Merge pull request #236 from Mic92/nix-2.28.3

Fixes #229.

.github/workflows/test.yml

@@ -5,48 +5,68 @@ on:
     branches:
       - master
 
+env:
+  nixpkgs_channel: nixpkgs=channel:nixos-24.11
+  oldest_supported_installer: nix-2.8.0
+
 jobs:
   simple-build:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.11
+        nix_path: ${{ env.nixpkgs_channel }}
     - run: nix-env -iA cachix -f https://cachix.org/api/v1/install
     - run: cat /etc/nix/nix.conf
     # cachix should be available and be able to configure a cache
     - run: cachix use cachix
     - run: nix-build test.nix
+
   custom-nix-path:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-20.03
-    - run: test $NIX_PATH == "nixpkgs=channel:nixos-20.03"
+        nix_path: ${{ env.nixpkgs_channel }}
+    - run: test $NIX_PATH == '${{ env.nixpkgs_channel }}'
     - run: nix-build test.nix
 
   extra-nix-config:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.11
+        nix_path: ${{ env.nixpkgs_channel }}
         extra_nix_config: |
           sandbox = relaxed
     - run: cat /etc/nix/nix.conf
@@ -54,51 +74,79 @@ jobs:
 
   flakes:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
     - run: nix flake show github:NixOS/nixpkgs
 
-  installer-options:
+  latest-installer:
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        include:
+          - os: ubuntu-latest
+            system: x86_64-linux
+          - os: ubuntu-24.04-arm
+            system: aarch64-linux
+          - os: macos-latest
+            system: aarch64-darwin
+          - os: macos-13
+            system: x86_64-darwin
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Run NAR server
+      run: |
+        curl --location https://github.com/cachix/nar-toolbox/releases/download/v0.1.0/nar-toolbox-${{ matrix.system }} -O
+        chmod +x ./nar-toolbox-${{ matrix.system }}
+        ./nar-toolbox-${{ matrix.system }} serve https://cache.nixos.org &
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.11
-        install_options: --tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve
-        install_url: https://nixos-nix-install-tests.cachix.org/serve/s62m7lc0q0mz2mxxm9q0kkrcg90njzhq/install
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://hydra.nixos.org/job/nix/master/installerScript/latest-finished/download/1/install
+        install_options: "--tarball-url-prefix http://localhost:8080"
     - run: nix-build test.nix
 
   oldest-supported-installer:
     strategy:
-        matrix:
-          os: [ubuntu-latest, macos-latest]
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-latest
+        - ubuntu-24.04-arm
+        - macos-latest
+        - macos-13
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Nix
       uses: ./
       with:
-        nix_path: nixpkgs=channel:nixos-22.11
-        install_url: https://releases.nixos.org/nix/nix-2.8.0/install
+        nix_path: ${{ env.nixpkgs_channel }}
+        install_url: https://releases.nixos.org/nix/${{ env.oldest_supported_installer }}/install
     - run: nix-build test.nix
 
   act-support:
     strategy:
-        matrix:
-          os: [ubuntu-latest]
+      matrix:
+        os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - run: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
-    - run: docker pull ghcr.io/catthehacker/ubuntu:js-20.04
-    - run: ./bin/act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-20.04 push -j simple-build
+    - run: docker pull ghcr.io/catthehacker/ubuntu:js-24.04
+    - run: |
+        ./bin/act push \
+          -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-24.04 \
+          -j simple-build \
+          --matrix os:ubuntu-latest

.gitignore

@@ -1,93 +1,2 @@
-__tests__/runner/*
-
-# comment out in distribution branches
-node_modules/
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
+.env*

README.md

@@ -18,7 +18,7 @@ or [pin nixpkgs yourself](https://nix.dev/reference/pinning-nixpkgs)
 - Allows specifying extra Nix configuration options via `extra_nix_config`
 - Allows specifying `$NIX_PATH` and channels via `nix_path`
 - Share `/nix/store` between builds using [cachix-action](https://github.com/cachix/cachix-action) for simple binary cache setup to speed up your builds and share binaries with your team
-- Enables `flakes` and `nix-command` experimental features by default (to disable, set `experimental-features` via `extra_nix_config`)
+- Enables KVM on supported machines: run VMs and NixOS tests with full hardware-acceleration
 
 ## Usage
 
@@ -33,8 +33,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v22
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v31
       with:
         nix_path: nixpkgs=channel:nixos-unstable
     - run: nix-build
@@ -51,8 +51,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v22
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v31
       with:
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
     - run: nix build
@@ -73,6 +73,35 @@ To install Nix from any commit, go to [the corresponding installer_test action](
 
 - `nix_path`: set `NIX_PATH` environment variable, for example `nixpkgs=channel:nixos-unstable`
 
+- `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available.
+
+- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default.
+
+
+## Differences from the default Nix installer
+
+Some settings have been optimised for use in CI environments:
+
+- `nix.conf` settings. Override these defaults with `extra_nix_config`:
+
+  - The experimental `flakes` and `nix-command` features are enabled. Disable by overriding `experimental-features` in `extra_nix_config`.
+
+  - `max-jobs` is set to `auto`.
+
+  - `show-trace` is set to `true`.
+
+  - `$USER` is added to `trusted-users`.
+
+  - `$GITHUB_TOKEN` is added to `access_tokens` if no other `github_access_token` is provided.
+
+  - `always-allow-substitutes` is set to `true`.
+
+  - `ssl-cert-file` is set to `/etc/ssl/cert.pem` on macOS.
+
+- KVM is enabled on Linux if available. Disable by setting `enable_kvm: false`.
+
+- `$TMPDIR` is set to `$RUNNER_TEMP` if empty.
+
 ---
 
 ## FAQ
@@ -91,11 +120,10 @@ With the following inputs:
 ```yaml
 - uses: cachix/install-nix-action@vXX
   with:
+    enable_kvm: true
     extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
 ```
 
-[Note that there's no hardware acceleration on GitHub Actions.](https://github.com/actions/virtual-environments/issues/183#issuecomment-610723516).
-
 ### How do I install packages via nix-env from the specified `nix_path`?
 
 ```
@@ -120,7 +148,7 @@ Otherwise, you can add any binary cache to nix.conf using
 install-nix-action's own `extra_nix_config` input:
 
 ```yaml
-- uses: cachix/install-nix-action@v22
+- uses: cachix/install-nix-action@v31
   with:
     extra_nix_config: |
       trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
@@ -146,3 +174,59 @@ Or you can disable pure mode entirely with the `--impure` flag:
 ```
 nix develop --impure
 ```
+
+### How do I pass AWS credentials to the Nix daemon?
+
+In multi-user mode, Nix commands that operate on the Nix store are forwarded to a privileged daemon. This daemon runs in a separate context from your GitHub Actions workflow and cannot access the workflow's environment variables. Consequently, any secrets or credentials defined in your workflow environment will not be available to Nix operations that require store access.
+
+There are two ways to pass AWS credentials to the Nix daemon:
+  - Configure a default profile using the AWS CLI
+  - Install Nix in single-user mode
+
+#### Configure a default profile using the AWS CLI
+
+The Nix daemon supports reading AWS credentials from the `~/.aws/credentials` file.
+
+We can use the AWS CLI to configure a default profile using short-lived credentials fetched using OIDC:
+
+```yaml
+job:
+  build:
+    runs-on: ubuntu-latest
+    # Required permissions to request AWS credentials
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v31
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role
+      - name: Make AWS Credentials accessible to nix-daemon
+        run: |
+          sudo -i aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+          sudo -i aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+          sudo -i aws configure set aws_session_token "${AWS_SESSION_TOKEN}"
+          sudo -i aws configure set region "${AWS_REGION}"
+```
+
+#### Install Nix in single-user mode
+
+In some environments it may be possible to install Nix in single-user mode by passing the `--no-daemon` flag to the installer.
+This mode is normally used on platforms without an init system, like systemd, and in containerized environments with a single user that can own the entire Nix store.
+
+This approach is more generic as it allows passing environment variables directly to Nix, including secrets, proxy settings, and other configuration options.
+
+However, it may not be suitable for all environments. [Consult the Nix manual](https://nix.dev/manual/nix/latest/installation/nix-security) for the latest restrictions and differences between the two modes.
+
+For example, single-user mode is currently supported on hosted Linux GitHub runners, like `ubuntu-latest`.
+It is not supported on macOS runners, like `macos-latest`.
+
+```yaml
+- uses: cachix/install-nix-action@v31
+  with:
+    install_options: --no-daemon
+```

RELEASE.md

@@ -0,0 +1,44 @@
+# Release
+
+As of v31, releases of this action follow Semantic Versioning.
+
+### Publishing a new release
+
+#### Publish the release
+
+Draft [a new release on GitHub](https://github.com/cachix/install-nix-action/releases):
+
+- In `Choose a tag`, create a new tag, like `v31.2.1`, following semver.
+- Click `Generate release notes`.
+- `Set as the latest release` should be selected automatically.
+- Publish release
+
+#### Update the major tag
+
+The major tag, like `v31`, allows downstream users to opt-in to automatic non-breaking updates.
+
+This process follows GitHub's own guidelines:
+https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
+
+##### Fetch the latest tags
+
+```
+git pull --tags --force
+```
+
+##### Move the tag
+
+```
+git tag -fa v31
+```
+```
+git push origin v31 --force
+```
+
+#### Update the release notes for the major tag
+
+Find the release on GitHub: https://github.com/cachix/install-nix-action/releases
+
+Edit the release and click `Generate release notes`.
+Edit the formatting and publish.
+

action.yml

@@ -5,13 +5,21 @@ inputs:
   extra_nix_config:
     description: 'Gets appended to `/etc/nix/nix.conf` if passed.'
   github_access_token:
-    description: 'Configure nix to pull from github using the given github token.'
+    description: 'Configure Nix to pull from GitHub using the given GitHub token.'
   install_url:
     description: 'Installation URL that will contain a script to install Nix.'
   install_options:
     description: 'Additional installer flags passed to the installer script.'
   nix_path:
     description: 'Set NIX_PATH environment variable.'
+  enable_kvm:
+    description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.'
+    required: false
+    default: true
+  set_as_trusted_user:
+    description: 'Add current user to `trusted-users`.'
+    required: false
+    default: true
 branding:
   color: 'blue'
   icon: 'sun'
@@ -26,4 +34,6 @@ runs:
         INPUT_INSTALL_OPTIONS: ${{ inputs.install_options }}
         INPUT_INSTALL_URL: ${{ inputs.install_url }}
         INPUT_NIX_PATH: ${{ inputs.nix_path }}
+        INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }}
+        INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }}
         GITHUB_TOKEN: ${{ github.token }}

install-nix.sh

@@ -6,6 +6,17 @@ if nix_path="$(type -p nix)" ; then
   exit
 fi
 
+if [[ ($OSTYPE =~ linux) && ($INPUT_ENABLE_KVM == 'true') ]]; then
+  enable_kvm() {
+    echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-install-nix-action-kvm.rules
+    sudo udevadm control --reload-rules && sudo udevadm trigger --name-match=kvm
+  }
+
+  echo '::group::Enabling KVM support'
+  enable_kvm && echo 'Enabled KVM' || echo 'KVM is not available'
+  echo '::endgroup::'
+fi
+
 # GitHub command to put the following log messages into a group which is collapsed by default
 echo "::group::Installing Nix"
 
@@ -23,13 +34,22 @@ add_config "max-jobs = auto"
 if [[ $OSTYPE =~ darwin ]]; then
   add_config "ssl-cert-file = /etc/ssl/cert.pem"
 fi
-# Allow binary caches for user
-add_config "trusted-users = root ${USER:-}"
-# Add github access token
+# Allow binary caches specified at user level
+if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then
+  add_config "trusted-users = root ${USER:-}"
+fi
+# Add a GitHub access token.
+# Token-less access is subject to lower rate limits.
 if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then
+  echo "::debug::Using the provided github_access_token for github.com"
   add_config "access-tokens = github.com=$INPUT_GITHUB_ACCESS_TOKEN"
-elif [[ -n "${GITHUB_TOKEN:-}" ]]; then
+# Use the default GitHub token if available.
+# Skip this step if running an Enterprise instance. The default token there does not work for github.com.
+elif [[ -n "${GITHUB_TOKEN:-}" && $GITHUB_SERVER_URL == "https://github.com" ]]; then
+  echo "::debug::Using the default GITHUB_TOKEN for github.com"
   add_config "access-tokens = github.com=$GITHUB_TOKEN"
+else
+  echo "::debug::Continuing without a GitHub access token"
 fi
 # Append extra nix configuration if provided
 if [[ -n "${INPUT_EXTRA_NIX_CONFIG:-}" ]]; then
@@ -38,11 +58,15 @@ fi
 if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "experimental-features" ]]; then
   add_config "experimental-features = nix-command flakes"
 fi
+# Always allow substituting from the cache, even if the derivation has `allowSubstitutes = false`.
+# This is a CI optimisation to avoid having to download the inputs for already-cached derivations to rebuild trivial text files.
+if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "always-allow-substitutes" ]]; then
+  add_config "always-allow-substitutes = true"
+fi
 
 # Nix installer flags
 installer_options=(
   --no-channel-add
-  --darwin-use-unencrypted-nix-store-volume
   --nix-extra-conf-file "$workdir/nix.conf"
 )
 
@@ -70,7 +94,7 @@ echo "installer options: ${installer_options[*]}"
 
 # There is --retry-on-errors, but only newer curl versions support that
 curl_retries=5
-while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.17.0/install}"
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.28.3/install}"
 do
   sleep 1
   ((curl_retries--))
@@ -91,5 +115,10 @@ if [[ -n "${INPUT_NIX_PATH:-}" ]]; then
   echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV"
 fi
 
+# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197
+if [[ -z "${TMPDIR:-}" ]]; then
+  echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV"
+fi
+
 # Close the log message group which was opened above
 echo "::endgroup::"