From f3ff3f99d80ed5a150e133764915d1b0a94da318 Mon Sep 17 00:00:00 2001
From: Victor Engmark
Date: Thu, 16 Nov 2023 11:57:02 +1300
Subject: [PATCH 1/9] feat: Pin actions to hashes
Done with pin-github-action 1.8.0 using `npx pin-github-action .github/workflows/*.yml`, and then manually bumping the version tag to the relevant number. This fixes the issue that it is common practice for GitHub Actions authors to move major tags when releasing new minor versions. Dependabot supports updating in the same fashion, bumping the version tag when updating the hash.
---
 .github/workflows/test.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6eecd5d..a39155c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
 uses: ./
 with:
@@ -43,7 +43,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
 uses: ./
 with:
@@ -62,7 +62,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
 uses: ./
 with:
@@ -83,7 +83,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
 uses: ./
 - run: nix flake show github:NixOS/nixpkgs
@@ -103,7 +103,7 @@ jobs:
 system: x86_64-darwin
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Run NAR server
 run: |
 curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O
@@ -128,7 +128,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
 uses: ./
 with:
@@ -142,7 +142,7 @@ jobs:
 os: [ubuntu-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
 - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
 - run: |
From edf986efb39c90e610aa76f32135ba35753e9b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 7 Apr 2025 12:33:27 +0200
Subject: [PATCH 2/9] nix: 2.26.3 -> 2.28.2
---
 install-nix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install-nix.sh b/install-nix.sh
index e4ec849..3877f2e 100755
--- a/install-nix.sh
+++ b/install-nix.sh
@@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}"
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.26.3/install}"
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}"
 do
 sleep 1
 ((curl_retries--))
From 9b4ef2ff2d3ee4f8f56a24c61504009201dadd94 Mon Sep 17 00:00:00 2001
From: Sander
Date: Sat, 19 Apr 2025 01:26:12 +0400
Subject: [PATCH 3/9] docs: add release notes
---
 RELEASE.md | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 RELEASE.md
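Review bot: The nar-toolbox binary fetched by the `curl --location … -O` context line that closes this hunk is downloaded from a GitHub release with no integrity check, so the hash-pinning this commit introduces for actions/checkout stops one step short of the artifact the job actually runs. The release tag v0.1.0 is already fixed, so the expected digest of each `nar-toolbox-${{ matrix.system }}` asset can be pinned next to it, e.g. `echo "<sha256>  nar-toolbox-${{ matrix.system }}" | sha256sum -c -` right after the download, and adding `--fail` would keep an HTTP error body from being saved as the binary. The `run: |` block continues past the end of the hunk, so what is done with the file afterwards is not visible here.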
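Review bot: The `curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash` context line directly under the newly pinned checkout in the `@@ -142` hunk fetches an unpinned script from a moving branch and executes it as root, which is the same moving-target problem the commit message describes for major tags, with a far larger blast radius. It also lacks `--fail`, so an HTTP error page would be piped straight into bash. Pinning the raw URL to a commit SHA in place of `master`, downloading to a file and checking a known digest before running it would bring this step in line with the rest of the change; at minimum `curl --fail --location https://raw.githubusercontent.com/nektos/act/<commit>/install.sh | sudo bash`. The step list and the trailing `run: |` block continue outside the hunk.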
diff --git a/RELEASE.md b/RELEASE.md
new file mode 100644
index 0000000..6f035e5
--- /dev/null
+++ b/RELEASE.md
@@ -0,0 +1,44 @@
+# Release
+
+As of v31, releases of this action follow Semantic Versioning.
+
+### Publishing a new release
+
+#### Publish the release
+
+Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases):
+
+- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver.
+- Click `Generate release notes`.
+- `Set as the latest release` should be selected automatically.
+- Publish release
+
+#### Update the major tag
+
+The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates.
+
+This process follows GitHub's own guidelines:
+https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
+
+##### Fetch the latest tags
+
+```
+git pull --tags --force
+```
+
+##### Move the tag
+
+```
+git tag -fa v31
+```
+```
+git push origin v31 --force
+```
+
+#### Update the release notes for the major tag
+
+Find the release on GitHub: https://github.com/cachix/install-nix-action/releases
+
+Edit the release and click `Generate release notes`.
+Edit the formatting and publish.
+
From eafea807c1589a882490ac9966da36927d394cb4 Mon Sep 17 00:00:00 2001
From: Sander
Date: Sat, 19 Apr 2025 01:29:11 +0400
Subject: [PATCH 4/9] remove unused gitignores
---
 .gitignore | 93 +----------------------------------------------------
 1 file changed, 1 insertion(+), 92 deletions(-)
diff --git a/.gitignore b/.gitignore
index ffdd18c..c5657b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,93 +1,2 @@
-__tests__/runner/*
-
-# comment out in distribution branches
-node_modules/
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+.env*
From 83772d105a0277f40fbedafc4d2a510eb498a42c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Apr 2025 00:43:21 +0000
Subject: [PATCH 5/9] chore(deps): bump actions/checkout from 4.1.1 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...11bd71901bbe5b1630ceea73d27597364c9af683)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-version: 4.2.2
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/test.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a39155c..5337d38 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Nix
 uses: ./
 with:
@@ -43,7 +43,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Nix
 uses: ./
 with:
@@ -62,7 +62,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Nix
 uses: ./
 with:
@@ -83,7 +83,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Nix
 uses: ./
 - run: nix flake show github:NixOS/nixpkgs
@@ -103,7 +103,7 @@ jobs:
 system: x86_64-darwin
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run NAR server
 run: |
 curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O
@@ -128,7 +128,7 @@ jobs:
 - macos-13
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Nix
 uses: ./
 with:
@@ -142,7 +142,7 @@ jobs:
 os: [ubuntu-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
 - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
 - run: |
From 4f800b725cedc2e2ce9fe7ab2693296ba2fd559f Mon Sep 17 00:00:00 2001
From: Sander
Date: Wed, 23 Apr 2025 15:17:07 +0400
Subject: [PATCH 6/9] docs: document how to provide AWS credentials to the nix-daemon
Fixes #229.
---
 README.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/README.md b/README.md
index 4a13410..4ac81e2 100644
--- a/README.md
+++ b/README.md
@@ -174,3 +174,59 @@ Or you can disable pure mode entirely with the `--impure` flag:
 ```
 nix develop --impure
 ```
+
+### How do I pass AWS credentials to the Nix daemon?
+
+In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access.
+
+There are two ways to pass AWS credentials to the Nix daemon:
+ - Configure a default profile using the AWS CLI
+ - Install Nix in single-user mode
+
+#### Configure a default profile using the AWS CLI
+
+The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file.
+
+We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC:
+
+```yaml
+job:
+ build:
+ runs-on: ubuntu-latest
+ # Required permissions to request AWS credentials
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cachix/install-nix-action@v31
+ - name: Assume AWS Role
+ uses: aws-actions/configure-aws-credentials@v4.1.0
+ with:
+ aws-region: us-east-1
+ role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role
+ - name: Make AWS Credentials accessible to nix-daemon
+ run: |
+ sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+ sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+ sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}"
+ sudo -i aws configure set region "${AWS_REGION}"
+```
+
+#### Install Nix in single-user mode
+
+In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer.
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store.
+
+This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options.
+
+However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes.
+
+For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`.
+It is not supported on macOS runners, like `macos-latest`.
+
+```yaml
+- uses: cachix/install-nix-action@v31
+ with:
+ install_options: --no-daemon
+```
From b2b89c6cb12d1cf229b3b605413344a7b701a4b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 30 Apr 2025 08:22:03 +0200
Subject: [PATCH 7/9] nix: 2.28.2 -> 2.28.3
---
 install-nix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install-nix.sh b/install-nix.sh
index 3877f2e..879e214 100755
--- a/install-nix.sh
+++ b/install-nix.sh
@@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}"
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}"
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}"
 do
 sleep 1
 ((curl_retries--))
From f5e4dbff3bcf3651939faa49d3cdc505d43966b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 27 May 2025 09:15:35 +0200
Subject: [PATCH 8/9] nix: 2.28.3 -> 2.29.0
---
 install-nix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install-nix.sh b/install-nix.sh
index 879e214..d156496 100755
--- a/install-nix.sh
+++ b/install-nix.sh
@@ -94,7 +94,7 @@ echo "installer options: ${installer_options[*]}"
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}"
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}"
 do
 sleep 1
 ((curl_retries--))
From 129de1289fba8861699d92a10853cba82011362e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 27 May 2025 10:02:27 +0200
Subject: [PATCH 9/9] add github action to keep nix up-to-date
---
 .github/workflows/update-nix.yml | 31 +++++++++++++++++++++++++++++++
 install-nix.sh | 3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/update-nix.yml
diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml
new file mode 100644
index 0000000..3e088c3
--- /dev/null
+++ b/.github/workflows/update-nix.yml
@@ -0,0 +1,31 @@
+name: "Update nix"
+on:
+ repository_dispatch:
+ workflow_dispatch:
+ schedule:
+ - cron: "31 2 * * *"
+jobs:
+ update-nix-releases:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Update nix releases
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ latest_nix=$(
+ gh api repos/NixOS/nix/tags --paginate --jq '.[].name' |
+ grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' |
+ sort -V |
+ tail -n 1
+ )
+ if [ -z "$latest_nix" ]; then
+ echo "Failed to determine latest Nix version." >&2
+ exit 1
+ fi
+ sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ title: Update nix versions
+ labels: dependencies
diff --git a/install-nix.sh b/install-nix.sh
index d156496..7198377 100755
--- a/install-nix.sh
+++ b/install-nix.sh
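Review bot: The new update-nix.yml declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `gh api` and to peter-evans/create-pull-request inherits the repository default, which on older repositories is read/write across the board; the job plausibly needs only `contents: write` and `pull-requests: write` (create-pull-request's documented requirement, to be confirmed) and should say so explicitly. Both `actions/checkout@v4` and `peter-evans/create-pull-request@v7` are also mutable tags, the exact pattern patch 1 of this series removed from test.yml, and the checkout pin Dependabot already landed there, `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`, can be reused verbatim while create-pull-request gets pinned to its own commit SHA. On the positive side the `grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'` filter does constrain what reaches the `sed` expression; a `curl --fail --head "https://releases.nixos.org/nix/nix-${latest_nix}/install"` before the sed would additionally avoid opening a PR for a tag whose installer has not been published yet.
```yaml
permissions:
  contents: write
  pull-requests: write
jobs:
  update-nix-releases:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # … unchanged: "Update nix releases" and "Create Pull Request" steps …
```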
@@ -94,7 +94,8 @@ echo "installer options: ${installer_options[*]}"
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.29.0/install}"
+nix_version=2.29.0
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"
 do
 sleep 1
 ((curl_retries--))
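Review bot: The added `nix_version=2.29.0` is now the line that `.github/workflows/update-nix.yml` rewrites with `sed -E "s/nix_version=[0-9.]+/…/"`, but nothing at the definition records that coupling, so a later rename or a quoted value (`nix_version="2.29.0"` no longer matches `[0-9.]+` directly after the `=`) would silently break the automation. A one-line comment above it, `# Bumped automatically by .github/workflows/update-nix.yml; keep the bare nix_version=x.y.z form`, makes the contract visible to whoever touches this next. Note also that `${INPUT_INSTALL_URL:-…}` still lets a caller replace the whole URL and the installer is still fetched without any checksum; that is pre-existing behaviour rather than something this hunk introduces. The retry loop continues past the end of the hunk.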