Merge pull request #262 from cachix/dependabot/github_actions/actions/checkout-6

chore(deps): bump actions/checkout from 5 to 6

.github/workflows/test-per-system.yml

@@ -0,0 +1,98 @@
+name: Test Runner
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: 'GitHub Actions runner to use (e.g., ubuntu-latest, macos-latest)'
+        required: true
+        type: string
+      system:
+        description: 'Target system architecture (e.g., x86_64-linux, aarch64-darwin)'
+        required: true
+        type: string
+      oldest_installer_version:
+        description: 'Oldest supported Nix installer version to test (e.g., nix-2.8.0)'
+        required: false
+        default: 'nix-2.8.0'
+        type: string
+
+env:
+  nixpkgs_channel: nixpkgs=channel:nixos-25.05
+
+jobs:
+  simple-build:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Install Nix
+      uses: ./
+      with:
+        nix_path: ${{ env.nixpkgs_channel }}
+    - name: Test environment variables
+      run: ./tests/test-env.sh
+    - run: nix-env -iA cachix -f https://cachix.org/api/v1/install
+    - run: cat /etc/nix/nix.conf
+    # cachix should be available and be able to configure a cache
+    - run: cachix use cachix
+    - run: nix-build tests/test-build.nix
+
+  custom-nix-path:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Install Nix
+      uses: ./
+      with:
+        nix_path: ${{ env.nixpkgs_channel }}
+    - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}'
+    - run: nix-build tests/test-build.nix
+
+  extra-nix-config:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Install Nix
+      uses: ./
+      with:
+        nix_path: ${{ env.nixpkgs_channel }}
+        extra_nix_config: |
+          sandbox = relaxed
+    - run: cat /etc/nix/nix.conf
+    - run: nix-build tests/test-build.nix --arg noChroot true
+
+  flakes:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Install Nix
+      uses: ./
+    - run: nix flake show github:NixOS/nixpkgs
+
+  latest-installer:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Run NAR server
+      run: |
+        curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ inputs.system }} -O
+        chmod +x ./nar-toolbox-${{ inputs.system }}
+        ./nar-toolbox-${{ inputs.system }} serve https://cache.nixos.org &
+    - name: Install Nix
+      uses: ./
+      with:
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install
+        install_options: "--tarball-url-prefix http://localhost:8080"
+    - run: nix-build tests/test-build.nix
+
+  oldest-supported-installer:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+    - name: Install Nix
+      uses: ./
+      with:
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://releases.nixos.org/nix/${{ inputs.oldest_installer_version }}/install
+    - run: nix-build tests/test-build.nix

.github/workflows/test.yml

@@ -4,133 +4,62 @@ on:
   push:
     branches:
       - master
+  workflow_dispatch:
 
 env:
-  nixpkgs_channel: nixpkgs=channel:nixos-24.05
+  nixpkgs_channel: nixpkgs=channel:nixos-25.05
-  oldest_supported_installer: nix-2.8.0
-  # Fetch new versions from the Nix CI run: https://github.com/NixOS/nix/blob/master/.github/workflows/ci.yml
-  # TODO: add pinning upstream or rethink this
-  pinned_installer_hash: zfzfrbb59jsqrfkldwj8drcr9nhhc49k
 
 jobs:
-  simple-build:
+  test:
     strategy:
       fail-fast: false
+      # For the list of available images:
+      #   GitHub images: https://github.com/actions/runner-images?tab=readme-ov-file#available-images
+      #   Partner images: https://github.com/actions/partner-runner-images?tab=readme-ov-file#available-images
       matrix:
-        os:
+        include:
-        - ubuntu-latest
+          - runs-on: ubuntu-latest
-        - macos-latest
+            system: x86_64-linux
-        - macos-13
+            oldest_installer_version: nix-2.8.0
-    runs-on: ${{ matrix.os }}
+          - runs-on: ubuntu-22.04
-    steps:
+            system: x86_64-linux
-    - uses: actions/checkout@v4
+            oldest_installer_version: nix-2.8.0
-    - name: Install Nix
+          - runs-on: ubuntu-24.04-arm
-      uses: ./
+            system: aarch64-linux
+            oldest_installer_version: nix-2.8.0
+          - runs-on: ubuntu-22.04-arm
+            system: aarch64-linux
+            oldest_installer_version: nix-2.8.0
+          - runs-on: macos-latest
+            system: aarch64-darwin
+            oldest_installer_version: nix-2.18.6
+          - runs-on: macos-26
+            system: aarch64-darwin
+            oldest_installer_version: nix-2.18.6
+          - runs-on: macos-15
+            system: aarch64-darwin
+            oldest_installer_version: nix-2.18.6
+          - runs-on: macos-14
+            system: aarch64-darwin
+            oldest_installer_version: nix-2.8.0
+          - runs-on: macos-15-intel
+            system: x86_64-darwin
+            oldest_installer_version: nix-2.18.6
+    uses: ./.github/workflows/test-per-system.yml
     with:
-        nix_path: ${{ env.nixpkgs_channel }}
+      runs-on: ${{ matrix.runs-on }}
-    - run: nix-env -iA cachix -f https://cachix.org/api/v1/install
+      system: ${{ matrix.system }}
-    - run: cat /etc/nix/nix.conf
+      oldest_installer_version: ${{ matrix.oldest_installer_version }}
-    # cachix should be available and be able to configure a cache
-    - run: cachix use cachix
-    - run: nix-build test.nix
-
-  custom-nix-path:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-        - ubuntu-latest
-        - macos-latest
-        - macos-13
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install Nix
-      uses: ./
-      with:
-        nix_path: ${{ env.nixpkgs_channel }}
-    - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}'
-    - run: nix-build test.nix
-
-  extra-nix-config:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-        - ubuntu-latest
-        - macos-latest
-        - macos-13
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install Nix
-      uses: ./
-      with:
-        nix_path: ${{ env.nixpkgs_channel }}
-        extra_nix_config: |
-          sandbox = relaxed
-    - run: cat /etc/nix/nix.conf
-    - run: nix-build test.nix --arg noChroot true
-
-  flakes:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-        - ubuntu-latest
-        - macos-latest
-        - macos-13
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install Nix
-      uses: ./
-    - run: nix flake show github:NixOS/nixpkgs
-
-  installer-options:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-        - ubuntu-latest
-        # - macos-latest missing installer for aarch64-darwin
-        - macos-13
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install Nix
-      uses: ./
-      with:
-        nix_path: ${{ env.nixpkgs_channel }}
-        install_options: --tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve
-        install_url: https://nixos-nix-install-tests.cachix.org/serve/${{ env.pinned_installer_hash }}/install
-    - run: nix-build test.nix
-
-  oldest-supported-installer:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-        - ubuntu-latest
-        - macos-latest
-        - macos-13
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install Nix
-      uses: ./
-      with:
-        nix_path: ${{ env.nixpkgs_channel }}
-        install_url: https://releases.nixos.org/nix/${{ env.oldest_supported_installer }}/install
-    - run: nix-build test.nix
 
   act-support:
-    strategy:
+    runs-on: ubuntu-latest
-      matrix:
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
     - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
-    - run: docker pull ghcr.io/catthehacker/ubuntu:js-20.04
+    - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
-    - run: ./bin/act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-20.04 push -j simple-build
+    - run: |
+        ./bin/act push \
+          -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-24.04 \
+          -j simple-build \
+          --matrix runs-on:ubuntu-latest \
+          --matrix system:x86_64-linux

.github/workflows/update-nix.yml

@@ -0,0 +1,52 @@
+name: "Update nix"
+on:
+  repository_dispatch:
+  workflow_dispatch:
+  schedule:
+    - cron: "31 2 * * *"
+jobs:
+  update-nix-releases:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Update nix releases
+        env:
+         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          latest_nix=$(
+            gh api repos/NixOS/nix/tags --paginate --jq '.[].name' |
+            grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' |
+            sort -V |
+            tail -n 1
+          )
+          if [ -z "$latest_nix" ]; then
+            echo "Failed to determine latest Nix version." >&2
+            exit 1
+          fi
+          current_nix=$(grep -oE 'nix_version=[0-9.]+' ./install-nix.sh | cut -d= -f2)
+          echo "Current Nix version: ${current_nix}"
+          echo "Latest Nix version: ${latest_nix}"
+          echo "CURRENT_NIX=${current_nix}" >> $GITHUB_ENV
+          echo "LATEST_NIX=${latest_nix}" >> $GITHUB_ENV
+          sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v8
+        with:
+          title: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}"
+          commit-message: "nix: ${{ env.CURRENT_NIX }} -> ${{ env.LATEST_NIX }}"
+          body: |
+            This PR updates the Nix version from ${{ env.CURRENT_NIX }} to ${{ env.LATEST_NIX }}.
+
+            **To trigger the CI:**
+
+            1. Checkout the PR branch:
+               ```bash
+               gh pr checkout <pr-number>
+               ```
+
+            2. Amend and force push:
+               ```bash
+               git commit --amend --no-edit
+               git push --force-with-lease
+               ```
+          labels: dependencies

.gitignore

@@ -1,93 +1,2 @@
-__tests__/runner/*
-
-# comment out in distribution branches
-node_modules/
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variables file
-.env
+.env*
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/

README.md

@@ -1,24 +1,19 @@
 # install-nix-action
 
-![GitHub Actions badge](https://github.com/cachix/install-nix-action/workflows/install-nix-action%20test/badge.svg)
+[![Tests](https://github.com/cachix/install-nix-action/actions/workflows/test.yml/badge.svg)](https://github.com/cachix/install-nix-action/actions/workflows/test.yml)
 
-Installs [Nix](https://nixos.org/nix/) on GitHub Actions for the supported platforms: Linux and macOS.
+Installs [Nix](https://nixos.org/nix/) on GitHub Actions runners for Linux and macOS.
-
-By default it has no nixpkgs configured, you have to set `nix_path`
-by [picking a channel](https://status.nixos.org/)
-or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs)
-(see also [pinning tutorial](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs)).
 
 # Features
 
-- Quick installation (~4s on Linux, ~20s on macOS)
+- Quick installation (~4s on Linux / ~20s on macOS)
-- Multi-User installation (with sandboxing enabled only on Linux)
+- Multi-user installation with sandboxing enabled by default on Linux
-- [Self-hosted GitHub runner](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) support
+- Support for [self-hosted GitHub runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)
 - Allows specifying Nix installation URL via `install_url` (the oldest supported Nix version is 2.3.5)
 - Allows specifying extra Nix configuration options via `extra_nix_config`
 - Allows specifying `$NIX_PATH` and channels via `nix_path`
-- Share `/nix/store` between builds using [cachix-action](https://github.com/cachix/cachix-action) for simple binary cache setup to speed up your builds and share binaries with your team
 - Enables KVM on supported machines: run VMs and NixOS tests with full hardware-acceleration
+- Pair with a binary cache from [cachix-action](https://github.com/cachix/cachix-action) to speed up re-builds and share binaries across your team
 
 ## Usage
 
@@ -33,8 +28,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
-    - uses: cachix/install-nix-action@v27
+    - uses: cachix/install-nix-action@v31
       with:
         nix_path: nixpkgs=channel:nixos-unstable
     - run: nix-build
@@ -51,30 +46,25 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
-    - uses: cachix/install-nix-action@v27
+    - uses: cachix/install-nix-action@v31
       with:
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
     - run: nix build
     - run: nix flake check
 ```
 
-To install Nix from any commit, go to [the corresponding installer_test action](https://github.com/NixOS/nix/runs/2219534360) and click on "Run cachix/install-nix-action@XX" step and expand the first line.
+## Inputs
-
-## Inputs (specify using `with:`)
-
-- `extra_nix_config`: append to `/etc/nix/nix.conf`
-
-- `github_access_token`: configure Nix to pull from GitHub using the given GitHub token. This helps work around rate limit issues. Has no effect when `access-tokens` is also specified in `extra_nix_config`.
-
-- `install_url`: specify URL to install Nix from (useful for testing non-stable releases or pinning Nix, for example https://releases.nixos.org/nix/nix-2.3.7/install)
-
-- `install_options`: additional installer flags passed to the installer script.
-
-- `nix_path`: set `NIX_PATH` environment variable, for example `nixpkgs=channel:nixos-unstable`
-
-- `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available.
 
+| Name | Description | Default |
+|------|-------------|---------|
+| `install_url` | URL to install Nix from. Useful for testing non-stable releases or pinning a specific Nix version (e.g., <https://releases.nixos.org/nix/nix-2.3.7/install>) | `""` |
+| `install_options` | Additional flags to pass to the Nix installer script | `""` |
+| `extra_nix_config` | Additional configuration to append to `/etc/nix/nix.conf` | `""` |
+| `nix_path` | Value to set for the `NIX_PATH` environment variable (e.g., `nixpkgs=channel:nixos-unstable`) | `""` |
+| `github_access_token` | GitHub token for Nix to use when pulling from GitHub repositories. Helps work around rate limit issues. Has no effect when `access-tokens` is specified in `extra_nix_config`. | `$GITHUB_TOKEN` if available |
+| `set_as_trusted_user` | Add the current user to the `trusted-users` list | `true` |
+| `enable_kvm` | Enable KVM for hardware-accelerated virtualization on Linux | `true` |
 
 ## Differences from the default Nix installer
 
@@ -104,19 +94,30 @@ Some settings have been optimised for use in CI environments:
 
 ## FAQ
 
-### How do I print nixpkgs version I have configured?
+### How do I print the nixpkgs version I've configured?
 
 ```yaml
 - name: Print nixpkgs version
   run: nix-instantiate --eval -E '(import <nixpkgs> {}).lib.version'
 ```
 
-### How do I run NixOS tests?
+### How do I add a nixpkgs channel?
 
-With the following inputs:
+This action doesn't set up any channels by default.
+Use `nix_path` to configure optional channels by [picking a channel](https://status.nixos.org/) or [pinning nixpkgs](https://nix.dev/reference/pinning-nixpkgs) to a specific commit.
 
 ```yaml
-- uses: cachix/install-nix-action@vXX
+- uses: cachix/install-nix-action@v31
+  with:
+    nix_path: nixpkgs=channel:nixos-unstable
+```
+
+See also the [tutorial on pinning on nix.dev](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs).
+
+### How do I run NixOS tests on Linux?
+
+```yaml
+- uses: cachix/install-nix-action@v31
   with:
     enable_kvm: true
     extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
@@ -135,7 +136,7 @@ using [cachix-action](https://github.com/cachix/cachix-action), you
 should use their `extraPullNames` input like this:
 
 ```yaml
-- uses: cachix/cachix-action@vXX
+- uses: cachix/cachix-action@v31
    with:
      name: mycache
      authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -146,13 +147,29 @@ Otherwise, you can add any binary cache to nix.conf using
 install-nix-action's own `extra_nix_config` input:
 
 ```yaml
-- uses: cachix/install-nix-action@v27
+- uses: cachix/install-nix-action@v31
   with:
     extra_nix_config: |
       trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
       substituters = https://hydra.iohk.io https://cache.nixos.org/
 ```
 
+### How do I configure steps to use my flake's development environment?
+
+You can configure [`jobs.<job_id>.steps[*].shell`](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsshell)
+to use `nix develop`.
+
+```yaml
+  # (optional) pre-build the shell separately to avoid skewing the run time of the next
+  #            step and have clear point of failure should the shell fail to build
+- name: Pre-build devShell
+  run: nix build --no-link .#devShells.$(nix eval --impure --raw --expr 'builtins.currentSystem').default
+
+- name: Run a command with nix develop
+  shell: 'nix develop -c bash -e {0}'
+  run: echo "hello, pure world!"
+```
+
 ### How do I pass environment variables to commands run with `nix develop` or `nix shell`?
 
 Nix runs commands in a restricted environment by default, called `pure mode`.
@@ -172,3 +189,60 @@ Or you can disable pure mode entirely with the `--impure` flag:
 ```
 nix develop --impure
 ```
+
+### How do I pass AWS credentials to the Nix daemon?
+
+In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access.
+
+There are two ways to pass AWS credentials to the Nix daemon:
+
+- Configure a default profile using the AWS CLI
+- Install Nix in single-user mode
+
+#### Configure a default profile using the AWS CLI
+
+The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file.
+
+We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC:
+
+```yaml
+job:
+  build:
+    runs-on: ubuntu-latest
+    # Required permissions to request AWS credentials
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+      - uses: cachix/install-nix-action@v31
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v5.0.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role
+      - name: Make AWS Credentials accessible to nix-daemon
+        run: |
+          sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+          sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+          sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}"
+          sudo -i aws configure set region "${AWS_REGION}"
+```
+
+#### Install Nix in single-user mode
+
+In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer.
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store.
+
+This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options.
+
+However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes.
+
+For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`.
+It is not supported on macOS runners, like `macos-latest`.
+
+```yaml
+- uses: cachix/install-nix-action@v31
+  with:
+    install_options: --no-daemon
+```

RELEASE.md

@@ -0,0 +1,44 @@
+# Release
+
+As of v31, releases of this action follow Semantic Versioning.
+
+### Publishing a new release
+
+#### Publish the release
+
+Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases):
+
+- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver.
+- Click `Generate release notes`.
+- `Set as the latest release` should be selected automatically.
+- Publish release
+
+#### Update the major tag
+
+The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates.
+
+This process follows GitHub's own guidelines:
+https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
+
+##### Fetch the latest tags
+
+```
+git pull --tags --force
+```
+
+##### Move the tag
+
+```
+git tag -fa v31
+```
+```
+git push origin v31 --force
+```
+
+#### Update the release notes for the major tag
+
+Find the release on GitHub: https://github.com/cachix/install-nix-action/releases
+
+Edit the release and click `Generate release notes`.
+Edit the formatting and publish.
+

action.yml

@@ -5,7 +5,7 @@ inputs:
   extra_nix_config:
     description: 'Gets appended to `/etc/nix/nix.conf` if passed.'
   github_access_token:
-    description: 'Configure nix to pull from github using the given github token.'
+    description: 'Configure Nix to pull from GitHub using the given GitHub token.'
   install_url:
     description: 'Installation URL that will contain a script to install Nix.'
   install_options:
@@ -16,6 +16,10 @@ inputs:
     description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.'
     required: false
     default: true
+  set_as_trusted_user:
+    description: 'Add current user to `trusted-users`.'
+    required: false
+    default: true
 branding:
   color: 'blue'
   icon: 'sun'
@@ -31,4 +35,5 @@ runs:
         INPUT_INSTALL_URL: ${{ inputs.install_url }}
         INPUT_NIX_PATH: ${{ inputs.nix_path }}
         INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }}
+        INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }}
         GITHUB_TOKEN: ${{ github.token }}

install-nix.sh

@@ -31,11 +31,15 @@ add_config() {
 add_config "show-trace = true"
 # Set jobs to number of cores
 add_config "max-jobs = auto"
+# Configure the nix-daemon to use certificates.
+# In multi-user installs, NIX_SSL_CERT_FILE only works if set in the daemon's service file.
 if [[ $OSTYPE =~ darwin ]]; then
   add_config "ssl-cert-file = /etc/ssl/cert.pem"
 fi
-# Allow binary caches for user
+# Allow binary caches specified at user level
+if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then
   add_config "trusted-users = root ${USER:-}"
+fi
 # Add a GitHub access token.
 # Token-less access is subject to lower rate limits.
 if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then
@@ -65,12 +69,17 @@ fi
 # Nix installer flags
 installer_options=(
   --no-channel-add
-  --darwin-use-unencrypted-nix-store-volume
   --nix-extra-conf-file "$workdir/nix.conf"
 )
 
-# only use the nix-daemon settings if on darwin (which get ignored) or systemd is supported
+# Enable daemon on macOS and Linux systems with systemd, unless --no-daemon is specified
 if [[ (! $INPUT_INSTALL_OPTIONS =~ "--no-daemon") && ($OSTYPE =~ darwin || -e /run/systemd/system) ]]; then
+  use_daemon() { true; }
+else
+  use_daemon() { false; }
+fi
+
+if use_daemon; then
   installer_options+=(
     --daemon
     --daemon-user-count "$(python3 -c 'import multiprocessing as mp; print(mp.cpu_count() * 2)')"
@@ -93,8 +102,8 @@ echo "installer options: ${installer_options[*]}"
 
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.24.7/install}"
+nix_version=2.33.0
-do
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"; do
   sleep 1
   ((curl_retries--))
   if [[ $curl_retries -le 0 ]]; then
@@ -105,19 +114,72 @@ done
 
 sh "$workdir/install" "${installer_options[@]}"
 
-# Set paths
+# Configure the environment
-echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
+#
-# new path for nix 2.14
+# Adapted from the single- and multi-user scripts:
-echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
+#   single-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in
+#   multi-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in
+#
+# These scripts would normally be evaluated as part of the user's shell profile.
+# GitHub doesn't evaluate profiles or rc scripts by default, so we set up the environment manually.
+echo "::debug::Nix installed, setting up environment"
 
+# Export the path to Nix
 if [[ -n "${INPUT_NIX_PATH:-}" ]]; then
   echo "NIX_PATH=${INPUT_NIX_PATH}" >>"$GITHUB_ENV"
 fi
 
-# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197
+# Set temporary directory if not already set
+# Fixes https://github.com/cachix/install-nix-action/issues/197
 if [[ -z "${TMPDIR:-}" ]]; then
   echo "TMPDIR=${RUNNER_TEMP}" >>"$GITHUB_ENV"
 fi
 
+# Determine the profile path.
+#
+# Different versions of Nix support (from newest to oldest):
+#   - NIX_STATE_HOME to fully control the location of home files
+#   - XDG_STATE_HOME, defaulting to .local/state/nix/profile
+#   - $HOME/.nix-profile
+#
+# These directories are created by calling `nix profile`, so they don't exist at this point.
+# Without parsing the Nix version, our best bet is the legacy-ish ~/.nix-profile.
+if [[ -n "${NIX_STATE_HOME:-}" ]]; then
+  NIX_LINK="$NIX_STATE_HOME/profile"
+else
+  NIX_LINK="$HOME/.nix-profile"
+fi
+
+# Set Nix profiles
+echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >>"$GITHUB_ENV"
+
+# Set NIX_SSL_CERT_FILE if not already configured
+if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then
+  # Check common SSL certificate file locations
+  if [[ -e "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
+    echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >>"$GITHUB_ENV"
+  elif [[ $OSTYPE =~ darwin && -e "/etc/ssl/cert.pem" ]]; then # macOS
+    echo "NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >>"$GITHUB_ENV"
+  elif [[ -e "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed
+    echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >>"$GITHUB_ENV"
+  elif [[ -e "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS
+    echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV"
+  elif [[ -e "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS
+    echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >>"$GITHUB_ENV"
+  elif [[ -e "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile
+    echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV"
+  elif [[ -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile
+    echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >>"$GITHUB_ENV"
+  fi
+fi
+
+# Set paths based on the installation type
+if use_daemon; then
+  # Multi-user daemon install - add both paths
+  echo "/nix/var/nix/profiles/default/bin" >>"$GITHUB_PATH"
+fi
+# Always add the user profile path
+echo "$NIX_LINK/bin" >>"$GITHUB_PATH"
+
 # Close the log message group which was opened above
 echo "::endgroup::"

tests/test-env.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "=== Testing Nix Environment Variables ==="
+echo
+
+# Test NIX_PROFILES
+echo "NIX_PROFILES: ${NIX_PROFILES:-<not set>}"
+if [[ -n "${NIX_PROFILES:-}" ]]; then
+  echo "✓ NIX_PROFILES is set"
+else
+  echo "✗ NIX_PROFILES is not set"
+  exit 1
+fi
+
+# Test NIX_SSL_CERT_FILE
+echo "NIX_SSL_CERT_FILE: ${NIX_SSL_CERT_FILE:-<not set>}"
+if [[ -n "${NIX_SSL_CERT_FILE:-}" ]]; then
+  if [[ -f "$NIX_SSL_CERT_FILE" ]]; then
+    echo "✓ NIX_SSL_CERT_FILE is set and file exists"
+  else
+    echo "✗ NIX_SSL_CERT_FILE is set but file does not exist: $NIX_SSL_CERT_FILE"
+    exit 1
+  fi
+else
+  echo "✗ NIX_SSL_CERT_FILE is not set"
+  exit 1
+fi
+
+# Test PATH contains Nix paths
+echo "PATH: $PATH"
+if echo "$PATH" | grep -E -q "(\.nix-profile|nix/profile)"; then
+  echo "✓ PATH contains Nix paths"
+else
+  echo "✗ PATH does not contain Nix paths"
+  exit 1
+fi
+
+# Test NIX_PATH if set
+if [[ -n "${NIX_PATH:-}" ]]; then
+  echo "NIX_PATH: $NIX_PATH"
+  echo "✓ NIX_PATH is set"
+else
+  echo "NIX_PATH: <not set>"
+  exit 1
+fi
+
+# Test TMPDIR
+echo "TMPDIR: ${TMPDIR:-<not set>}"
+if [[ -n "${TMPDIR:-}" ]]; then
+  echo "✓ TMPDIR is set"
+else
+  echo "⚠ TMPDIR is not set"
+  exit 1
+fi
+
+echo
+echo "=== Testing Nix Command ==="
+if command -v nix >/dev/null 2>&1; then
+  echo "✓ nix command is available"
+  echo "Nix version: $(nix --version)"
+else
+  echo "✗ nix command is not available"
+  exit 1
+fi
+
+echo
+echo "=== Environment Setup Test Complete ==="