Merge pull request #241 from Mic92/nix-updates

Automate nix updates in CI
Merge pull request #239 from Mic92/nix-2.29
2025-06-07 17:44:28 +00:00 · 2025-05-27 14:18:05 +04:00 · 2025-05-27 14:01:10 +04:00 · 2025-05-27 10:17:04 +02:00 · 2025-05-27 09:15:38 +02:00 · 2025-04-30 19:55:33 +04:00
6 changed files with 141 additions and 100 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -21,7 +21,7 @@ jobs:
        - macos-13
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Nix
      uses: ./
      with:
@ -43,7 +43,7 @@ jobs:
        - macos-13
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Nix
      uses: ./
      with:
@ -62,7 +62,7 @@ jobs:
        - macos-13
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Nix
      uses: ./
      with:
@ -83,7 +83,7 @@ jobs:
        - macos-13
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Nix
      uses: ./
    - run: nix flake show github:NixOS/nixpkgs
@ -103,7 +103,7 @@ jobs:
            system: x86_64-darwin
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Run NAR server
      run: |
        curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O
@ -128,7 +128,7 @@ jobs:
        - macos-13
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Nix
      uses: ./
      with:
@ -142,7 +142,7 @@ jobs:
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
    - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
    - run: |
--- a/.github/workflows/update-nix.yml
+++ b/.github/workflows/update-nix.yml
@ -0,0 +1,31 @@
+name: "Update nix"
+on:
+  repository_dispatch:
+  workflow_dispatch:
+  schedule:
+    - cron: "31 2 * * *"
+jobs:
+  update-nix-releases:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Update nix releases
+        env:
+         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          latest_nix=$(
+            gh api repos/NixOS/nix/tags --paginate --jq '.[].name' |
+            grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' |
+            sort -V |
+            tail -n 1
+          )
+          if [ -z "$latest_nix" ]; then
+            echo "Failed to determine latest Nix version." >&2
+            exit 1
+          fi
+          sed -i -E "s/nix_version=[0-9.]+/nix_version=${latest_nix}/" ./install-nix.sh
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          title: Update nix versions
+          labels: dependencies
--- a/.gitignore
+++ b/.gitignore
@ -1,93 +1,2 @@
-__tests__/runner/*
-
-# comment out in distribution branches
-node_modules/
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+.env*
--- a/README.md
+++ b/README.md
@ -174,3 +174,59 @@ Or you can disable pure mode entirely with the `--impure` flag:
 ```
 nix develop --impure
 ```
+
+### How do I pass AWS credentials to the Nix daemon?
+
+In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access.
+
+There are two ways to pass AWS credentials to the Nix daemon:
+  - Configure a default profile using the AWS CLI
+  - Install Nix in single-user mode
+
+#### Configure a default profile using the AWS CLI
+
+The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file.
+
+We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC:
+
+```yaml
+job:
+  build:
+    runs-on: ubuntu-latest
+    # Required permissions to request AWS credentials
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v31
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role
+      - name: Make AWS Credentials accessible to nix-daemon
+        run: |
+          sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+          sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+          sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}"
+          sudo -i aws configure set region "${AWS_REGION}"
+```
+
+#### Install Nix in single-user mode
+
+In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer.
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store.
+
+This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options.
+
+However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes.
+
+For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`.
+It is not supported on macOS runners, like `macos-latest`.
+
+```yaml
+- uses: cachix/install-nix-action@v31
+  with:
+    install_options: --no-daemon
+```
--- a/RELEASE.md
+++ b/RELEASE.md
@ -0,0 +1,44 @@
+# Release
+
+As of v31, releases of this action follow Semantic Versioning.
+
+### Publishing a new release
+
+#### Publish the release
+
+Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases):
+
+- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver.
+- Click `Generate release notes`.
+- `Set as the latest release` should be selected automatically.
+- Publish release
+
+#### Update the major tag
+
+The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates.
+
+This process follows GitHub's own guidelines:
+https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
+
+##### Fetch the latest tags
+
+```
+git pull --tags --force
+```
+
+##### Move the tag
+
+```
+git tag -fa v31
+```
+```
+git push origin v31 --force
+```
+
+#### Update the release notes for the major tag
+
+Find the release on GitHub: https://github.com/cachix/install-nix-action/releases
+
+Edit the release and click `Generate release notes`.
+Edit the formatting and publish.
+
--- a/install-nix.sh
+++ b/install-nix.sh
@ -94,7 +94,8 @@ echo "installer options: ${installer_options[*]}"

 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.2/install}"
+nix_version=2.29.0
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"
 do
  sleep 1
  ((curl_retries--))
Author	SHA1	Message	Date
sander	17fe5fb4a2	Merge pull request #241 from Mic92/nix-updates Automate nix updates in CI	2025-05-27 14:18:05 +04:00
sander	86a92fee0d	Merge pull request #239 from Mic92/nix-2.29 nix: 2.28.3 -> 2.29.0	2025-05-27 14:01:10 +04:00
Jörg Thalheim	129de1289f	add github action to keep nix up-to-date	2025-05-27 10:17:04 +02:00
Jörg Thalheim	f5e4dbff3b	nix: 2.28.3 -> 2.29.0	2025-05-27 09:15:38 +02:00
sander	5261181216	Merge pull request #236 from Mic92/nix-2.28.3	2025-04-30 19:55:33 +04:00
Jörg Thalheim	b2b89c6cb1	nix: 2.28.2 -> 2.28.3	2025-04-30 08:22:03 +02:00
sander	0c65bbe3c1	Merge pull request #235 from cachix/docs-aws-creds	2025-04-24 09:43:50 +02:00
Sander	4f800b725c	docs: document how to provide AWS credentials to the nix-daemon Fixes #229.	2025-04-23 15:21:58 +04:00
sander	80f8d94dab	Merge pull request #234 from cachix/dependabot/github_actions/actions/checkout-4.2.2 chore(deps): bump actions/checkout from 4.1.1 to 4.2.2	2025-04-23 13:18:03 +02:00
dependabot[bot]	83772d105a	chore(deps): bump actions/checkout from 4.1.1 to 4.2.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`b4ffde65f4...11bd71901b`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 4.2.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-04-21 00:43:21 +00:00
sander	48cf9b5849	Merge pull request #201 from l0b0/feat/pin-actions feat: Pin actions to hashes	2025-04-18 23:30:19 +02:00
Sander	eafea807c1	remove unused gitignores	2025-04-19 01:29:11 +04:00
Sander	9b4ef2ff2d	docs: add release notes	2025-04-19 01:26:12 +04:00
Victor Engmark	f3ff3f99d8	feat: Pin actions to hashes Done with pin-github-action <https://github.com/mheap/pin-github-action> 1.8.0 using `npx pin-github-action .github/workflows/*.yml`, and then manually bumping the version tag to the relevant number. This fixes the issue that it is common practice for GitHub Actions authors to move major tags when releasing new minor versions. Dependabot supports updating in the same fashion, bumping the version tag when updating the hash.	2025-04-07 17:54:09 +02:00