mirror of
https://github.com/cachix/install-nix-action.git
synced 2025-09-21 15:49:12 +00:00
9c4488f07a
The installer scripts would normally set up the various environment variables that Nix needs. Since GitHub doesn't run any profile or rc scripts by default, we need to set these up ourselves.
183 lines
7 KiB
Bash
Executable file
183 lines
7 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
if nix_path="$(type -p nix)" ; then
|
|
echo "Aborting: Nix is already installed at ${nix_path}"
|
|
exit
|
|
fi
|
|
|
|
if [[ ($OSTYPE =~ linux) && ($INPUT_ENABLE_KVM == 'true') ]]; then
|
|
enable_kvm() {
|
|
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-install-nix-action-kvm.rules
|
|
sudo udevadm control --reload-rules && sudo udevadm trigger --name-match=kvm
|
|
}
|
|
|
|
echo '::group::Enabling KVM support'
|
|
enable_kvm && echo 'Enabled KVM' || echo 'KVM is not available'
|
|
echo '::endgroup::'
|
|
fi
|
|
|
|
# GitHub command to put the following log messages into a group which is collapsed by default
|
|
echo "::group::Installing Nix"
|
|
|
|
# Create a temporary workdir
|
|
workdir=$(mktemp -d)
|
|
trap 'rm -rf "$workdir"' EXIT
|
|
|
|
# Configure Nix
|
|
add_config() {
|
|
echo "$1" >> "$workdir/nix.conf"
|
|
}
|
|
add_config "show-trace = true"
|
|
# Set jobs to number of cores
|
|
add_config "max-jobs = auto"
|
|
# TODO: is this still necessary if we set NIX_SSL_CERT_FILE below?
|
|
if [[ $OSTYPE =~ darwin ]]; then
|
|
add_config "ssl-cert-file = /etc/ssl/cert.pem"
|
|
fi
|
|
# Allow binary caches specified at user level
|
|
if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then
|
|
add_config "trusted-users = root ${USER:-}"
|
|
fi
|
|
# Add a GitHub access token.
|
|
# Token-less access is subject to lower rate limits.
|
|
if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then
|
|
echo "::debug::Using the provided github_access_token for github.com"
|
|
add_config "access-tokens = github.com=$INPUT_GITHUB_ACCESS_TOKEN"
|
|
# Use the default GitHub token if available.
|
|
# Skip this step if running an Enterprise instance. The default token there does not work for github.com.
|
|
elif [[ -n "${GITHUB_TOKEN:-}" && $GITHUB_SERVER_URL == "https://github.com" ]]; then
|
|
echo "::debug::Using the default GITHUB_TOKEN for github.com"
|
|
add_config "access-tokens = github.com=$GITHUB_TOKEN"
|
|
else
|
|
echo "::debug::Continuing without a GitHub access token"
|
|
fi
|
|
# Append extra nix configuration if provided
|
|
if [[ -n "${INPUT_EXTRA_NIX_CONFIG:-}" ]]; then
|
|
add_config "$INPUT_EXTRA_NIX_CONFIG"
|
|
fi
|
|
if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "experimental-features" ]]; then
|
|
add_config "experimental-features = nix-command flakes"
|
|
fi
|
|
# Always allow substituting from the cache, even if the derivation has `allowSubstitutes = false`.
|
|
# This is a CI optimisation to avoid having to download the inputs for already-cached derivations to rebuild trivial text files.
|
|
if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "always-allow-substitutes" ]]; then
|
|
add_config "always-allow-substitutes = true"
|
|
fi
|
|
|
|
# Nix installer flags
|
|
installer_options=(
|
|
--no-channel-add
|
|
--nix-extra-conf-file "$workdir/nix.conf"
|
|
)
|
|
|
|
# Enable daemon on macOS and Linux systems with systemd, unless --no-daemon is specified
|
|
if [[ (! $INPUT_INSTALL_OPTIONS =~ "--no-daemon") && ($OSTYPE =~ darwin || -e /run/systemd/system) ]]; then
|
|
use_daemon() { true; }
|
|
else
|
|
use_daemon() { false; }
|
|
fi
|
|
|
|
if use_daemon; then
|
|
installer_options+=(
|
|
--daemon
|
|
--daemon-user-count "$(python3 -c 'import multiprocessing as mp; print(mp.cpu_count() * 2)')"
|
|
)
|
|
else
|
|
# "fix" the following error when running nix*
|
|
# error: the group 'nixbld' specified in 'build-users-group' does not exist
|
|
add_config "build-users-group ="
|
|
sudo mkdir -p /etc/nix
|
|
sudo chmod 0755 /etc/nix
|
|
sudo cp "$workdir/nix.conf" /etc/nix/nix.conf
|
|
fi
|
|
|
|
if [[ -n "${INPUT_INSTALL_OPTIONS:-}" ]]; then
|
|
IFS=' ' read -r -a extra_installer_options <<< "$INPUT_INSTALL_OPTIONS"
|
|
installer_options=("${extra_installer_options[@]}" "${installer_options[@]}")
|
|
fi
|
|
|
|
echo "installer options: ${installer_options[*]}"
|
|
|
|
# There is --retry-on-errors, but only newer curl versions support that
|
|
curl_retries=5
|
|
nix_version=2.31.0
|
|
while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-${nix_version}/install}"
|
|
do
|
|
sleep 1
|
|
((curl_retries--))
|
|
if [[ $curl_retries -le 0 ]]; then
|
|
echo "curl retries failed" >&2
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
sh "$workdir/install" "${installer_options[@]}"
|
|
|
|
# Configure the environment
|
|
#
|
|
# Adapted from the single- and multi-user scripts:
|
|
# single-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in
|
|
# multi-user: https://github.com/NixOS/nix/blob/master/scripts/nix-profile-daemon.sh.in
|
|
#
|
|
# These scripts would normally be evaluated as part of the user's shell profile.
|
|
# GitHub doesn't evaluate profiles or rc scripts by default, so we set up the environment manually.
|
|
echo "::debug::Nix installed, setting up environment"
|
|
|
|
# Export the path to Nix
|
|
if [[ -n "${INPUT_NIX_PATH:-}" ]]; then
|
|
echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV"
|
|
fi
|
|
|
|
# Set temporary directory if not already set
|
|
# Fixes https://github.com/cachix/install-nix-action/issues/197
|
|
if [[ -z "${TMPDIR:-}" ]]; then
|
|
echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV"
|
|
fi
|
|
|
|
# Determine NIX_LINK path (XDG spec, newer XDG-compliant, or legacy)
|
|
if [[ -n "${XDG_STATE_HOME:-}" && -e "$XDG_STATE_HOME/nix/profile" ]]; then
|
|
NIX_LINK="$XDG_STATE_HOME/nix/profile"
|
|
elif [[ -e "$HOME/.local/state/nix/profile" ]]; then
|
|
NIX_LINK="$HOME/.local/state/nix/profile"
|
|
else
|
|
NIX_LINK="$HOME/.nix-profile"
|
|
fi
|
|
|
|
# Set Nix profiles
|
|
echo "NIX_PROFILES=/nix/var/nix/profiles/default $NIX_LINK" >> "$GITHUB_ENV"
|
|
|
|
# Set NIX_SSL_CERT_FILE if not already configured
|
|
if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then
|
|
# Check common SSL certificate file locations
|
|
if [[ -f "/etc/ssl/certs/ca-certificates.crt" ]]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
|
|
echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" >> "$GITHUB_ENV"
|
|
elif [[ $OSTYPE =~ darwin && -f "/etc/ssl/cert.pem" ]]; then # macOS
|
|
echo "NIX_SSL_CERT_FILE=/etc/ssl/cert.pem" >> "$GITHUB_ENV"
|
|
elif [[ -f "/etc/ssl/ca-bundle.pem" ]]; then # openSUSE Tumbleweed
|
|
echo "NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem" >> "$GITHUB_ENV"
|
|
elif [[ -f "/etc/ssl/certs/ca-bundle.crt" ]]; then # Old NixOS
|
|
echo "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV"
|
|
elif [[ -f "/etc/pki/tls/certs/ca-bundle.crt" ]]; then # Fedora, CentOS
|
|
echo "NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt" >> "$GITHUB_ENV"
|
|
elif [[ -f "/usr/local/share/certs/ca-root-nss.crt" ]]; then # FreeBSD
|
|
echo "NIX_SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt" >> "$GITHUB_ENV"
|
|
elif [[ -f "/etc/pki/tls/cacert.pem" ]]; then # OpenELEC
|
|
echo "NIX_SSL_CERT_FILE=/etc/pki/tls/cacert.pem" >> "$GITHUB_ENV"
|
|
elif [[ -f "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in default Nix profile
|
|
echo "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV"
|
|
elif [[ -f "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]]; then # fall back to cacert in user Nix profile
|
|
echo "NIX_SSL_CERT_FILE=$NIX_LINK/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV"
|
|
fi
|
|
fi
|
|
|
|
# Set paths based on the installation type
|
|
if use_daemon; then
|
|
# Multi-user daemon install - add both paths
|
|
echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
|
|
fi
|
|
# Always add the user profile path
|
|
echo "$NIX_LINK/bin" >> "$GITHUB_PATH"
|
|
|
|
# Close the log message group which was opened above
|
|
echo "::endgroup::"
|