
Commit ddfca32

grahamclucperkins
andauthored
Convert flakehub: true to determinate: true (#123)
* Drop the flakehub param to deprecated, use determinate, and log in to flakehub * Expand the test suite to cover determinate on all our targets --------- Co-authored-by: Luc Perkins <lucperkins@gmail.com>
1 parent da36cb6 commit ddfca32


5 files changed

+159
-182
lines changed


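--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,9 +11,9 @@ jobs:
 runs-on: ubuntu-22.04
 needs:
 - check-dist-up-to-date
-- install-nix-linux
-- install-nix-macos
+- install-nix
 - install-with-non-default-source-inputs
+- install-no-id-token
 # NOTE(cole-h): GitHub treats "skipped" as "OK" for the purposes of required checks on branch
 # protection, so we take advantage of this fact and fail if any of the dependent actions failed,
 # or "skip" (which is a success for GHA's purposes) if none of them did.
@@ -44,14 +44,21 @@ jobs:
 - name: Ensure no staged changes
 run: git diff --exit-code
 
-install-nix-linux:
-name: Run test suite for Linux systems
+install-nix:
+name: "Test: ${{ matrix.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
 strategy:
 matrix:
 runner:
 - ubuntu-latest
 - nscloud-ubuntu-22.04-amd64-4x16
 - namespace-profile-default-arm64
+# - macos-12-large # determinate-nixd is broken on macos-12
+- macos-13-large
+- macos-14-large
+- macos-14-xlarge # arm64
+determinate:
+- true
+- false
 runs-on: ${{ matrix.runner }}
 permissions:
 contents: read
@@ -65,6 +72,7 @@ jobs:
 log-directives: nix_installer=trace
 backtrace: full
 _internal-strict-mode: true
+determinate: ${{ matrix.determinate }}
 - name: echo $PATH
 run: echo $PATH
 
@@ -82,85 +90,6 @@ jobs:
 nix store gc
 nix run nixpkgs#hello
 
-- name: Test bash
-run: nix-instantiate -E 'builtins.currentTime' --eval
-if: success() || failure()
-shell: bash --login {0}
-- name: Test sh
-run: nix-instantiate -E 'builtins.currentTime' --eval
-if: success() || failure()
-shell: sh -l {0}
-- name: Install Nix again (noop)
-uses: ./
-with:
-logger: pretty
-log-directives: nix_installer=trace
-backtrace: full
-_internal-strict-mode: true
-- name: Test `nix` with `$GITHUB_PATH`
-if: success() || failure()
-run: |
-nix run nixpkgs#hello
-nix profile install nixpkgs#hello
-hello
-nix store gc
-nix run nixpkgs#hello
-- name: Reinstall Nix
-uses: ./
-with:
-logger: pretty
-log-directives: nix_installer=trace
-backtrace: full
-reinstall: true
-extra-conf: |
-use-sqlite-wal = true
-_internal-strict-mode: true
-- name: Test `nix` with `$GITHUB_PATH`
-if: success() || failure()
-run: |
-nix run nixpkgs#hello
-nix profile install nixpkgs#hello
-hello
-nix store gc
-nix run nixpkgs#hello
-- name: Verify the generated nix.conf
-run: |
-cat -n /etc/nix/nix.conf
-grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-
-install-nix-macos:
-name: Run test suite for macOS systems
-strategy:
-matrix:
-runner:
-# x86_64-darwin
-- macos-12
-# aarch64-darwin
-- macos-latest-xlarge
-runs-on: ${{ matrix.runner }}
-permissions:
-contents: read
-id-token: write
-steps:
-- uses: actions/checkout@v4
-- name: Install Nix
-uses: ./
-with:
-logger: pretty
-log-directives: nix_installer=trace
-backtrace: full
-_internal-strict-mode: true
-- name: echo $PATH
-run: echo $PATH
-- name: Test `nix` with `$GITHUB_PATH`
-if: success() || failure()
-run: |
-nix run nixpkgs#hello
-nix profile install nixpkgs#hello
-hello
-nix store gc
-nix run nixpkgs#hello
 - name: Test bash
 run: nix-instantiate -E 'builtins.currentTime' --eval
 if: success() || failure()
@@ -170,16 +99,16 @@ jobs:
 if: success() || failure()
 shell: sh -l {0}
 - name: Test zsh
-run: nix-instantiate -E 'builtins.currentTime' --eval
+run: if (zsh --help > /dev/null); then zsh --login --interactive -c "nix-instantiate -E 'builtins.currentTime' --eval"; fi
 if: success() || failure()
-shell: zsh --login --interactive {0}
 - name: Install Nix again (noop)
 uses: ./
 with:
 logger: pretty
 log-directives: nix_installer=trace
 backtrace: full
 _internal-strict-mode: true
+determinate: ${{ matrix.determinate }}
 - name: Test `nix` with `$GITHUB_PATH`
 if: success() || failure()
 run: |
@@ -198,6 +127,7 @@ jobs:
 extra-conf: |
 use-sqlite-wal = true
 _internal-strict-mode: true
+determinate: ${{ matrix.determinate }}
 - name: Test `nix` with `$GITHUB_PATH`
 if: success() || failure()
 run: |
@@ -208,9 +138,10 @@ jobs:
 nix run nixpkgs#hello
 - name: Verify the generated nix.conf
 run: |
-cat /etc/nix/nix.conf
-grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
+nix config show
+cat -n /etc/nix/nix.conf
+nix config show | grep -E "^trusted-users = .*$USER"
+nix config show | grep -E "^use-sqlite-wal = true"
 
 install-with-non-default-source-inputs:
 name: Install Nix using non-default source-${{ matrix.inputs.key }}
@@ -236,3 +167,13 @@ jobs:
 _internal-strict-mode: true
 - name: Ensure that the expected Nix version ${{ matrix.inputs.nix-version }} is installed via alternative source-${{ matrix.inputs.key }}
 run: .github/verify-version.sh ${{ matrix.inputs.nix-version }}
+
+install-no-id-token:
+name: Install Nix without an ID token
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@v4
+- uses: ./
+with:
+_internal-strict-mode: true
+determinate: true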
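Review bot: The new `install-no-id-token` job in the last hunk declares no `permissions:` block, so whether it really runs without an ID token depends on the workflow- or repository-level default rather than on the job itself (no workflow-level `permissions:` is visible on this page). Since `install-nix` spells out its own permissions, I would add `permissions:` with `contents: read` to this job too, which pins it to least privilege and keeps the test's premise explicit. The job also ends right after the install step, so it only shows that the action exits cleanly with `determinate: true` and no token. A follow-up step such as `run: nix run nixpkgs#hello`, the smoke check `install-nix` already uses, would confirm the resulting install is usable.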

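--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ jobs:
 
 ### With FlakeHub
 
-To fetch private flakes from FlakeHub, update the `permissions` block and pass `flakehub: true`:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and pass `determinate: true`:
 
 ```yaml
 on:
@@ -53,7 +53,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
 with:
-flakehub: true
+determinate: true
 - run: nix build .
 ```
 
@@ -85,9 +85,10 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | Parameter | Description | Type | Default |
 | :---------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :------------------------------------------------------------- |
 | `backtrace` | The setting for [`RUST_BACKTRACE`][backtrace] | string | |
+| `determinate` | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches. | Boolean | `false` |
 | `extra-args` | Extra arguments to pass to the planner (prefer using structured `with:` arguments unless using a custom [planner]!) | string | |
 | `extra-conf` | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set) | string | |
-| `flakehub` | Log in to FlakeHub to pull private flakes using the GitHub Actions [JSON Web Token](https://jwt.io) (JWT), which is bound to the `api.flakehub.com` audience. | Boolean | `false` |
+| `flakehub` | Deprecated. Implies `determinate`. | Boolean | `false` |
 | `force-docker-shim` | Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary. | Boolean | `false` |
 | `github-token` | A [GitHub token] for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests) | string | `${{ github.token }}` |
 | `github-server-url` | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | string | `${{ github.server }}` |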

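--- a/action.yml
+++ b/action.yml
@@ -7,14 +7,18 @@ inputs:
 backtrace:
 description: The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables)
 required: false
+determinate:
+description: |
+Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.
+default: false
 extra-args:
 description: Extra args to pass to the planner (prefer using structured `with:` arguments unless using a custom planner!)
 required: false
 extra-conf:
 description: Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)
 required: false
 flakehub:
-description: Automatically log in to your [FlakeHub](https://flakehub.com) account, for accessing private flakes.
+description: Deprecated. Implies `determinate`.
 required: false
 default: false
 force-docker-shim: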
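Review bot: The new `determinate` description says the action logs in to FlakeHub but not which credential it uses, while the README row removed in this same commit stated that login goes through the GitHub Actions JWT bound to the `api.flakehub.com` audience. Assuming login still works that way, callers have to grant `id-token: write`, and that belongs in the input's own description, for example `Requires the id-token: write permission; the GitHub Actions JWT is used to log in to FlakeHub.` The new input also omits `required: false`, which the neighbouring inputs all declare. For the deprecated `flakehub` input, a `deprecationMessage:` key would surface a warning in users' logs instead of relying on them reading the description. The `inputs:` mapping continues outside this hunk.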
