - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}' - - run: nix-build test.nix + - run: nix-build tests/test-build.nix extra-nix-config: strategy: @@ -72,7 +72,7 @@ jobs: extra_nix_config: | sandbox = relaxed - run: cat /etc/nix/nix.conf - - run: nix-build test.nix --arg noChroot true + - run: nix-build tests/test-build.nix --arg noChroot true flakes: strategy: 
@@ -117,7 +117,7 @@ jobs: nix_path: ${{ env.nixpkgs_channel }} install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install install_options: "--tarball-url-prefix http://localhost:8080" - - run: nix-build test.nix + - run: nix-build tests/test-build.nix oldest-supported-installer: strategy: @@ -142,7 +142,7 @@ jobs: with: nix_path: ${{ env.nixpkgs_channel }} install_url: https://releases.nixos.org/nix/${{ matrix.installer_version }}/install - - run: nix-build test.nix + - run: nix-build tests/test-build.nix act-support: strategy: diff --git a/test.nix b/tests/test-build.nix similarity index 100% rename from test.nix rename to tests/test-build.nix diff --git a/test-env.sh b/tests/test-env.sh similarity index 90% rename from test-env.sh rename to tests/test-env.sh index bdcccf7..3d2e947 100755 --- a/test-env.sh +++ b/tests/test-env.sh @@ -20,10 +20,12 @@ if [[ -n "${NIX_SSL_CERT_FILE:-}" ]]; then if [[ -f "$NIX_SSL_CERT_FILE" ]]; then echo "✓ NIX_SSL_CERT_FILE is set and file exists" else - echo "⚠ NIX_SSL_CERT_FILE is set but file does not exist: $NIX_SSL_CERT_FILE" + echo "✗ NIX_SSL_CERT_FILE is set but file does not exist: $NIX_SSL_CERT_FILE" + exit 1 fi else - echo "⚠ NIX_SSL_CERT_FILE is not set (may be OK depending on system)" + echo "✗ NIX_SSL_CERT_FILE is not set" + exit 1 fi # Test PATH contains Nix paths @@ -41,6 +43,7 @@ if [[ -n "${NIX_PATH:-}" ]]; then echo "✓ NIX_PATH is set" else echo "NIX_PATH: " + exit 1 fi # Test TMPDIR @@ -49,6 +52,7 @@ if [[ -n "${TMPDIR:-}" ]]; then echo "✓ TMPDIR is set" else echo "⚠ TMPDIR is not set" + exit 1 fi echo From 29a4dac2fa2041667aa7a202fdce30a92a77376e Mon Sep 17 00:00:00 2001 
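Review bot: In the NIX_PATH hunk of tests/test-env.sh the new `exit 1` fails the run without an error line, because the branch still prints only `NIX_PATH: `. The script's comment `# Test NIX_PATH if set` also no longer matches a check that now requires the variable. Printing `echo "✗ NIX_PATH is not set"` before the exit would bring it in line with the NIX_SSL_CERT_FILE hunk above it. The TMPDIR hunk has the same mismatch: it keeps the `⚠ TMPDIR is not set` warning text in front of a hard failure. Since the script now requires NIX_PATH, it only passes in jobs that pass `nix_path`; a comment saying so would stop it being added to a job like `flakes`, which installs without that input.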
From: Sander Date: Sun, 21 Sep 2025 17:45:31 +0200 Subject: [PATCH 33/50] tests: refactor tests to run under a single matrix Add additional os versions for both linux and macos. --- .github/workflows/test-per-system.yml | 97 ++++++++++++++++ .github/workflows/test.yml | 156 +++++--------------------- 2 files changed, 124 insertions(+), 129 deletions(-) create mode 100644 .github/workflows/test-per-system.yml diff --git a/.github/workflows/test-per-system.yml b/.github/workflows/test-per-system.yml new file mode 100644 index 0000000..2c5cd87 --- /dev/null +++ b/.github/workflows/test-per-system.yml 
@@ -0,0 +1,97 @@ +name: Test Runner + +on: + workflow_call: + inputs: + runs-on: + description: 'GitHub Actions runner to use (e.g., ubuntu-latest, macos-13)' + required: true + type: string + system: + description: 'Target system architecture (e.g., x86_64-linux, aarch64-darwin)' + required: true + type: string + oldest_installer_version: + description: 'Oldest supported Nix installer version to test (e.g., nix-2.8.0)' + required: true + type: string + +env: + nixpkgs_channel: nixpkgs=channel:nixos-25.05 + +jobs: + simple-build: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Install Nix + uses: ./ + with: + nix_path: ${{ env.nixpkgs_channel }} + - name: Test environment variables + run: ./tests/test-env.sh + - run: nix-env -iA cachix -f https://cachix.org/api/v1/install + - run: cat /etc/nix/nix.conf + # cachix should be available and be able to configure a cache + - run: cachix use cachix + - run: nix-build tests/test-build.nix + + custom-nix-path: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Install Nix + uses: ./ + with: + nix_path: ${{ env.nixpkgs_channel }} + - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}' + - run: nix-build tests/test-build.nix + + extra-nix-config: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Install Nix + uses: ./ + with: + nix_path: ${{ env.nixpkgs_channel }} + extra_nix_config: | + sandbox = relaxed + - run: cat /etc/nix/nix.conf + - run: nix-build tests/test-build.nix --arg noChroot true + + flakes: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Install Nix + uses: ./ + - run: nix flake show github:NixOS/nixpkgs + + latest-installer: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Run NAR server + run: | + curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ inputs.system }} -O + chmod +x ./nar-toolbox-${{ inputs.system }} + ./nar-toolbox-${{ inputs.system }} serve https://cache.nixos.org & + - name: Install Nix + uses: ./ + with: + nix_path: ${{ env.nixpkgs_channel }} + install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install + install_options: "--tarball-url-prefix http://localhost:8080" + - run: nix-build tests/test-build.nix + + oldest-supported-installer: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Install Nix + uses: ./ + with: + nix_path: ${{ env.nixpkgs_channel }} + install_url: https://releases.nixos.org/nix/${{ inputs.oldest_installer_version }}/install + - run: nix-build tests/test-build.nix \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3585df0..6542c67 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
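Review bot: The `Run NAR server` step downloads `nar-toolbox-${{ inputs.system }}` and executes it with no integrity check, and `curl` runs without `--fail`, so an HTTP error body would be saved and marked executable. `${{ inputs.system }}` is also expanded into the script text before the shell sees it; passing it through `env:` keeps the value as data, which matters once this reusable workflow has more than one caller. The file declares no `permissions:` block, and a top-level `permissions:` with `contents: read` would hold the token to what these jobs appear to need. The sketch below covers the step only, with the digest left as a placeholder to be recorded per system.

```yaml
      - name: Run NAR server
        env:
          SYSTEM: ${{ inputs.system }}
          # placeholder: record the published digest for each system
          NAR_TOOLBOX_SHA256: <EXPECTED_SHA256_FOR_SYSTEM>
        run: |
          curl --fail --location -O "https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${SYSTEM}"
          echo "${NAR_TOOLBOX_SHA256}  nar-toolbox-${SYSTEM}" | shasum -a 256 -c -
          chmod +x "./nar-toolbox-${SYSTEM}"
          "./nar-toolbox-${SYSTEM}" serve https://cache.nixos.org &
      # … unchanged: Install Nix step and nix-build …
```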
@@ -10,145 +10,43 @@ env: nixpkgs_channel: nixpkgs=channel:nixos-25.05 jobs: - simple-build: - strategy: - fail-fast: false - matrix: - os: - - ubuntu-latest - - ubuntu-24.04-arm - - macos-latest - - macos-13 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install Nix - uses: ./ - with: - nix_path: ${{ env.nixpkgs_channel }} - - name: Test environment variables - run: ./tests/test-env.sh - - run: nix-env -iA cachix -f https://cachix.org/api/v1/install - - run: cat /etc/nix/nix.conf - # cachix should be available and be able to configure a cache - - run: cachix use cachix - - run: nix-build tests/test-build.nix - - custom-nix-path: - strategy: - fail-fast: false - matrix: - os: - - ubuntu-latest - - ubuntu-24.04-arm - - macos-latest - - macos-13 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install Nix - uses: ./ - with: - nix_path: ${{ env.nixpkgs_channel }} - - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}' - - run: nix-build tests/test-build.nix - - extra-nix-config: - strategy: - fail-fast: false - matrix: - os: - - ubuntu-latest - - ubuntu-24.04-arm - - macos-latest - - macos-13 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install Nix - uses: ./ - with: - nix_path: ${{ env.nixpkgs_channel }} - extra_nix_config: | - sandbox = relaxed - - run: cat /etc/nix/nix.conf - - run: nix-build tests/test-build.nix --arg noChroot true - - flakes: - strategy: - fail-fast: false - matrix: - os: - - ubuntu-latest - - ubuntu-24.04-arm - - macos-latest - - macos-13 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install Nix - uses: ./ - - run: nix flake show github:NixOS/nixpkgs - - latest-installer: + test: strategy: fail-fast: false matrix: include: - - os: 
ubuntu-latest + - runs-on: ubuntu-latest system: x86_64-linux - - os: ubuntu-24.04-arm + oldest_installer_version: nix-2.8.0 + - runs-on: ubuntu-24.04-arm system: aarch64-linux - - os: macos-latest + oldest_installer_version: nix-2.8.0 + - runs-on: ubuntu-22.04 + system: x86_64-linux + oldest_installer_version: nix-2.8.0 + - runs-on: macos-latest system: aarch64-darwin - - os: macos-13 + oldest_installer_version: nix-2.18.6 + - runs-on: macos-26 + system: aarch64-darwin + oldest_installer_version: nix-2.18.6 + - runs-on: macos-15 + system: aarch64-darwin + oldest_installer_version: nix-2.18.6 + - runs-on: macos-14 + system: aarch64-darwin + oldest_installer_version: nix-2.8.0 + - runs-on: macos-13 system: x86_64-darwin - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Run NAR server - run: | - curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O - chmod +x ./nar-toolbox-${{ matrix.system }} - ./nar-toolbox-${{ matrix.system }} serve https://cache.nixos.org & - - name: Install Nix - uses: ./ - with: - nix_path: ${{ env.nixpkgs_channel }} - install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install - install_options: "--tarball-url-prefix http://localhost:8080" - - run: nix-build tests/test-build.nix - - oldest-supported-installer: - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - installer_version: nix-2.8.0 - - os: ubuntu-24.04-arm - installer_version: nix-2.8.0 - - os: macos-latest - # macOS 15 Sequoia took over some of the ids previously used for _nixbld - # 2.18.6 is the oldest version that was patched for this. 
- installer_version: nix-2.18.6 - - os: macos-13 - installer_version: nix-2.8.0 - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install Nix - uses: ./ - with: - nix_path: ${{ env.nixpkgs_channel }} - install_url: https://releases.nixos.org/nix/${{ matrix.installer_version }}/install - - run: nix-build tests/test-build.nix + oldest_installer_version: nix-2.8.0 + uses: ./.github/workflows/test-per-system.yml + with: + runs-on: ${{ matrix.runs-on }} + system: ${{ matrix.system }} + oldest_installer_version: ${{ matrix.oldest_installer_version }} act-support: - strategy: - matrix: - os: [ubuntu-latest] - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash From 6676c23a719464ea6737a19b762b349adfb6b96c Mon Sep 17 00:00:00 2001 From: Sander Date: Mon, 22 Sep 2025 23:35:06 +0200 Subject: [PATCH 34/50] ci: add ubuntu-22.04-arm --- .github/workflows/test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6542c67..6ad3a7c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,11 +18,14 @@ jobs: - runs-on: ubuntu-latest system: x86_64-linux oldest_installer_version: nix-2.8.0 + - runs-on: ubuntu-22.04 + system: x86_64-linux + oldest_installer_version: nix-2.8.0 - runs-on: ubuntu-24.04-arm system: aarch64-linux oldest_installer_version: nix-2.8.0 - - runs-on: ubuntu-22.04 - system: x86_64-linux + - runs-on: ubuntu-22.04-arm + system: aarch64-linux oldest_installer_version: nix-2.8.0 - runs-on: macos-latest system: aarch64-darwin From eb0f6c7357f23dc03126e4986b2329b13f86d1cf Mon Sep 17 00:00:00 2001 
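Review bot: The unchanged `act-support` step `curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash` pipes a script from the mutable `master` branch into a root shell, while every `actions/checkout` reference in this workflow is pinned to a commit hash. This change already reworks the job header, so it is a natural place to fetch the script from a fixed commit into a file first: `curl --fail -sSL -o act-install.sh https://raw.githubusercontent.com/nektos/act/<pinned-commit-sha>/install.sh`, then `sudo bash act-install.sh`. A failed or truncated download is then never executed, and the reviewed script content stays fixed. The rest of the `act-support` job lies outside this hunk.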
From: Sander Date: Mon, 22 Sep 2025 23:37:09 +0200 Subject: [PATCH 35/50] ci: document where to find available images to test against --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6ad3a7c..d122210 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,6 +13,9 @@ jobs: test: strategy: fail-fast: false + # For the list of available images: + # GitHub images: https://github.com/actions/runner-images?tab=readme-ov-file#available-images + # Partner images: https://github.com/actions/partner-runner-images?tab=readme-ov-file#available-images matrix: include: - runs-on: ubuntu-latest From effa594a17fc9b99b2ab4a94ebb246b976327414 Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 24 Sep 2025 21:43:51 +0200 Subject: [PATCH 36/50] fix: simplify setting the user profile --- install-nix.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index abf5c18..b0a7e96 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -135,11 +135,17 @@ if [[ -z "${TMPDIR:-}" ]]; then echo "TMPDIR=${RUNNER_TEMP}" >>"$GITHUB_ENV" fi -# Determine NIX_LINK path (XDG spec, newer XDG-compliant, or legacy) -if [[ -n "${XDG_STATE_HOME:-}" && -e "$XDG_STATE_HOME/nix/profile" ]]; then - NIX_LINK="$XDG_STATE_HOME/nix/profile" -elif [[ -e "$HOME/.local/state/nix/profile" ]]; then - NIX_LINK="$HOME/.local/state/nix/profile" +# Determine the profile path. +# +# Different versions of Nix support (from newest to oldest): +# - NIX_STATE_HOME to fully control the location of home files +# - XDG_STATE_HOME, defaulting to .local/state/nix/profile +# - $HOME/.nix-profile +# +# These directories are created by calling `nix profile`, so they don't exist at this point. +# Without parsing the Nix version, our best bet is the legacy-ish ~/.nix-profile. +if [[ -n "${NIX_STATE_HOME:-}" ]]; then + NIX_LINK="$NIX_STATE_HOME/profile" else NIX_LINK="$HOME/.nix-profile" fi From 9280e7aca88deada44c930f1e2c78e21c3ae3edd Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 24 Sep 2025 21:44:33 +0200 Subject: [PATCH 37/50] fix: use -e to check for certs --- install-nix.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/install-nix.sh b/install-nix.sh index b0a7e96..c72765b 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -156,19 +156,19 @@ echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >>"$GITHUB_ENV" # Set NIX_SSL_CERT_FILE if not already configured if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then # Check common SSL certificate file locations - if [[ -f "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch + if [[ -e "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >>"$GITHUB_ENV" - elif [[ $OSTYPE =~ darwin && -f "/etc/ssl/cert.pem" ]]; then # macOS + elif [[ $OSTYPE =~ darwin && -e "/etc/ssl/cert.pem" ]]; then # macOS echo "NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >>"$GITHUB_ENV" - elif [[ -f "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed + elif [[ -e "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >>"$GITHUB_ENV" - elif [[ -f "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS + elif [[ -e "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV" - elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS + elif [[ -e "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >>"$GITHUB_ENV" - elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile + elif [[ -e "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV" - elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile + elif [[ -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV" fi fi 
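Review bot: Each of the seven candidate bundle paths is written twice, once in the `[[ -e … ]]` test and once in the `echo`, so the tested path and the exported `NIX_SSL_CERT_FILE` can drift apart, and any tightening of the check must be repeated in every branch. One ordered candidate list with a single loop keeps the same priority and the darwin-only entry. Note that `-e` also succeeds for a directory or an empty file, whereas the previous `-f` required a regular file. If that relaxation is intended, a one-line comment naming the case `-f` missed would help, since this value selects the TLS trust anchors. The whole `if` block is inside this hunk.

```shell
# Set NIX_SSL_CERT_FILE if not already configured
if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then
  # Candidate bundles, highest priority first
  cert_candidates=("/etc/ssl/certs/ca-certificates.crt") # NixOS, Ubuntu, Debian, Gentoo, Arch
  if [[ $OSTYPE =~ darwin ]]; then
    cert_candidates+=("/etc/ssl/cert.pem") # macOS
  fi
  cert_candidates+=(
    "/etc/ssl/ca-bundle.pem"                                    # openSUSE Tumbleweed
    "/etc/ssl/certs/ca-bundle.crt"                              # Old NixOS
    "/etc/pki/tls/certs/ca-bundle.crt"                          # Fedora, CentOS
    "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" # cacert in default Nix profile
    "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"                     # cacert in user Nix profile
  )
  for cert_file in "${cert_candidates[@]}"; do
    if [[ -e "$cert_file" ]]; then
      echo "NIX_SSL_CERT_FILE=$cert_file" >>"$GITHUB_ENV"
      break
    fi
  done
fi
```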
From 0b43574e96db6352c6d9332aeeabb688780fd300 Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 2 Oct 2025 22:18:42 +0200 Subject: [PATCH 38/50] ci: add macos-15-intel runner --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d122210..88c5440 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -42,6 +42,10 @@ jobs: - runs-on: macos-14 system: aarch64-darwin oldest_installer_version: nix-2.8.0 + - runs-on: macos-15-intel + system: x86_64-darwin + oldest_installer_version: nix-2.18.0 + # macos13 will be retired on 04/12/2025 - runs-on: macos-13 system: x86_64-darwin oldest_installer_version: nix-2.8.0 From 0ef05056dac6b5a0a2d438dfa61457b0816c91a7 Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 2 Oct 2025 23:22:01 +0200 Subject: [PATCH 39/50] ci: adjust oldest supported version for macos-15 --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 88c5440..340b54d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -44,7 +44,7 @@ jobs: oldest_installer_version: nix-2.8.0 - runs-on: macos-15-intel system: x86_64-darwin - oldest_installer_version: nix-2.18.0 + oldest_installer_version: nix-2.18.6 # macos13 will be retired on 04/12/2025 - runs-on: macos-13 system: x86_64-darwin From b8a94d36142a266bd57204a628092fe741baa9ab Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 8 Oct 2025 04:22:39 +0200 Subject: [PATCH 40/50] ci: pass correct args to the act test --- .github/workflows/test-per-system.yml | 5 +++-- .github/workflows/test.yml | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-per-system.yml b/.github/workflows/test-per-system.yml index 2c5cd87..c0686cd 100644 --- a/.github/workflows/test-per-system.yml +++ b/.github/workflows/test-per-system.yml 
@@ -13,7 +13,8 @@ on: type: string oldest_installer_version: description: 'Oldest supported Nix installer version to test (e.g., nix-2.8.0)' - required: true + required: false + default: 'nix-2.8.0' type: string env: @@ -94,4 +95,4 @@ jobs: with: nix_path: ${{ env.nixpkgs_channel }} install_url: https://releases.nixos.org/nix/${{ inputs.oldest_installer_version }}/install - - run: nix-build tests/test-build.nix \ No newline at end of file + - run: nix-build tests/test-build.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 340b54d..fb25d14 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -65,4 +65,5 @@ jobs: ./bin/act push \ -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-24.04 \ -j simple-build \ - --matrix os:ubuntu-latest + --matrix runs-on:ubuntu-latest \ + --matrix system:x86_64-linux From 0b2de19be54b10cd0041f28eccb4e33050f6cf26 Mon Sep 17 00:00:00 2001 From: Sander Date: Wed, 8 Oct 2025 04:26:29 +0200 Subject: [PATCH 41/50] docs: update the ci badge --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ade4392..70a9836 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # install-nix-action -![GitHub Actions badge](https://github.com/cachix/install-nix-action/workflows/install-nix-action%20test/badge.svg) +[![Tests](https://github.com/cachix/install-nix-action/actions/workflows/test.yml/badge.svg)](https://github.com/cachix/install-nix-action/actions/workflows/test.yml) Installs [Nix](https://nixos.org/nix/) on GitHub Actions runners for Linux and macOS. 
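Review bot: With `required: false` and `default: 'nix-2.8.0'`, a caller that omits `oldest_installer_version` silently tests nix-2.8.0 on whatever runner it passes, whereas the matrix in `test.yml` uses `nix-2.18.6` for the macOS 15 and later images. The comment removed from `test.yml` earlier in this series said 2.18.6 is the oldest installer patched for the `_nixbld` id change in macOS 15, and that rationale no longer appears in either workflow as far as these hunks show. I would record it in the input description, e.g. `description: 'Oldest supported Nix installer version to test (e.g., nix-2.8.0; macOS 15+ runners need nix-2.18.6 or later)'`. The `inputs` block starts above this hunk.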
@@ -58,7 +58,7 @@ jobs: | Name | Description | Default | |------|-------------|---------| -| `install_url` | URL to install Nix from. Useful for testing non-stable releases or pinning a specific Nix version (e.g., https://releases.nixos.org/nix/nix-2.3.7/install) | `""` | +| `install_url` | URL to install Nix from. Useful for testing non-stable releases or pinning a specific Nix version (e.g., ) | `""` | | `install_options` | Additional flags to pass to the Nix installer script | `""` | | `extra_nix_config` | Additional configuration to append to `/etc/nix/nix.conf` | `""` | | `nix_path` | Value to set for the `NIX_PATH` environment variable (e.g., `nixpkgs=channel:nixos-unstable`) | `""` | @@ -66,7 +66,6 @@ jobs: | `set_as_trusted_user` | Add the current user to the `trusted-users` list | `true` | | `enable_kvm` | Enable KVM for hardware-accelerated virtualization on Linux | `true` | - ## Differences from the default Nix installer Some settings have been optimised for use in CI environments: @@ -196,8 +195,9 @@ nix develop --impure In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access. There are two ways to pass AWS credentials to the Nix daemon: - - Configure a default profile using the AWS CLI - - Install Nix in single-user mode + +- Configure a default profile using the AWS CLI +- Install Nix in single-user mode #### Configure a default profile using the AWS CLI From a8518315386edcda124d3a3086a044897a068c67 Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Wed, 8 Oct 2025 02:49:37 +0000 Subject: [PATCH 42/50] nix: 2.31.2 -> 2.32.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/install-nix.sh b/install-nix.sh index c72765b..05d00c0 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.31.2 +nix_version=2.32.0 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) From a55fd2d8473faff7049af67d80774e2a3dcb055a Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Wed, 15 Oct 2025 02:55:04 +0000 Subject: [PATCH 43/50] nix: 2.32.0 -> 2.32.1 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 05d00c0..591e684 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.32.0 +nix_version=2.32.1 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) From 0cacfe0f2ae51187068ad04c6b735aefdeb60cfb Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Tue, 28 Oct 2025 02:56:48 +0000 Subject: [PATCH 44/50] nix: 2.32.1 -> 2.32.2 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 591e684..3731171 100755 --- a/install-nix.sh +++ b/install-nix.sh 
@@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.32.1 +nix_version=2.32.2 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) From 5afc2ac89deaab04f30843a4f55e40ba2b2b6bca Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Sat, 8 Nov 2025 02:52:36 +0000 Subject: [PATCH 45/50] nix: 2.32.2 -> 2.32.3 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 3731171..57a83a4 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.32.2 +nix_version=2.32.3 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) From 16d2e3294de3e9c90868e217896f706d634faa79 Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Wed, 12 Nov 2025 03:00:07 +0000 Subject: [PATCH 46/50] nix: 2.32.3 -> 2.32.4 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 57a83a4..007b399 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.32.3 +nix_version=2.32.4 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--)) From 7e5978947b7efba56e96c43fd785691980aca924 Mon Sep 17 00:00:00 2001 
From: Sander Date: Tue, 18 Nov 2025 13:10:54 +0100 Subject: [PATCH 47/50] ci: drop macos-13 runner This runner will be removed next month. We now test x86_64-darwin on macos-15-intel. That runner will be supported until fall of 2027. --- .github/workflows/test-per-system.yml | 2 +- .github/workflows/test.yml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/test-per-system.yml b/.github/workflows/test-per-system.yml index c0686cd..d0597fd 100644 --- a/.github/workflows/test-per-system.yml +++ b/.github/workflows/test-per-system.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: runs-on: - description: 'GitHub Actions runner to use (e.g., ubuntu-latest, macos-13)' + description: 'GitHub Actions runner to use (e.g., ubuntu-latest, macos-latest)' required: true type: string system: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fb25d14..1383c94 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -45,10 +45,6 @@ jobs: - runs-on: macos-15-intel system: x86_64-darwin oldest_installer_version: nix-2.18.6 - # macos13 will be retired on 04/12/2025 - - runs-on: macos-13 - system: x86_64-darwin - oldest_installer_version: nix-2.8.0 uses: ./.github/workflows/test-per-system.yml with: runs-on: ${{ matrix.runs-on }} From 523410fd45d63195103608faab1e96d7034e901a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Nov 2025 00:01:03 +0000 Subject: [PATCH 48/50] chore(deps): bump actions/checkout from 5 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/test-per-system.yml | 12 ++++++------ .github/workflows/test.yml | 2 +- .github/workflows/update-nix.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test-per-system.yml b/.github/workflows/test-per-system.yml index d0597fd..f3550f9 100644 --- a/.github/workflows/test-per-system.yml +++ b/.github/workflows/test-per-system.yml @@ -24,7 +24,7 @@ jobs: simple-build: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Nix uses: ./ with: @@ -40,7 +40,7 @@ jobs: custom-nix-path: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Nix uses: ./ with: @@ -51,7 +51,7 @@ jobs: extra-nix-config: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Nix uses: ./ with: @@ -64,7 +64,7 @@ jobs: flakes: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Nix uses: ./ - run: nix flake show github:NixOS/nixpkgs @@ -72,7 +72,7 @@ jobs: latest-installer: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Run NAR server run: | curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ inputs.system }} -O 
@@ -89,7 +89,7 @@ jobs: oldest-supported-installer: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Nix uses: ./ with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1383c94..e974b11 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: act-support: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04 - run: | diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml index 225a3ac..ad4766c 100644 --- a/.github/workflows/update-nix.yml +++ b/.github/workflows/update-nix.yml @@ -8,7 +8,7 @@ jobs: update-nix-releases: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Update nix releases env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 15a7ab2c661e3857aae3815f2e7af8e9fa274be7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Dec 2025 00:00:59 +0000 Subject: [PATCH 49/50] chore(deps): bump peter-evans/create-pull-request from 7 to 8 Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7 to 8. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/v7...v8) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/update-nix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml index 225a3ac..edd9809 100644 --- a/.github/workflows/update-nix.yml +++ b/.github/workflows/update-nix.yml @@ -30,7 +30,7 @@ jobs: echo "LATEST_NIX=${latest_nix}" >> $GITHUB_ENV sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@v8 with: title: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}" commit-message: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}" From 72e7d4072fae04f94feac051666687091cf5149b Mon Sep 17 00:00:00 2001 From: sandydoo <7572407+sandydoo@users.noreply.github.com> Date: Thu, 11 Dec 2025 03:04:03 +0000 Subject: [PATCH 50/50] nix: 2.32.4 -> 2.33.0 --- install-nix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-nix.sh b/install-nix.sh index 007b399..01bc178 100755 --- a/install-nix.sh +++ b/install-nix.sh @@ -102,7 +102,7 @@ echo "installer options: ${installer_options[*]}" # There is --retry-on-errors, but only newer curl versions support that curl_retries=5 -nix_version=2.32.4 +nix_version=2.33.0 while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do sleep 1 ((curl_retries--))