Update detsys-ts for: Merge pull request #63 from DeterminateSystems/retry-streams (65dd73c562ac60a068340f8e0c040bdcf2c59afe) (#120)

Co-authored-by: grahamc <76716+grahamc@users.noreply.github.com>

.editorconfig

@@ -0,0 +1,10 @@
+# https://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.eslintrc.json

@@ -29,6 +29,7 @@
         "accessibility": "no-public"
       }
     ],
+    "@typescript-eslint/no-base-to-string": "error",
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",

.github/verify-version.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# This script verifies that the version of Nix installed on the runner
+# matches the version supplied in the first argument.
+
+EXPECTED_VERSION="${1}"
+
+INSTALLED_NIX_VERSION_OUTPUT=$(nix --version)
+INSTALLED_NIX_VERSION=$(echo "${INSTALLED_NIX_VERSION_OUTPUT}" | awk '{print $NF}')
+EXPECTED_OUTPUT="nix (Nix) ${EXPECTED_VERSION}"
+
+if [ "${INSTALLED_NIX_VERSION_OUTPUT}" != "${EXPECTED_OUTPUT}" ]; then
+  echo "Nix version ${INSTALLED_NIX_VERSION} didn't match expected version ${EXPECTED_VERSION}"
+  exit 1
+else
+  echo "Success! Nix version ${INSTALLED_NIX_VERSION} installed as expected"
+  exit 0
+fi

.github/workflows/ci.yml

@@ -7,6 +7,21 @@ on:
   workflow_dispatch:
 
 jobs:
+  tests:
+    runs-on: ubuntu-22.04
+    needs:
+      - check-dist-up-to-date
+      - install-nix-linux
+      - install-nix-macos
+      - install-with-non-default-source-inputs
+    # NOTE(cole-h): GitHub treats "skipped" as "OK" for the purposes of required checks on branch
+    # protection, so we take advantage of this fact and fail if any of the dependent actions failed,
+    # or "skip" (which is a success for GHA's purposes) if none of them did.
+    if: failure()
+    steps:
+      - name: Dependent checks failed
+        run: exit 1
+
   check-dist-up-to-date:
     name: Check the dist/ folder is up to date
     runs-on: ubuntu-22.04
@@ -28,8 +43,9 @@ jobs:
         run: git status --porcelain=v1
       - name: Ensure no staged changes
         run: git diff --exit-code
-  run-test-suite:
-    name: Run test suite
+
+  install-nix-linux:
+    name: Run test suite for Linux systems
     strategy:
       matrix:
         runner:
@@ -48,6 +64,7 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
       - name: echo $PATH
         run: echo $PATH
 
@@ -79,6 +96,7 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -96,6 +114,7 @@ jobs:
           reinstall: true
           extra-conf: |
             use-sqlite-wal = true
+          _internal-strict-mode: true
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -109,16 +128,17 @@ jobs:
           cat -n /etc/nix/nix.conf
           grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
           grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
-        with:
-          duration: 5m
-          authorized-users: grahamc
 
-  run-x86_64-darwin:
-    name: Run x86_64 Darwin
-    runs-on: macos-12
+  install-nix-macos:
+    name: Run test suite for macOS systems
+    strategy:
+      matrix:
+        runner:
+          # x86_64-darwin
+          - macos-12
+          # aarch64-darwin
+          - macos-latest-xlarge
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       id-token: write
@@ -130,6 +150,7 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
       - name: echo $PATH
         run: echo $PATH
       - name: Test `nix` with `$GITHUB_PATH`
@@ -158,6 +179,7 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -175,6 +197,7 @@ jobs:
           reinstall: true
           extra-conf: |
             use-sqlite-wal = true
+          _internal-strict-mode: true
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -188,9 +211,28 @@ jobs:
           cat /etc/nix/nix.conf
           grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
           grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
+
+  install-with-non-default-source-inputs:
+    name: Install Nix using non-default source-${{ matrix.inputs.key }}
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        inputs:
+          # https://github.com/DeterminateSystems/nix-installer/blob/v0.18.0
+          - key: url
+            value: https://github.com/DeterminateSystems/nix-installer/releases/download/v0.18.0/nix-installer-x86_64-linux
+            nix-version: "2.21.2"
+          # https://github.com/DeterminateSystems/nix-installer/tree/7011c077ec491da410fbc39f68676b0908b9ce7e
+          - key: revision
+            value: 7011c077ec491da410fbc39f68676b0908b9ce7e
+            nix-version: "2.19.2"
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install with alternative source-${{ matrix.inputs.key }}
+        uses: ./
         with:
-          duration: 5m
-          authorized-users: grahamc
+          source-${{ matrix.inputs.key }}: ${{ matrix.inputs.value }}
+          _internal-strict-mode: true
+      - name: Ensure that the expected Nix version ${{ matrix.inputs.nix-version }} is installed via alternative source-${{ matrix.inputs.key }}
+        run: .github/verify-version.sh ${{ matrix.inputs.nix-version }}

README.md

@@ -110,7 +110,7 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | `source-pr`             | The pull request of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, and `source-branch`)                                                                                                                                                               | integer                                    |                                                                |
 | `source-revision`       | The revision of `nix-installer` to use (conflicts with `source-tag`, `source-branch`, and `source-pr`)                                                                                                                                                                         | string                                     |                                                                |
 | `source-tag`            | The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)                                                                                                                                                                             | string                                     |                                                                |
-| `source-url`            | A URL pointing to a `nix-installer.sh` script                                                                                                                                                                                                                                  | URL                                        | `https://install.determinate.systems/nix`                      |
+| `source-url`            | A URL pointing to the `nix-installer` binary                                                                                                                                                                                                                                   | URL                                        | n/a (calculated)                                               |
 | `nix-package-url`       | The Nix package URL                                                                                                                                                                                                                                                            | URL                                        |                                                                |
 | `planner`               | The installation [planner] to use                                                                                                                                                                                                                                              | enum (`linux` or `macos`)                  |                                                                |
 | `reinstall`             | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`)                                                                                                                                                                                   | Boolean                                    | `false`                                                        |

action.yml

@@ -19,6 +19,7 @@ inputs:
     default: false
   force-docker-shim:
     description: Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.
+    required: false
     default: false
   github-token:
     description: A GitHub token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)
@@ -79,6 +80,9 @@ inputs:
   nix-build-user-prefix:
     description: The Nix build user prefix (user numbers will be postfixed)
     required: false
+  source-binary:
+    description: Run a version of the nix-installer binary from somewhere already on disk. Conflicts with all other `source-*` options. Intended only for testing this Action.
+    required: false
   source-branch:
     description: The branch of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-pr`)
     required: false
@@ -92,7 +96,7 @@ inputs:
     description: The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)
     required: false
   source-url:
-    description: A URL pointing to a `nix-installer.sh` script
+    description: A URL pointing to a `nix-installer` executable
     required: false
   nix-package-url:
     description: The Nix package URL
@@ -110,10 +114,11 @@ inputs:
     default: true
   diagnostic-endpoint:
     description: "Diagnostic endpoint url where the installer sends data to. To disable set this to an empty string."
-    default: "https://install.determinate.systems/nix-installer/diagnostic"
+    required: false
+    default: "-"
   trust-runner-user:
     description: Whether to make the runner user trusted by the Nix daemon
-    default: "true"
+    default: true
   nix-installer-branch:
     description: (deprecated) The branch of `nix-installer` to use (conflicts with `nix-installer-tag`, `nix-installer-revision`, `nix-installer-pr`)
     required: false
@@ -129,6 +134,10 @@ inputs:
   nix-installer-url:
     description: (deprecated) A URL pointing to a `nix-installer.sh` script
     required: false
+  _internal-strict-mode:
+    description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
+    required: false
+    default: false
 
 runs:
   using: "node20"

package.json

@@ -29,21 +29,22 @@
     "@actions/exec": "^1.1.1",
     "@actions/github": "^5.1.1",
     "detsys-ts": "github:DeterminateSystems/detsys-ts",
+    "got": "^14.3.0",
     "string-argv": "^0.3.2"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.12.11",
+    "@types/node": "^20.14.0",
     "@types/uuid": "^9.0.8",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
+    "@typescript-eslint/eslint-plugin": "^7.12.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
     "eslint-import-resolver-typescript": "^3.6.1",
     "eslint-plugin-github": "^4.10.2",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-prettier": "^5.1.3",
-    "prettier": "^3.2.5",
-    "tsup": "^8.0.2",
+    "prettier": "^3.3.0",
+    "tsup": "^8.1.0",
     "typescript": "^5.4.5"
   }
 }

src/index.ts

@@ -1,14 +1,15 @@
 import * as actionsCore from "@actions/core";
 import * as github from "@actions/github";
 import * as actionsExec from "@actions/exec";
-import { access, writeFile, readFile } from "node:fs/promises";
+import { access, writeFile, readFile, mkdir } from "node:fs/promises";
 import { join } from "node:path";
 import fs from "node:fs";
 import { userInfo } from "node:os";
 import stringArgv from "string-argv";
 import * as path from "path";
-import { IdsToolbox, inputs, platform } from "detsys-ts";
+import { DetSysAction, inputs, platform, stringifyError } from "detsys-ts";
 import { randomUUID } from "node:crypto";
+import got from "got";
 
 // Nix installation events
 const EVENT_INSTALL_NIX_FAILURE = "install_nix_failure";
@@ -30,12 +31,18 @@ const EVENT_CONCLUDE_WORKFLOW = "conclude_workflow";
 // Facts
 const FACT_HAS_DOCKER = "has_docker";
 const FACT_HAS_SYSTEMD = "has_systemd";
-const FACT_IN_GITHUB_ACTIONS = "in_act";
+const FACT_IN_ACT = "in_act";
 const FACT_IN_NAMESPACE_SO = "in_namespace_so";
 const FACT_NIX_INSTALLER_PLANNER = "nix_installer_planner";
 
-class NixInstallerAction {
-  idslib: IdsToolbox;
+type WorkflowConclusion =
+  | "success"
+  | "failure"
+  | "cancelled"
+  | "unavailable"
+  | "no-jobs";
+
+class NixInstallerAction extends DetSysAction {
   platform: string;
   nixPackageUrl: string | null;
   backtrace: string | null;
@@ -45,7 +52,7 @@ class NixInstallerAction {
   kvm: boolean;
   githubServerUrl: string | null;
   githubToken: string | null;
-  forceDockerShim: boolean | null;
+  forceDockerShim: boolean;
   init: string | null;
   localRoot: string | null;
   logDirectives: string | null;
@@ -65,14 +72,16 @@ class NixInstallerAction {
   planner: string | null;
   reinstall: boolean;
   startDaemon: boolean;
-  trustRunnerUser: boolean | null;
+  trustRunnerUser: boolean;
+  runnerOs: string | undefined;
 
   constructor() {
-    this.idslib = new IdsToolbox({
+    super({
       name: "nix-installer",
       fetchStyle: "nix-style",
       legacySourcePrefix: "nix-installer",
       requireNix: "ignore",
+      diagnosticsSuffix: "diagnostic",
     });
 
     this.platform = platform.getNixPlatform(platform.getArchOs());
@@ -105,15 +114,82 @@ class NixInstallerAction {
     this.reinstall = inputs.getBool("reinstall");
     this.startDaemon = inputs.getBool("start-daemon");
     this.trustRunnerUser = inputs.getBool("trust-runner-user");
+    this.runnerOs = process.env["RUNNER_OS"];
   }
 
-  async detectAndForceDockerShim(): Promise<void> {
-    const runnerOs = process.env["RUNNER_OS"];
+  async main(): Promise<void> {
+    await this.scienceDebugFly();
+    await this.detectAndForceDockerShim();
+    await this.install();
+  }
 
-    // Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
-    // This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
-    // and especially GitHub Enterprise Server.
-    if (runnerOs !== "Linux") {
+  async post(): Promise<void> {
+    await this.cleanupDockerShim();
+    await this.reportOverall();
+  }
+
+  private get isMacOS(): boolean {
+    return this.runnerOs === "macOS";
+  }
+
+  private get isLinux(): boolean {
+    return this.runnerOs === "Linux";
+  }
+
+  private get isRunningInAct(): boolean {
+    return process.env["ACT"] !== undefined && !(process.env["NOT_ACT"] === "");
+  }
+
+  private get isRunningInNamespaceRunner(): boolean {
+    return (
+      process.env["NSC_VM_ID"] !== undefined &&
+      !(process.env["NOT_NAMESPACE"] === "true")
+    );
+  }
+
+  async scienceDebugFly(): Promise<void> {
+    try {
+      const feat = this.getFeature("debug-probe-urls");
+      if (feat === undefined || feat.payload === undefined) {
+        return;
+      }
+
+      const { timeoutMs, url }: { timeoutMs: number; url: string } = JSON.parse(
+        feat.payload,
+      );
+      try {
+        const resp = await got.get(url, {
+          timeout: {
+            request: timeoutMs,
+          },
+        });
+
+        this.recordEvent("debug-probe-urls:response", {
+          debug_probe_urls_ip: resp.ip, // eslint-disable-line camelcase
+          debug_probe_urls_ok: resp.ok, // eslint-disable-line camelcase
+          debug_probe_urls_status_code: resp.statusCode, // eslint-disable-line camelcase
+          debug_probe_urls_body: resp.body, // eslint-disable-line camelcase
+          // eslint-disable-next-line camelcase
+          debug_probe_urls_elapsed:
+            (resp.timings.end ?? 0) - resp.timings.start,
+        });
+      } catch (e: unknown) {
+        this.recordEvent("debug-probe-urls:exception", {
+          debug_probe_urls_exception: stringifyError(e), // eslint-disable-line camelcase
+        });
+      }
+    } catch (err: unknown) {
+      this.recordEvent("debug-probe-urls:error", {
+        exception: stringifyError(err),
+      });
+    }
+  }
+
+  // Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
+  // This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
+  // and especially GitHub Enterprise Server.
+  async detectAndForceDockerShim(): Promise<void> {
+    if (!this.isLinux) {
       if (this.forceDockerShim) {
         actionsCore.warning(
           "Ignoring force-docker-shim which is set to true, as it is only supported on Linux.",
@@ -123,26 +199,33 @@ class NixInstallerAction {
       return;
     }
 
+    if (this.isRunningInAct) {
+      actionsCore.debug(
+        "Not bothering to detect if the docker shim should be used, as it is typically incompatible with act.",
+      );
+      return;
+    }
+
     const systemdCheck = fs.statSync("/run/systemd/system", {
       throwIfNoEntry: false,
     });
     if (systemdCheck?.isDirectory()) {
+      this.addFact(FACT_HAS_SYSTEMD, true);
       if (this.forceDockerShim) {
         actionsCore.warning(
           "Systemd is detected, but ignoring it since force-docker-shim is enabled.",
         );
       } else {
-        this.idslib.addFact(FACT_HAS_SYSTEMD, true);
         return;
       }
     }
-    this.idslib.addFact(FACT_HAS_SYSTEMD, false);
+    this.addFact(FACT_HAS_SYSTEMD, false);
 
     actionsCore.debug(
       "Linux detected without systemd, testing for Docker with `docker info` as an alternative daemon supervisor.",
     );
 
-    this.idslib.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
+    this.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
     let exitCode;
     try {
       exitCode = await actionsExec.exec("docker", ["info"], {
@@ -176,7 +259,7 @@ class NixInstallerAction {
         return;
       }
     }
-    this.idslib.addFact(FACT_HAS_DOCKER, true);
+    this.addFact(FACT_HAS_DOCKER, true);
 
     if (
       !this.forceDockerShim &&
@@ -309,11 +392,10 @@ class NixInstallerAction {
 
   private async executionEnvironment(): Promise<ExecuteEnvironment> {
     const executionEnv: ExecuteEnvironment = {};
-    const runnerOs = process.env["RUNNER_OS"];
 
     executionEnv.NIX_INSTALLER_NO_CONFIRM = "true";
     executionEnv.NIX_INSTALLER_DIAGNOSTIC_ATTRIBUTION = JSON.stringify(
-      this.idslib.getCorrelationHashes(),
+      this.getCorrelationHashes(),
     );
 
     if (this.backtrace !== null) {
@@ -361,18 +443,18 @@ class NixInstallerAction {
     }
 
     executionEnv.NIX_INSTALLER_DIAGNOSTIC_ENDPOINT =
-      this.idslib.getDiagnosticsUrl()?.toString() ?? "";
+      (await this.getDiagnosticsUrl())?.toString() ?? "";
 
     // TODO: Error if the user uses these on not-MacOS
     if (this.macEncrypt !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error("`mac-encrypt` while `$RUNNER_OS` was not `macOS`");
       }
       executionEnv.NIX_INSTALLER_ENCRYPT = this.macEncrypt;
     }
 
     if (this.macCaseSensitive !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error(
           "`mac-case-sensitive` while `$RUNNER_OS` was not `macOS`",
         );
@@ -381,7 +463,7 @@ class NixInstallerAction {
     }
 
     if (this.macVolumeLabel !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error(
           "`mac-volume-label` while `$RUNNER_OS` was not `macOS`",
         );
@@ -390,7 +472,7 @@ class NixInstallerAction {
     }
 
     if (this.macRootDisk !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error("`mac-root-disk` while `$RUNNER_OS` was not `macOS`");
       }
       executionEnv.NIX_INSTALLER_ROOT_DISK = this.macRootDisk;
@@ -406,7 +488,7 @@ class NixInstallerAction {
 
     // TODO: Error if the user uses these on MacOS
     if (this.init !== null) {
-      if (runnerOs === "macOS") {
+      if (this.isMacOS) {
         throw new Error(
           "`init` is not a valid option when `$RUNNER_OS` is `macOS`",
         );
@@ -428,7 +510,7 @@ class NixInstallerAction {
       extraConf += `access-tokens = ${serverUrl}=${this.githubToken}`;
       extraConf += "\n";
     }
-    if (this.trustRunnerUser !== null) {
+    if (this.trustRunnerUser) {
       const user = userInfo().username;
       if (user) {
         extraConf += `trusted-users = root ${user}`;
@@ -452,16 +534,16 @@ class NixInstallerAction {
     }
     executionEnv.NIX_INSTALLER_EXTRA_CONF = extraConf;
 
-    if (process.env["ACT"] && !process.env["NOT_ACT"]) {
-      this.idslib.addFact(FACT_IN_GITHUB_ACTIONS, true);
+    if (this.isRunningInAct) {
+      this.addFact(FACT_IN_ACT, true);
       actionsCore.info(
         "Detected `$ACT` environment, assuming this is a https://github.com/nektos/act created container, set `NOT_ACT=true` to override this. This will change the setting of the `init` to be compatible with `act`",
       );
       executionEnv.NIX_INSTALLER_INIT = "none";
     }
 
-    if (process.env["NSC_VM_ID"] && !process.env["NOT_NAMESPACE"]) {
-      this.idslib.addFact(FACT_IN_NAMESPACE_SO, true);
+    if (this.isRunningInNamespaceRunner) {
+      this.addFact(FACT_IN_NAMESPACE_SO, true);
       actionsCore.info(
         "Detected Namespace runner, assuming this is a https://namespace.so created container, set `NOT_NAMESPACE=true` to override this. This will change the setting of the `init` to be compatible with Namespace",
       );
@@ -479,19 +561,19 @@ class NixInstallerAction {
 
     const args = ["install"];
     if (this.planner) {
-      this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
+      this.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
       args.push(this.planner);
     } else {
-      this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, getDefaultPlanner());
-      args.push(getDefaultPlanner());
+      this.addFact(FACT_NIX_INSTALLER_PLANNER, this.defaultPlanner);
+      args.push(this.defaultPlanner);
     }
 
     if (this.extraArgs) {
       const extraArgs = stringArgv(this.extraArgs);
-      args.concat(extraArgs);
+      args.push(...extraArgs);
     }
 
-    this.idslib.recordEvent(EVENT_INSTALL_NIX_START);
+    this.recordEvent(EVENT_INSTALL_NIX_START);
     const exitCode = await actionsExec.exec(binaryPath, args, {
       env: {
         ...executionEnv,
@@ -500,13 +582,13 @@ class NixInstallerAction {
     });
 
     if (exitCode !== 0) {
-      this.idslib.recordEvent(EVENT_INSTALL_NIX_FAILURE, {
+      this.recordEvent(EVENT_INSTALL_NIX_FAILURE, {
         exitCode,
       });
       throw new Error(`Non-zero exit code of \`${exitCode}\` detected`);
     }
 
-    this.idslib.recordEvent(EVENT_INSTALL_NIX_SUCCESS);
+    this.recordEvent(EVENT_INSTALL_NIX_SUCCESS);
 
     return exitCode;
   }
@@ -606,7 +688,56 @@ class NixInstallerAction {
 
     {
       actionsCore.debug("Starting the Nix daemon through Docker...");
-      this.idslib.recordEvent(EVENT_START_DOCKER_SHIM);
+
+      const candidateDirectories = [
+        {
+          dir: "/bin",
+          readOnly: true,
+        },
+        {
+          dir: "/etc",
+          readOnly: true,
+        },
+        {
+          dir: "/home",
+          readOnly: true,
+        },
+        {
+          dir: "/lib",
+          readOnly: true,
+        },
+        {
+          dir: "/lib64",
+          readOnly: true,
+        },
+        {
+          dir: "/tmp",
+          readOnly: false,
+        },
+        {
+          dir: "/nix",
+          readOnly: false,
+        },
+      ];
+
+      const mountArguments = [];
+
+      for (const { dir, readOnly } of candidateDirectories) {
+        try {
+          await access(dir);
+          actionsCore.debug(`Will mount ${dir} in the docker shim.`);
+          mountArguments.push("--mount");
+          mountArguments.push(
+            `type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
+          );
+        } catch {
+          actionsCore.debug(
+            `Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
+          );
+        }
+      }
+
+      this.recordEvent(EVENT_START_DOCKER_SHIM);
       const exitCode = await actionsExec.exec(
         "docker",
         [
@@ -617,25 +748,14 @@ class NixInstallerAction {
           "--network=host",
           "--userns=host",
           "--pid=host",
-          "--mount",
-          "type=bind,src=/bin,dst=/bin,readonly",
-          "--mount",
-          "type=bind,src=/lib,dst=/lib,readonly",
-          "--mount",
-          "type=bind,src=/home,dst=/home,readonly",
-          "--mount",
-          "type=bind,src=/tmp,dst=/tmp",
-          "--mount",
-          "type=bind,src=/nix,dst=/nix",
-          "--mount",
-          "type=bind,src=/etc,dst=/etc,readonly",
           "--restart",
           "always",
           "--init",
           "--name",
-          `determinate-nix-shim-${this.idslib.getUniqueId()}-${randomUUID()}`,
-          "determinate-nix-shim:latest",
-        ],
+          `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
+        ]
+          .concat(mountArguments)
+          .concat(["determinate-nix-shim:latest"]),
         {
           silent: true,
           listeners: {
@@ -696,7 +816,7 @@ class NixInstallerAction {
       }
 
       if (cleaned) {
-        this.idslib.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
+        this.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
       } else {
         actionsCore.warning(
           "Giving up on cleaning up the nix daemon container",
@@ -725,7 +845,7 @@ class NixInstallerAction {
   }
 
   async flakehubLogin(): Promise<string> {
-    this.idslib.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
+    this.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
     const netrcPath = `${process.env["RUNNER_TEMP"]}/determinate-nix-installer-netrc`;
 
     const jwt = await actionsCore.getIDToken("api.flakehub.com");
@@ -734,10 +854,17 @@ class NixInstallerAction {
       netrcPath,
       [
         `machine api.flakehub.com login flakehub password ${jwt}`,
+        `machine cache.flakehub.com login flakehub password ${jwt}`,
         `machine flakehub.com login flakehub password ${jwt}`,
       ].join("\n"),
     );
 
+    const flakehubAuthDir = `${process.env["XDG_CONFIG_HOME"] || `${process.env["HOME"]}/.config`}/flakehub`;
+    await mkdir(flakehubAuthDir, { recursive: true });
+    const flakehubAuthPath = `${flakehubAuthDir}/auth`;
+
+    await writeFile(flakehubAuthPath, jwt);
+
     actionsCore.info("Logging in to FlakeHub.");
 
     // the join followed by a match on ^... looks silly, but extra_config
@@ -752,7 +879,7 @@ class NixInstallerAction {
   }
 
   async executeUninstall(): Promise<number> {
-    this.idslib.recordEvent(EVENT_UNINSTALL_NIX);
+    this.recordEvent(EVENT_UNINSTALL_NIX);
     const exitCode = await actionsExec.exec(
       `/nix/nix-installer`,
       ["uninstall"],
@@ -784,7 +911,7 @@ class NixInstallerAction {
   }
 
   private async setupKvm(): Promise<boolean> {
-    this.idslib.recordEvent(EVENT_SETUP_KVM);
+    this.recordEvent(EVENT_SETUP_KVM);
     const currentUser = userInfo();
     const isRoot = currentUser.uid === 0;
     const maybeSudo = isRoot ? "" : "sudo";
@@ -880,7 +1007,7 @@ class NixInstallerAction {
 
   private async fetchBinary(): Promise<string> {
     if (!this.localRoot) {
-      return await this.idslib.fetchExecutable();
+      return await this.fetchExecutable();
     } else {
       const localPath = join(this.localRoot, `nix-installer-${this.platform}`);
       actionsCore.info(`Using binary ${localPath}`);
@@ -890,7 +1017,7 @@ class NixInstallerAction {
 
   async reportOverall(): Promise<void> {
     try {
-      this.idslib.recordEvent(EVENT_CONCLUDE_WORKFLOW, {
+      this.recordEvent(EVENT_CONCLUDE_WORKFLOW, {
         conclusion: await this.getWorkflowConclusion(),
       });
     } catch (e) {
@@ -899,7 +1026,7 @@ class NixInstallerAction {
   }
 
   private async getWorkflowConclusion(): Promise<
-    undefined | "success" | "failure" | "cancelled" | "unavailable" | "no-jobs"
+    undefined | WorkflowConclusion
   > {
     if (this.githubToken == null) {
       return undefined;
@@ -946,6 +1073,18 @@ class NixInstallerAction {
       return "unavailable";
     }
   }
+
+  private get defaultPlanner(): string {
+    if (this.isMacOS) {
+      return "macos";
+    } else if (this.isLinux) {
+      return "linux";
+    } else {
+      throw new Error(
+        `Unsupported \`RUNNER_OS\` (currently \`${this.runnerOs}\`)`,
+      );
+    }
+  }
 }
 
 type ExecuteEnvironment = {
@@ -974,32 +1113,8 @@ type ExecuteEnvironment = {
   NIX_INSTALLER_LOGGER?: string;
 };
 
-function getDefaultPlanner(): string {
-  const envOs = process.env["RUNNER_OS"];
-
-  if (envOs === "macOS") {
-    return "macos";
-  } else if (envOs === "Linux") {
-    return "linux";
-  } else {
-    throw new Error(`Unsupported \`RUNNER_OS\` (currently \`${envOs}\`)`);
-  }
-}
-
 function main(): void {
-  const installer = new NixInstallerAction();
-
-  installer.idslib.onMain(async () => {
-    await installer.detectAndForceDockerShim();
-    await installer.install();
-  });
-
-  installer.idslib.onPost(async () => {
-    await installer.cleanupDockerShim();
-    await installer.reportOverall();
-  });
-
-  installer.idslib.execute();
+  new NixInstallerAction().execute();
 }
 
 main();