Merge pull request #236 from Mic92/nix-2.28.3

Fixes #229.

.editorconfig

@@ -0,0 +1,15 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+
+[LICENSE]
+indent_size = unset

.github/workflows/test.yml

@@ -5,48 +5,68 @@ on:
     branches:
       - master
 
+env:
+  nixpkgs_channel: nixpkgs=channel:nixos-24.11
+  oldest_supported_installer: nix-2.8.0
+
 jobs:
   simple-build:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-20.03
+        nix_path: ${{ env.nixpkgs_channel }}
     - run: nix-env -iA cachix -f https://cachix.org/api/v1/install
     - run: cat /etc/nix/nix.conf
     # cachix should be available and be able to configure a cache
     - run: cachix use cachix
     - run: nix-build test.nix
+
   custom-nix-path:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-20.03
-    - run: test $NIX_PATH == "nixpkgs=channel:nixos-20.03"
+        nix_path: ${{ env.nixpkgs_channel }}
+    - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}'
     - run: nix-build test.nix
 
   extra-nix-config:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-20.03
+        nix_path: ${{ env.nixpkgs_channel }}
         extra_nix_config: |
           sandbox = relaxed
     - run: cat /etc/nix/nix.conf
@@ -54,42 +74,66 @@ jobs:
 
   flakes:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
     - run: nix flake show github:NixOS/nixpkgs
 
-  installer-options:
+  latest-installer:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        include:
+          - os: ubuntu-latest
+            system: x86_64-linux
+          - os: ubuntu-24.04-arm
+            system: aarch64-linux
+          - os: macos-latest
+            system: aarch64-darwin
+          - os: macos-13
+            system: x86_64-darwin
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Run NAR server
+      run: |
+        curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O
+        chmod +x ./nar-toolbox-${{ matrix.system }}
+        ./nar-toolbox-${{ matrix.system }} serve https://cache.nixos.org &
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.05
-        install_options: --tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve
-        install_url: https://nixos-nix-install-tests.cachix.org/serve/s62m7lc0q0mz2mxxm9q0kkrcg90njzhq/install
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install
+        install_options: "--tarball-url-prefix http://localhost:8080"
     - run: nix-build test.nix
 
   oldest-supported-installer:
     strategy:
+      fail-fast: false
       matrix:
-          os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.05
-        install_url: https://releases.nixos.org/nix/nix-2.8.0/install
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://releases.nixos.org/nix/${{ env.oldest_supported_installer }}/install
     - run: nix-build test.nix
 
   act-support:
@@ -98,7 +142,11 @@ jobs:
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
-    - run: docker pull ghcr.io/catthehacker/ubuntu:js-20.04
-    - run: ./bin/act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-20.04 push -j simple-build
+    - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
+    - run: |
+        ./bin/act push \
+          -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-24.04 \
+          -j simple-build \
+          --matrix os:ubuntu-latest

.gitignore

@@ -1,93 +1,2 @@
-__tests__/runner/*
-
-# comment out in distribution branches
-node_modules/
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+.env*

README.md

@@ -6,8 +6,8 @@ Installs [Nix](https://nixos.org/nix/) on GitHub Actions for the supported platf
 
 By default it has no nixpkgs configured, you have to set `nix_path`
 by [picking a channel](https://status.nixos.org/)
-or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs.html)
-(see also [pinning tutorial](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html)).
+or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs)
+(see also [pinning tutorial](https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs)).
 
 # Features
 
@@ -18,7 +18,7 @@ or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs.html)
 - Allows specifying extra Nix configuration options via `extra_nix_config`
 - Allows specifying `$NIX_PATH` and channels via `nix_path`
 - Share `/nix/store` between builds using [cachix-action](https://github.com/cachix/cachix-action) for simple binary cache setup to speed up your builds and share binaries with your team
-- Enables `flakes` and `nix-command` experimental features by default (to disable, set `experimental-features` via `extra_nix_config`)
+- Enables KVM on supported machines: run VMs and NixOS tests with full hardware-acceleration
 
 ## Usage
 
@@ -33,8 +33,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v18
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v31
       with:
         nix_path: nixpkgs=channel:nixos-unstable
     - run: nix-build
@@ -51,8 +51,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v18
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v31
       with:
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
     - run: nix build
@@ -73,6 +73,35 @@ To install Nix from any commit, go to [the corresponding installer_test action](
 
 - `nix_path`: set `NIX_PATH` environment variable, for example `nixpkgs=channel:nixos-unstable`
 
+- `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available.
+
+- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default.
+
+
+## Differences from the default Nix installer
+
+Some settings have been optimised for use in CI environments:
+
+- `nix.conf` settings. Override these defaults with `extra_nix_config`:
+
+  - The experimental `flakes` and `nix-command` features are enabled. Disable by overriding `experimental-features` in `extra_nix_config`.
+
+  - `max-jobs` is set to `auto`.
+
+  - `show-trace` is set to `true`.
+
+  - `$USER` is added to `trusted-users`.
+
+  - `$GITHUB_TOKEN` is added to `access_tokens` if no other `github_access_token` is provided.
+
+  - `always-allow-substitutes` is set to `true`.
+
+  - `ssl-cert-file` is set to `/etc/ssl/cert.pem` on macOS.
+
+- KVM is enabled on Linux if available. Disable by setting `enable_kvm: false`.
+
+- `$TMPDIR` is set to `$RUNNER_TEMP` if empty.
+
 ---
 
 ## FAQ
@@ -84,19 +113,18 @@ To install Nix from any commit, go to [the corresponding installer_test action](
   run: nix-instantiate --eval -E '(import <nixpkgs> {}).lib.version'
 ```
 
-### How can I run NixOS tests?
+### How do I run NixOS tests?
 
 With the following inputs:
 
 ```yaml
 - uses: cachix/install-nix-action@vXX
   with:
+    enable_kvm: true
     extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
 ```
 
-[Note that there's no hardware acceleration on GitHub Actions.](https://github.com/actions/virtual-environments/issues/183#issuecomment-610723516).
-
-### How can I install packages via nix-env from the specified `nix_path`?
+### How do I install packages via nix-env from the specified `nix_path`?
 
 ```
 nix-env -i mypackage -f '<nixpkgs>'
@@ -120,29 +148,85 @@ Otherwise, you can add any binary cache to nix.conf using
 install-nix-action's own `extra_nix_config` input:
 
 ```yaml
-- uses: cachix/install-nix-action@v18
+- uses: cachix/install-nix-action@v31
   with:
     extra_nix_config: |
       trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
       substituters = https://hydra.iohk.io https://cache.nixos.org/
 ```
 
-## Hacking
+### How do I pass environment variables to commands run with `nix develop` or `nix shell`?
 
-Install the dependencies
+Nix runs commands in a restricted environment by default, called `pure mode`.
+In pure mode, environment variables are not passed through to improve the reproducibility of the shell.
 
-```bash
-$ yarn install
+You can use the `--keep / -k` flag to keep certain environment variables:
+
+```yaml
+- name: Run a command with nix develop
+  run: nix develop --ignore-environment --keep MY_ENV_VAR --command echo $MY_ENV_VAR
+  env:
+    MY_ENV_VAR: "hello world"
 ```
 
-Build the typescript
+Or you can disable pure mode entirely with the `--impure` flag:
 
-```bash
-$ yarn build
+```
+nix develop --impure
 ```
 
-Run the tests :heavy_check_mark:
+### How do I pass AWS credentials to the Nix daemon?
 
-```bash
-$ yarn test
+In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access.
+
+There are two ways to pass AWS credentials to the Nix daemon:
+  - Configure a default profile using the AWS CLI
+  - Install Nix in single-user mode
+
+#### Configure a default profile using the AWS CLI
+
+The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file.
+
+We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC:
+
+```yaml
+job:
+  build:
+    runs-on: ubuntu-latest
+    # Required permissions to request AWS credentials
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v31
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role
+      - name: Make AWS Credentials accessible to nix-daemon
+        run: |
+          sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+          sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+          sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}"
+          sudo -i aws configure set region "${AWS_REGION}"
+```
+
+#### Install Nix in single-user mode
+
+In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer.
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store.
+
+This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options.
+
+However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes.
+
+For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`.
+It is not supported on macOS runners, like `macos-latest`.
+
+```yaml
+- uses: cachix/install-nix-action@v31
+  with:
+    install_options: --no-daemon
 ```

RELEASE.md

@@ -0,0 +1,44 @@
+# Release
+
+As of v31, releases of this action follow Semantic Versioning.
+
+### Publishing a new release
+
+#### Publish the release
+
+Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases):
+
+- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver.
+- Click `Generate release notes`.
+- `Set as the latest release` should be selected automatically.
+- Publish release
+
+#### Update the major tag
+
+The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates.
+
+This process follows GitHub's own guidelines:
+https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
+
+##### Fetch the latest tags
+
+```
+git pull --tags --force
+```
+
+##### Move the tag
+
+```
+git tag -fa v31
+```
+```
+git push origin v31 --force
+```
+
+#### Update the release notes for the major tag
+
+Find the release on GitHub: https://github.com/cachix/install-nix-action/releases
+
+Edit the release and click `Generate release notes`.
+Edit the formatting and publish.
+

action.yml

@@ -5,20 +5,28 @@ inputs:
   extra_nix_config:
     description: 'Gets appended to `/etc/nix/nix.conf` if passed.'
   github_access_token:
-    description: 'Configure nix to pull from github using the given github token.'
+    description: 'Configure Nix to pull from GitHub using the given GitHub token.'
   install_url:
     description: 'Installation URL that will contain a script to install Nix.'
   install_options:
     description: 'Additional installer flags passed to the installer script.'
   nix_path:
     description: 'Set NIX_PATH environment variable.'
+  enable_kvm:
+    description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.'
+    required: false
+    default: true
+  set_as_trusted_user:
+    description: 'Add current user to `trusted-users`.'
+    required: false
+    default: true
 branding:
   color: 'blue'
   icon: 'sun'
 runs:
   using: 'composite'
   steps:
-    - run : ${{ github.action_path }}/install-nix.sh
+    - run : ${GITHUB_ACTION_PATH}/install-nix.sh
       shell: bash
       env:
         INPUT_EXTRA_NIX_CONFIG: ${{ inputs.extra_nix_config }}
@@ -26,4 +34,6 @@ runs:
         INPUT_INSTALL_OPTIONS: ${{ inputs.install_options }}
         INPUT_INSTALL_URL: ${{ inputs.install_url }}
         INPUT_NIX_PATH: ${{ inputs.nix_path }}
+        INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }}
+        INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }}
         GITHUB_TOKEN: ${{ github.token }}

install-nix.sh

@@ -1,11 +1,22 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-if type -p nix &>/dev/null ; then
-  echo "Aborting: Nix is already installed at $(type -p nix)"
+if nix_path="$(type -p nix)" ; then
+  echo "Aborting: Nix is already installed at ${nix_path}"
   exit
 fi
 
+if [[ ($OSTYPE =~ linux) && ($INPUT_ENABLE_KVM == 'true') ]]; then
+  enable_kvm() {
+    echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-install-nix-action-kvm.rules
+    sudo udevadm control --reload-rules && sudo udevadm trigger --name-match=kvm
+  }
+
+  echo '::group::Enabling KVM support'
+  enable_kvm && echo 'Enabled KVM' || echo 'KVM is not available'
+  echo '::endgroup::'
+fi
+
 # GitHub command to put the following log messages into a group which is collapsed by default
 echo "::group::Installing Nix"
 
@@ -15,30 +26,47 @@ trap 'rm -rf "$workdir"' EXIT
 
 # Configure Nix
 add_config() {
-  echo "$1" | tee -a "$workdir/nix.conf" >/dev/null
+  echo "$1" >> "$workdir/nix.conf"
 }
+add_config "show-trace = true"
 # Set jobs to number of cores
 add_config "max-jobs = auto"
-# Allow binary caches for user
-add_config "trusted-users = root $USER"
-# Add github access token
+if [[ $OSTYPE =~ darwin ]]; then
+  add_config "ssl-cert-file = /etc/ssl/cert.pem"
+fi
+# Allow binary caches specified at user level
+if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then
+  add_config "trusted-users = root ${USER:-}"
+fi
+# Add a GitHub access token.
+# Token-less access is subject to lower rate limits.
 if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then
+  echo "::debug::Using the provided github_access_token for github.com"
   add_config "access-tokens = github.com=$INPUT_GITHUB_ACCESS_TOKEN"
-elif [[ -n "${GITHUB_TOKEN:-}" ]]; then
+# Use the default GitHub token if available.
+# Skip this step if running an Enterprise instance. The default token there does not work for github.com.
+elif [[ -n "${GITHUB_TOKEN:-}" && $GITHUB_SERVER_URL == "https://github.com" ]]; then
+  echo "::debug::Using the default GITHUB_TOKEN for github.com"
   add_config "access-tokens = github.com=$GITHUB_TOKEN"
+else
+  echo "::debug::Continuing without a GitHub access token"
 fi
 # Append extra nix configuration if provided
-if [[ $INPUT_EXTRA_NIX_CONFIG != "" ]]; then
+if [[ -n "${INPUT_EXTRA_NIX_CONFIG:-}" ]]; then
   add_config "$INPUT_EXTRA_NIX_CONFIG"
 fi
 if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "experimental-features" ]]; then
   add_config "experimental-features = nix-command flakes"
 fi
+# Always allow substituting from the cache, even if the derivation has `allowSubstitutes = false`.
+# This is a CI optimisation to avoid having to download the inputs for already-cached derivations to rebuild trivial text files.
+if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "always-allow-substitutes" ]]; then
+  add_config "always-allow-substitutes = true"
+fi
 
 # Nix installer flags
 installer_options=(
   --no-channel-add
-  --darwin-use-unencrypted-nix-store-volume
   --nix-extra-conf-file "$workdir/nix.conf"
 )
 
@@ -54,10 +82,10 @@ else
   add_config "build-users-group ="
   sudo mkdir -p /etc/nix
   sudo chmod 0755 /etc/nix
-  sudo cp $workdir/nix.conf /etc/nix/nix.conf
+  sudo cp "$workdir/nix.conf" /etc/nix/nix.conf
 fi
 
-if [[ $INPUT_INSTALL_OPTIONS != "" ]]; then
+if [[ -n "${INPUT_INSTALL_OPTIONS:-}" ]]; then
   IFS=' ' read -r -a extra_installer_options <<< "$INPUT_INSTALL_OPTIONS"
   installer_options=("${extra_installer_options[@]}" "${installer_options[@]}")
 fi
@@ -66,7 +94,7 @@ echo "installer options: ${installer_options[*]}"
 
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://nixos.org/nix/install}"
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}"
 do
   sleep 1
   ((curl_retries--))
@@ -78,21 +106,19 @@ done
 
 sh "$workdir/install" "${installer_options[@]}"
 
-if [[ $OSTYPE =~ darwin ]]; then
-  # macOS needs certificates hints
-  cert_file=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
-  echo "NIX_SSL_CERT_FILE=$cert_file" >> "$GITHUB_ENV"
-  export NIX_SSL_CERT_FILE=$cert_file
-  sudo launchctl setenv NIX_SSL_CERT_FILE "$cert_file"
-fi
-
 # Set paths
 echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
-echo "/nix/var/nix/profiles/per-user/$USER/profile/bin" >> "$GITHUB_PATH"
+# new path for nix 2.14
+echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
 
-if [[ $INPUT_NIX_PATH != "" ]]; then
+if [[ -n "${INPUT_NIX_PATH:-}" ]]; then
   echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV"
 fi
 
+# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197
+if [[ -z "${TMPDIR:-}" ]]; then
+  echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV"
+fi
+
 # Close the log message group which was opened above
 echo "::endgroup::"