Don't leak file handles

* Update `detsys-ts` for: `Ignore hyphen-sep'd diags (#83)` (`07c7fc924119a8d9879c1c164ae593049d47f648`)

* Wait for the socket to appear

* ...

---------

Co-authored-by: grahamc <76716+grahamc@users.noreply.github.com>
Co-authored-by: Graham Christensen <graham@grahamc.com>

.editorconfig

@@ -0,0 +1,10 @@
+# https://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.eslintrc.json

@@ -29,6 +29,7 @@
         "accessibility": "no-public"
       }
     ],
+    "@typescript-eslint/no-base-to-string": "error",
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",

.github/verify-version.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# This script verifies that the version of Nix installed on the runner
+# matches the version supplied in the first argument.
+
+EXPECTED_VERSION="${1}"
+
+INSTALLED_NIX_VERSION_OUTPUT=$(nix --version)
+INSTALLED_NIX_VERSION=$(echo "${INSTALLED_NIX_VERSION_OUTPUT}" | awk '{print $NF}')
+EXPECTED_OUTPUT="nix (Nix) ${EXPECTED_VERSION}"
+
+if [ "${INSTALLED_NIX_VERSION_OUTPUT}" != "${EXPECTED_OUTPUT}" ]; then
+  echo "Nix version ${INSTALLED_NIX_VERSION} didn't match expected version ${EXPECTED_VERSION}"
+  exit 1
+else
+  echo "Success! Nix version ${INSTALLED_NIX_VERSION} installed as expected"
+  exit 0
+fi

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   pull_request:
   push:
-    branches: [main]
+    branches: [main, curl-data]
   workflow_dispatch:
 
 jobs:
@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/flakehub-cache-action@main
       - name: pnpm install
         run: nix develop --command pnpm install
       - name: prettier format
@@ -28,14 +28,16 @@ jobs:
         run: git status --porcelain=v1
       - name: Ensure no staged changes
         run: git diff --exit-code
-  run-test-suite:
-    name: Run test suite
+
+  install-nix:
+    name: "Test: ${{ matrix.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
     strategy:
+      fail-fast: false
       matrix:
         runner:
           - ubuntu-latest
-          - nscloud-ubuntu-22.04-amd64-4x16
-          - namespace-profile-default-arm64
+        determinate:
+          - true
     runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
@@ -48,6 +50,14 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
+        # - name: Breakpoint if tests failed
+        #   uses: namespacelabs/breakpoint-action@v0
+        #   with:
+        #     duration: 30m
+        #     authorized-users: grahamc
+
       - name: echo $PATH
         run: echo $PATH
 
@@ -65,81 +75,6 @@ jobs:
           nix store gc
           nix run nixpkgs#hello
 
-      - name: Test bash
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: bash --login {0}
-      - name: Test sh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: sh -l {0}
-      - name: Install Nix again (noop)
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Reinstall Nix
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-          reinstall: true
-          extra-conf: |
-            use-sqlite-wal = true
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Verify the generated nix.conf
-        run: |
-          cat -n /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
-        with:
-          duration: 5m
-          authorized-users: grahamc
-
-  run-x86_64-darwin:
-    name: Run x86_64 Darwin
-    runs-on: macos-12
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install Nix
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-      - name: echo $PATH
-        run: echo $PATH
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
       - name: Test bash
         run: nix-instantiate -E 'builtins.currentTime' --eval
         if: success() || failure()
@@ -149,15 +84,16 @@ jobs:
         if: success() || failure()
         shell: sh -l {0}
       - name: Test zsh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
+        run: if (zsh --help > /dev/null); then zsh --login --interactive -c "nix-instantiate -E 'builtins.currentTime' --eval"; fi
         if: success() || failure()
-        shell: zsh --login --interactive {0}
       - name: Install Nix again (noop)
         uses: ./
         with:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -175,6 +111,8 @@ jobs:
           reinstall: true
           extra-conf: |
             use-sqlite-wal = true
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -185,12 +123,7 @@ jobs:
           nix run nixpkgs#hello
       - name: Verify the generated nix.conf
         run: |
-          cat /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
-        with:
-          duration: 5m
-          authorized-users: grahamc
+          nix config show
+          cat -n /etc/nix/nix.conf
+          nix config show | grep -E "^trusted-users = .*$USER"
+          nix config show | grep -E "^use-sqlite-wal = true"

README.md

@@ -34,7 +34,7 @@ jobs:
 
 ### With FlakeHub
 
-To fetch private flakes from FlakeHub, update the `permissions` block and pass `flakehub: true`:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and pass `determinate: true`:
 
 ```yaml
 on:
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
         with:
-          flakehub: true
+          determinate: true
       - run: nix build .
 ```
 
@@ -85,9 +85,10 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | Parameter               | Description                                                                                                                                                                                                                                                                    | Type                                       | Default                                                        |
 | :---------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :------------------------------------------------------------- |
 | `backtrace`             | The setting for [`RUST_BACKTRACE`][backtrace]                                                                                                                                                                                                                                  | string                                     |                                                                |
+| `determinate`           | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.                                                                                                                                      | Boolean                                    | `false`                                                        |
 | `extra-args`            | Extra arguments to pass to the planner (prefer using structured `with:` arguments unless using a custom [planner]!)                                                                                                                                                            | string                                     |                                                                |
 | `extra-conf`            | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)                                                                                                                                | string                                     |                                                                |
-| `flakehub`              | Log in to FlakeHub to pull private flakes using the GitHub Actions [JSON Web Token](https://jwt.io) (JWT), which is bound to the `api.flakehub.com` audience.                                                                                                                  | Boolean                                    | `false`                                                        |
+| `flakehub`              | Deprecated. Implies `determinate`.                                                                                                                                                                                                                                             | Boolean                                    | `false`                                                        |
 | `force-docker-shim`     | Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.                                                                                                                                                                         | Boolean                                    | `false`                                                        |
 | `github-token`          | A [GitHub token] for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)                                                                                                                                                        | string                                     | `${{ github.token }}`                                          |
 | `github-server-url`     | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | string                                     | `${{ github.server }}`                                         |
@@ -110,7 +111,7 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | `source-pr`             | The pull request of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, and `source-branch`)                                                                                                                                                               | integer                                    |                                                                |
 | `source-revision`       | The revision of `nix-installer` to use (conflicts with `source-tag`, `source-branch`, and `source-pr`)                                                                                                                                                                         | string                                     |                                                                |
 | `source-tag`            | The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)                                                                                                                                                                             | string                                     |                                                                |
-| `source-url`            | A URL pointing to a `nix-installer.sh` script                                                                                                                                                                                                                                  | URL                                        | `https://install.determinate.systems/nix`                      |
+| `source-url`            | A URL pointing to the `nix-installer` binary                                                                                                                                                                                                                                   | URL                                        | n/a (calculated)                                               |
 | `nix-package-url`       | The Nix package URL                                                                                                                                                                                                                                                            | URL                                        |                                                                |
 | `planner`               | The installation [planner] to use                                                                                                                                                                                                                                              | enum (`linux` or `macos`)                  |                                                                |
 | `reinstall`             | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`)                                                                                                                                                                                   | Boolean                                    | `false`                                                        |

action.yml

@@ -7,6 +7,10 @@ inputs:
   backtrace:
     description: The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables)
     required: false
+  determinate:
+    description: |
+      Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.
+    default: false
   extra-args:
     description: Extra args to pass to the planner (prefer using structured `with:` arguments unless using a custom planner!)
     required: false
@@ -14,11 +18,12 @@ inputs:
     description: Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)
     required: false
   flakehub:
-    description: Automatically log in to your [FlakeHub](https://flakehub.com) account, for accessing private flakes.
+    description: Deprecated. Implies `determinate`.
     required: false
     default: false
   force-docker-shim:
     description: Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.
+    required: false
     default: false
   github-token:
     description: A GitHub token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)
@@ -29,6 +34,9 @@ inputs:
   init:
     description: "The init system to configure, requires `planner: linux-multi` (allowing the choice between `none` or `systemd`)"
     required: false
+  job-status:
+    description: The overall status of the job. Set automatically, for aggregate analysis of Nix stability.
+    default: ${{ job.status }}
   kvm:
     description: Automatically configure the GitHub Actions Runner for NixOS test supports, if the host supports it.
     required: false
@@ -79,6 +87,9 @@ inputs:
   nix-build-user-prefix:
     description: The Nix build user prefix (user numbers will be postfixed)
     required: false
+  source-binary:
+    description: Run a version of the nix-installer binary from somewhere already on disk. Conflicts with all other `source-*` options. Intended only for testing this Action.
+    required: false
   source-branch:
     description: The branch of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-pr`)
     required: false
@@ -92,7 +103,7 @@ inputs:
     description: The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)
     required: false
   source-url:
-    description: A URL pointing to a `nix-installer.sh` script
+    description: A URL pointing to a `nix-installer` executable
     required: false
   nix-package-url:
     description: The Nix package URL
@@ -110,10 +121,11 @@ inputs:
     default: true
   diagnostic-endpoint:
     description: "Diagnostic endpoint url where the installer sends data to. To disable set this to an empty string."
-    default: "https://install.determinate.systems/nix-installer/diagnostic"
+    required: false
+    default: "-"
   trust-runner-user:
     description: Whether to make the runner user trusted by the Nix daemon
-    default: "true"
+    default: true
   nix-installer-branch:
     description: (deprecated) The branch of `nix-installer` to use (conflicts with `nix-installer-tag`, `nix-installer-revision`, `nix-installer-pr`)
     required: false
@@ -129,6 +141,10 @@ inputs:
   nix-installer-url:
     description: (deprecated) A URL pointing to a `nix-installer.sh` script
     required: false
+  _internal-strict-mode:
+    description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
+    required: false
+    default: false
 
 runs:
   using: "node20"

package.json

@@ -25,25 +25,26 @@
   },
   "homepage": "https://github.com/DeterminateSystems/nix-installer-action#readme",
   "dependencies": {
-    "@actions/core": "^1.10.1",
+    "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.0",
     "detsys-ts": "github:DeterminateSystems/detsys-ts",
+    "got": "^14.4.6",
     "string-argv": "^0.3.2"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.12.11",
+    "@types/node": "^20.17.28",
     "@types/uuid": "^9.0.8",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-import-resolver-typescript": "^3.6.1",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^8.57.1",
+    "eslint-import-resolver-typescript": "^3.10.0",
     "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-prettier": "^5.1.3",
-    "prettier": "^3.2.5",
-    "tsup": "^8.0.2",
-    "typescript": "^5.4.5"
+    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-prettier": "^5.2.5",
+    "prettier": "^3.5.3",
+    "tsup": "^8.4.0",
+    "typescript": "^5.8.2"
   }
 }