Sometimes, two heads are NOT as good as one. (#170)

Check whether the current user has access to KVM before attempting to add udev rule

.editorconfig

@@ -0,0 +1,10 @@
+# https://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.eslintrc.json

@@ -29,6 +29,7 @@
         "accessibility": "no-public"
       }
     ],
+    "@typescript-eslint/no-base-to-string": "error",
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",

.github/verify-version.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# This script verifies that the version of Nix installed on the runner
+# matches the version supplied in the first argument.
+
+EXPECTED_VERSION="${1}"
+
+INSTALLED_NIX_VERSION_OUTPUT=$(nix --version)
+INSTALLED_NIX_VERSION=$(echo "${INSTALLED_NIX_VERSION_OUTPUT}" | awk '{print $NF}')
+EXPECTED_OUTPUT="nix (Nix) ${EXPECTED_VERSION}"
+
+if [ "${INSTALLED_NIX_VERSION_OUTPUT}" != "${EXPECTED_OUTPUT}" ]; then
+  echo "Nix version ${INSTALLED_NIX_VERSION} didn't match expected version ${EXPECTED_VERSION}"
+  exit 1
+else
+  echo "Success! Nix version ${INSTALLED_NIX_VERSION} installed as expected"
+  exit 0
+fi

.github/workflows/ci.yml

@@ -7,13 +7,28 @@ on:
   workflow_dispatch:
 
 jobs:
+  tests:
+    runs-on: ubuntu-22.04
+    needs:
+      - check-dist-up-to-date
+      - install-nix
+      - install-with-non-default-source-inputs
+      - install-no-id-token
+    # NOTE(cole-h): GitHub treats "skipped" as "OK" for the purposes of required checks on branch
+    # protection, so we take advantage of this fact and fail if any of the dependent actions failed,
+    # or "skip" (which is a success for GHA's purposes) if none of them did.
+    if: failure()
+    steps:
+      - name: Dependent checks failed
+        run: exit 1
+
   check-dist-up-to-date:
     name: Check the dist/ folder is up to date
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/flakehub-cache-action@main
       - name: pnpm install
         run: nix develop --command pnpm install
       - name: prettier format
@@ -28,14 +43,23 @@ jobs:
         run: git status --porcelain=v1
       - name: Ensure no staged changes
         run: git diff --exit-code
-  run-test-suite:
-    name: Run test suite
+
+  install-nix:
+    name: "Test: ${{ matrix.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
     strategy:
+      fail-fast: false
       matrix:
         runner:
           - ubuntu-latest
           - nscloud-ubuntu-22.04-amd64-4x16
           - namespace-profile-default-arm64
+          # - macos-12-large # determinate-nixd is broken on macos-12
+          - macos-13-large
+          - macos-14-large
+          - macos-14-xlarge # arm64
+        determinate:
+          - true
+          - false
     runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
@@ -48,6 +72,8 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
       - name: echo $PATH
         run: echo $PATH
 
@@ -73,12 +99,17 @@ jobs:
         run: nix-instantiate -E 'builtins.currentTime' --eval
         if: success() || failure()
         shell: sh -l {0}
+      - name: Test zsh
+        run: if (zsh --help > /dev/null); then zsh --login --interactive -c "nix-instantiate -E 'builtins.currentTime' --eval"; fi
+        if: success() || failure()
       - name: Install Nix again (noop)
         uses: ./
         with:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -96,6 +127,8 @@ jobs:
           reinstall: true
           extra-conf: |
             use-sqlite-wal = true
+          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -106,91 +139,42 @@ jobs:
           nix run nixpkgs#hello
       - name: Verify the generated nix.conf
         run: |
+          nix config show
           cat -n /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
-        with:
-          duration: 5m
-          authorized-users: grahamc
+          nix config show | grep -E "^trusted-users = .*$USER"
+          nix config show | grep -E "^use-sqlite-wal = true"
+
+  install-with-non-default-source-inputs:
+    name: Install Nix using non-default source-${{ matrix.inputs.key }}
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        inputs:
+          # https://github.com/DeterminateSystems/nix-installer/blob/v0.18.0
+          - key: url
+            value: https://github.com/DeterminateSystems/nix-installer/releases/download/v0.18.0/nix-installer-x86_64-linux
+            nix-version: "2.21.2"
+          # https://github.com/DeterminateSystems/nix-installer/tree/7011c077ec491da410fbc39f68676b0908b9ce7e
+          - key: revision
+            value: 7011c077ec491da410fbc39f68676b0908b9ce7e
+            nix-version: "2.19.2"
 
-  run-x86_64-darwin:
-    name: Run x86_64 Darwin
-    runs-on: macos-12
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@v4
-      - name: Install Nix
+      - name: Install with alternative source-${{ matrix.inputs.key }}
         uses: ./
         with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-      - name: echo $PATH
-        run: echo $PATH
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Test bash
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: bash --login {0}
-      - name: Test sh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: sh -l {0}
-      - name: Test zsh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: zsh --login --interactive {0}
-      - name: Install Nix again (noop)
-        uses: ./
+          source-${{ matrix.inputs.key }}: ${{ matrix.inputs.value }}
+          _internal-strict-mode: true
+      - name: Ensure that the expected Nix version ${{ matrix.inputs.nix-version }} is installed via alternative source-${{ matrix.inputs.key }}
+        run: .github/verify-version.sh ${{ matrix.inputs.nix-version }}
+
+  install-no-id-token:
+    name: Install Nix without an ID token
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./
         with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Reinstall Nix
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-          reinstall: true
-          extra-conf: |
-            use-sqlite-wal = true
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Verify the generated nix.conf
-        run: |
-          cat /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-      - name: Breakpoint if tests failed
-        if: failure()
-        uses: namespacelabs/breakpoint-action@v0
-        with:
-          duration: 5m
-          authorized-users: grahamc
+          _internal-strict-mode: true
+          determinate: true

CONTRIBUTING.md

@@ -1,3 +1,5 @@
 # Submitting Pull Requests
 
+Run `pnpm install` to install necessary JS tools.
+
 This action is based off https://github.com/actions/javascript-action. As part of your contributing flow you **must** run `npm run all` before we can merge.

README.md

@@ -34,7 +34,7 @@ jobs:
 
 ### With FlakeHub
 
-To fetch private flakes from FlakeHub, update the `permissions` block and pass `flakehub: true`:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and pass `determinate: true`:
 
 ```yaml
 on:
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
         with:
-          flakehub: true
+          determinate: true
       - run: nix build .
 ```
 
@@ -85,9 +85,10 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | Parameter               | Description                                                                                                                                                                                                                                                                    | Type                                       | Default                                                        |
 | :---------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :------------------------------------------------------------- |
 | `backtrace`             | The setting for [`RUST_BACKTRACE`][backtrace]                                                                                                                                                                                                                                  | string                                     |                                                                |
+| `determinate`           | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.                                                                                                                                      | Boolean                                    | `false`                                                        |
 | `extra-args`            | Extra arguments to pass to the planner (prefer using structured `with:` arguments unless using a custom [planner]!)                                                                                                                                                            | string                                     |                                                                |
 | `extra-conf`            | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)                                                                                                                                | string                                     |                                                                |
-| `flakehub`              | Log in to FlakeHub to pull private flakes using the GitHub Actions [JSON Web Token](https://jwt.io) (JWT), which is bound to the `api.flakehub.com` audience.                                                                                                                  | Boolean                                    | `false`                                                        |
+| `flakehub`              | Deprecated. Implies `determinate`.                                                                                                                                                                                                                                             | Boolean                                    | `false`                                                        |
 | `force-docker-shim`     | Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.                                                                                                                                                                         | Boolean                                    | `false`                                                        |
 | `github-token`          | A [GitHub token] for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)                                                                                                                                                        | string                                     | `${{ github.token }}`                                          |
 | `github-server-url`     | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | string                                     | `${{ github.server }}`                                         |
@@ -110,7 +111,7 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | `source-pr`             | The pull request of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, and `source-branch`)                                                                                                                                                               | integer                                    |                                                                |
 | `source-revision`       | The revision of `nix-installer` to use (conflicts with `source-tag`, `source-branch`, and `source-pr`)                                                                                                                                                                         | string                                     |                                                                |
 | `source-tag`            | The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)                                                                                                                                                                             | string                                     |                                                                |
-| `source-url`            | A URL pointing to a `nix-installer.sh` script                                                                                                                                                                                                                                  | URL                                        | `https://install.determinate.systems/nix`                      |
+| `source-url`            | A URL pointing to the `nix-installer` binary                                                                                                                                                                                                                                   | URL                                        | n/a (calculated)                                               |
 | `nix-package-url`       | The Nix package URL                                                                                                                                                                                                                                                            | URL                                        |                                                                |
 | `planner`               | The installation [planner] to use                                                                                                                                                                                                                                              | enum (`linux` or `macos`)                  |                                                                |
 | `reinstall`             | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`)                                                                                                                                                                                   | Boolean                                    | `false`                                                        |

action.yml

@@ -7,6 +7,10 @@ inputs:
   backtrace:
     description: The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables)
     required: false
+  determinate:
+    description: |
+      Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.
+    default: false
   extra-args:
     description: Extra args to pass to the planner (prefer using structured `with:` arguments unless using a custom planner!)
     required: false
@@ -14,11 +18,12 @@ inputs:
     description: Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)
     required: false
   flakehub:
-    description: Automatically log in to your [FlakeHub](https://flakehub.com) account, for accessing private flakes.
+    description: Deprecated. Implies `determinate`.
     required: false
     default: false
   force-docker-shim:
     description: Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.
+    required: false
     default: false
   github-token:
     description: A GitHub token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)
@@ -29,6 +34,9 @@ inputs:
   init:
     description: "The init system to configure, requires `planner: linux-multi` (allowing the choice between `none` or `systemd`)"
     required: false
+  job-status:
+    description: The overall status of the job. Set automatically, for aggregate analysis of Nix stability.
+    default: ${{ job.status }}
   kvm:
     description: Automatically configure the GitHub Actions Runner for NixOS test supports, if the host supports it.
     required: false
@@ -79,6 +87,9 @@ inputs:
   nix-build-user-prefix:
     description: The Nix build user prefix (user numbers will be postfixed)
     required: false
+  source-binary:
+    description: Run a version of the nix-installer binary from somewhere already on disk. Conflicts with all other `source-*` options. Intended only for testing this Action.
+    required: false
   source-branch:
     description: The branch of `nix-installer` to use (conflicts with `source-tag`, `source-revision`, `source-pr`)
     required: false
@@ -92,7 +103,7 @@ inputs:
     description: The tag of `nix-installer` to use (conflicts with `source-revision`, `source-branch`, `source-pr`)
     required: false
   source-url:
-    description: A URL pointing to a `nix-installer.sh` script
+    description: A URL pointing to a `nix-installer` executable
     required: false
   nix-package-url:
     description: The Nix package URL
@@ -110,10 +121,11 @@ inputs:
     default: true
   diagnostic-endpoint:
     description: "Diagnostic endpoint url where the installer sends data to. To disable set this to an empty string."
-    default: "https://install.determinate.systems/nix-installer/diagnostic"
+    required: false
+    default: "-"
   trust-runner-user:
     description: Whether to make the runner user trusted by the Nix daemon
-    default: "true"
+    default: true
   nix-installer-branch:
     description: (deprecated) The branch of `nix-installer` to use (conflicts with `nix-installer-tag`, `nix-installer-revision`, `nix-installer-pr`)
     required: false
@@ -129,6 +141,10 @@ inputs:
   nix-installer-url:
     description: (deprecated) A URL pointing to a `nix-installer.sh` script
     required: false
+  _internal-strict-mode:
+    description: Whether to fail when any errors are thrown. Used only to test the Action; do not set this in your own workflows.
+    required: false
+    default: false
 
 runs:
   using: "node20"

package.json

@@ -11,7 +11,8 @@
     "check-fmt": "prettier --check .",
     "lint": "eslint src/**/*.ts",
     "package": "ncc build",
-    "all": "pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
+    "test": "vitest --watch false",
+    "all": "pnpm run test && pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
   },
   "repository": {
     "type": "git",
@@ -25,25 +26,27 @@
   },
   "homepage": "https://github.com/DeterminateSystems/nix-installer-action#readme",
   "dependencies": {
-    "@actions/core": "^1.10.1",
+    "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.0",
     "detsys-ts": "github:DeterminateSystems/detsys-ts",
-    "string-argv": "^0.3.2"
+    "got": "^14.4.7",
+    "string-argv": "^0.3.2",
+    "vitest": "^3.1.1"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.12.11",
+    "@types/node": "^20.17.30",
     "@types/uuid": "^9.0.8",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-import-resolver-typescript": "^3.6.1",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^8.57.1",
+    "eslint-import-resolver-typescript": "^3.10.0",
     "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-prettier": "^5.1.3",
-    "prettier": "^3.2.5",
-    "tsup": "^8.0.2",
-    "typescript": "^5.4.5"
+    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-prettier": "^5.2.6",
+    "prettier": "^3.5.3",
+    "tsup": "^8.4.0",
+    "typescript": "^5.8.3"
   }
 }

src/annotate.ts

@@ -0,0 +1,66 @@
+import * as core from "@actions/core";
+
+import type { Fix, FixHashesOutputV1, Mismatch } from "./fixHashes.js";
+
+function prettyDerivation(derivation: string): string {
+  return derivation.replace(/\/nix\/store\/\w+-/, "").replace(/.drv$/, "");
+}
+
+function annotateSingle(
+  file: string,
+  line: number,
+  { derivation, replacement }: Mismatch,
+): void {
+  const pretty = prettyDerivation(derivation);
+  core.error(`To correct the hash mismatch for ${pretty}, use ${replacement}`, {
+    file,
+    startLine: line,
+  });
+}
+
+function annotateMultiple(
+  file: string,
+  { line, found, mismatches }: Fix,
+): void {
+  const matches = mismatches
+    .map(({ derivation, replacement }) => {
+      const pretty = prettyDerivation(derivation);
+      return `* For the derivation ${pretty}, use ${replacement}`;
+    })
+    .join("\n");
+
+  core.error(
+    `There are multiple replacements for the expression ${found}:\n${matches}`,
+    {
+      file,
+      startLine: line,
+    },
+  );
+}
+
+function annotate(file: string, fix: Fix): void {
+  if (fix.mismatches.length === 1) {
+    annotateSingle(file, fix.line, fix.mismatches[0]);
+  } else {
+    annotateMultiple(file, fix);
+  }
+}
+
+/**
+ * Annotates fixed-output derivation hash mismatches using GitHub Actions'
+ *
+ * @param output The output of `determinate-nixd fix hashes --json`
+ * @returns The number of annotations reported to the user
+ */
+export function annotateMismatches(output: FixHashesOutputV1): number {
+  let count = 0;
+
+  for (const { file, fixes } of output.files) {
+    for (const fix of fixes) {
+      annotate(file, fix);
+      count++;
+    }
+  }
+
+  return count;
+}

src/events.test.ts

@@ -0,0 +1,65 @@
+import { parseEvents, getRecentEvents } from "./events.js";
+import { expect, test } from "vitest";
+
+// Handy test for locally making sure you can fetch recent events:
+// eslint-disable-next-line no-constant-condition
+if (false) {
+  test("Parsing existing events", async () => {
+    expect(await getRecentEvents(new Date(Date.now() - 1000000))).toStrictEqual(
+      [{}],
+    );
+  });
+}
+
+test("Parsing existing events", () => {
+  const events = parseEvents([
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/m96zgji4fhi70s2zs6pq5pric6ch7p4h-stdenv-darwin.drv",
+      outputs: ["/nix/store/dalhfz3l75w4b4q06sxzqgb2wfydvkbv-stdenv-darwin"],
+      timing: null,
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv",
+      outputs: ["/nix/store/qwlgz5da3pfb53gqpgdmazaj9jczrnly-dep-1"],
+      timing: {
+        startTime: "2025-04-11T14:38:02Z",
+        stopTime: "2025-04-11T14:38:05Z",
+        durationSeconds: 3,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: "/nix/store/ykvbksjqrza2zpj6nkbycrdfwgfdpr8g-hash-mismatch-md5-base16.drv",
+      timing: {
+        startTime: "2025-04-11T14:36:44Z",
+        stopTime: "2025-04-11T14:36:44Z",
+        durationSeconds: 0,
+      },
+    },
+  ]);
+  expect(events).toStrictEqual([
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv",
+      timing: {
+        durationSeconds: 3,
+        startTime: new Date("2025-04-11T14:38:02Z"),
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: "/nix/store/ykvbksjqrza2zpj6nkbycrdfwgfdpr8g-hash-mismatch-md5-base16.drv",
+      timing: {
+        durationSeconds: 0,
+        startTime: new Date("2025-04-11T14:36:44Z"),
+      },
+    },
+  ]);
+});

src/events.ts

@@ -0,0 +1,71 @@
+import got from "got";
+
+export interface DEvent {
+  v: string;
+  c: string;
+  drv: string;
+  timing: {
+    startTime: Date;
+    durationSeconds: number;
+  };
+}
+
+export function parseEvents(data: unknown): DEvent[] {
+  if (!Array.isArray(data)) {
+    return [];
+  }
+
+  return data.flatMap((event) => {
+    if (
+      event.v === "1" &&
+      (event.c === "BuildFailureResponseEventV1" ||
+        event.c === "BuiltPathResponseEventV1") &&
+      Object.hasOwn(event, "drv") &&
+      typeof event.drv === "string" &&
+      Object.hasOwn(event, "timing") &&
+      typeof event.timing === "object" &&
+      event.timing !== null
+    ) {
+      const timing = event.timing as { [key: string]: unknown };
+
+      if (
+        Object.hasOwn(timing, "startTime") &&
+        typeof timing.startTime === "string" &&
+        Object.hasOwn(timing, "durationSeconds") &&
+        typeof timing.durationSeconds === "number"
+      ) {
+        const date = Date.parse(timing.startTime);
+        if (!Number.isNaN(date)) {
+          return [
+            {
+              v: event.v,
+              c: event.c,
+              drv: event.drv,
+              timing: {
+                startTime: new Date(date),
+                durationSeconds: timing.durationSeconds,
+              },
+            },
+          ];
+        }
+      }
+    }
+
+    return [];
+  });
+}
+
+export async function getRecentEvents(since: Date): Promise<DEvent[]> {
+  const queryParam = encodeURIComponent(since.toISOString());
+
+  const resp = await got
+    .get(
+      `http://unix:/nix/var/determinate/determinate-nixd.socket:/events/recent?since=${queryParam}`,
+      {
+        enableUnixSockets: true,
+      },
+    )
+    .json();
+
+  return parseEvents(resp);
+}

src/failuresummary.test.ts

@@ -0,0 +1,274 @@
+import { expect, test } from "vitest";
+import {
+  FailureSummary,
+  getBuildFailures,
+  summarizeFailures,
+} from "./failuresummary.js";
+
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+
+test("Select for failure events", () => {
+  const events = [
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv`,
+      timing: {
+        startTime: new Date(1 * 1000),
+        durationSeconds: 1,
+      },
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-2.drv`,
+      timing: {
+        startTime: new Date(2 * 1000),
+        durationSeconds: 2,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv`,
+      timing: {
+        startTime: new Date(3 * 1000),
+        durationSeconds: 3,
+      },
+    },
+  ];
+
+  expect(getBuildFailures(events)).toStrictEqual([
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv`,
+      timing: {
+        startTime: new Date(1 * 1000),
+        durationSeconds: 1,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv`,
+      timing: {
+        startTime: new Date(3 * 1000),
+        durationSeconds: 3,
+      },
+    },
+  ]);
+});
+
+test("Summarize Failures", async () => {
+  const events = [
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv`,
+      timing: {
+        startTime: new Date(1 * 1000),
+        durationSeconds: 1,
+      },
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-2.drv`,
+      timing: {
+        startTime: new Date(2 * 1000),
+        durationSeconds: 2,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv`,
+      timing: {
+        startTime: new Date(3 * 1000),
+        durationSeconds: 3,
+      },
+    },
+  ];
+
+  const logMaker = async (drv: string): Promise<string | undefined> => {
+    if (drv.includes("dep-1")) {
+      return `${drv}\n`.repeat(9).trimEnd();
+    } else {
+      return `${drv}\n`.repeat(25).trimEnd();
+    }
+  };
+
+  const summary: FailureSummary = (await summarizeFailures(events, logMaker))!;
+
+  expect(summary.markdownLines.join("\n"))
+    .toStrictEqual(`### Build error review :boom:
+> [!NOTE]
+> 2 builds failed
+<details><summary>Failure log: <code>/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-<strong>dep-1</strong>.drv</code></summary>
+
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+
+</details>
+
+<details><summary>Failure log: <code>/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-<strong>dep-3</strong>.drv</code></summary>
+
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+
+</details>
+`);
+
+  expect(summary.logLines.join("\n"))
+    .toStrictEqual(`\u001b[38;2;255;0;0mBuild logs from 2 failures
+The following build logs are also available in the Markdown summary:
+::group::Failed build: /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+::endgroup::
+::group::Failed build: /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+::endgroup::`);
+});
+
+test("Omit some logs if there are too many", async () => {
+  const events = [
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv`,
+      timing: {
+        startTime: new Date(1 * 1000),
+        durationSeconds: 1,
+      },
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-2.drv`,
+      timing: {
+        startTime: new Date(2 * 1000),
+        durationSeconds: 2,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv`,
+      timing: {
+        startTime: new Date(3 * 1000),
+        durationSeconds: 3,
+      },
+    },
+  ];
+
+  const logMaker = async (drv: string): Promise<string | undefined> => {
+    return `${drv}\n`.repeat(5).trimEnd();
+  };
+
+  const summary: FailureSummary = (await summarizeFailures(
+    events,
+    logMaker,
+    500,
+  ))!;
+
+  expect(summary.markdownLines.join("\n"))
+    .toStrictEqual(`### Build error review :boom:
+> [!NOTE]
+> 2 builds failed
+<details><summary>Failure log: <code>/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-<strong>dep-1</strong>.drv</code></summary>
+
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+
+</details>
+
+> [!NOTE]
+> The following failure has been ommitted due to GitHub Actions summary length limitations.
+> The full logs are available in the post-run phase of the Nix Installer Action.
+> * \`/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv\``);
+
+  expect(summary.logLines.join("\n"))
+    .toStrictEqual(`\u001b[38;2;255;0;0mBuild logs from 2 failures
+The following build logs are also available in the Markdown summary:
+::group::Failed build: /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv
+::endgroup::
+The following build logs are NOT available in the Markdown summary:
+::group::Failed build: /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+    /nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv
+::endgroup::`);
+});

src/failuresummary.ts

@@ -0,0 +1,123 @@
+import { getExecOutput } from "@actions/exec";
+import { DEvent } from "./events.js";
+import { stripVTControlCharacters } from "node:util";
+
+// CI summaries have a max length of "1024k" which I assume to be 1048576 bytes.
+// Generously, the mermaid doc is about 50,000 bytes.
+// Rounding it all down a bit further for wiggle room, that leaves lots of log space.
+const defaultMaxSummaryLength = 995_000;
+
+export function getBuildFailures(events: DEvent[]): DEvent[] {
+  return events.filter((event: DEvent): Boolean => {
+    return event.c === "BuildFailureResponseEventV1";
+  });
+}
+
+export interface FailureSummary {
+  logLines: string[];
+  markdownLines: string[];
+}
+
+export async function summarizeFailures(
+  events: DEvent[],
+  getLog: (drv: string) => Promise<string | undefined> = getLogFromNix,
+  maxLength: number = defaultMaxSummaryLength,
+): Promise<FailureSummary | undefined> {
+  const failures = getBuildFailures(events);
+
+  if (failures.length === 0) {
+    return undefined;
+  }
+
+  const logLines = [];
+  const markdownLines = [];
+
+  logLines.push(
+    `\u001b[38;2;255;0;0mBuild logs from ${failures.length} failure${failures.length === 1 ? "" : "s"}`,
+  );
+  logLines.push(
+    `The following build logs are also available in the Markdown summary:`,
+  );
+  markdownLines.push(`### Build error review :boom:`);
+  markdownLines.push("> [!NOTE]");
+  markdownLines.push(
+    `> ${failures.length} build${failures.length === 1 ? "" : "s"} failed`,
+  );
+
+  const markdownLogChunks: {
+    drv: string;
+    txtLines: string[];
+    mdLines: string[];
+  }[] = [];
+  for (const event of failures) {
+    const markdownLogChunk = [];
+    const txtLogChunk = [];
+    txtLogChunk.push(`::group::Failed build: ${event.drv}`);
+
+    const log =
+      (await getLog(event.drv)) ??
+      "(failure reading the log for this derivation.)";
+    const indented = log.split("\n").map((line) => `    ${line}`);
+
+    markdownLogChunk.push(
+      `<details><summary>Failure log: <code>${event.drv.replace(/^(\/nix[^-]*-)(.*)(\.drv)$/, "$1<strong>$2</strong>$3")}</code></summary>`,
+    );
+    markdownLogChunk.push("");
+
+    for (const line of indented) {
+      txtLogChunk.push(line);
+      markdownLogChunk.push(stripVTControlCharacters(line));
+    }
+    markdownLogChunk.push("");
+    markdownLogChunk.push("</details>");
+    markdownLogChunk.push("");
+
+    markdownLogChunks.push({
+      drv: event.drv,
+      mdLines: markdownLogChunk,
+      txtLines: txtLogChunk,
+    });
+    txtLogChunk.push(`::endgroup::`);
+  }
+
+  const skippedChunks = [];
+
+  // Add markdown log chunks until we exceed the max length
+  let markdownLength = markdownLines.join("\n").length;
+  for (const chunk of markdownLogChunks) {
+    const chunkLength = chunk.mdLines.join("\n").length;
+    if (markdownLength + chunkLength > maxLength) {
+      skippedChunks.push(chunk);
+    } else {
+      logLines.push(...chunk.txtLines);
+      markdownLines.push(...chunk.mdLines);
+      markdownLength += chunkLength;
+    }
+  }
+
+  if (skippedChunks.length > 0) {
+    markdownLines.push(
+      "> [!NOTE]",
+      `> The following ${skippedChunks.length === 1 ? "failure has" : "failures have"} been ommitted due to GitHub Actions summary length limitations.`,
+      "> The full logs are available in the post-run phase of the Nix Installer Action.",
+    );
+
+    logLines.push(
+      "The following build logs are NOT available in the Markdown summary:",
+    );
+    for (const chunk of skippedChunks) {
+      markdownLines.push(`> * \`${chunk.drv}\``);
+      logLines.push(...chunk.txtLines);
+    }
+  }
+
+  return { logLines, markdownLines };
+}
+
+async function getLogFromNix(drv: string): Promise<string | undefined> {
+  const output = await getExecOutput("nix", ["log", drv], {
+    silent: true,
+  });
+
+  return output.stdout;
+}

src/fixHashes.ts

@@ -0,0 +1,38 @@
+import { getExecOutput } from "@actions/exec";
+
+export interface Mismatch {
+  readonly derivation: string;
+  readonly replacement: string;
+}
+
+export interface Fix {
+  readonly line: number;
+  readonly found: string;
+  readonly mismatches: readonly Mismatch[];
+}
+
+export interface FileFix {
+  readonly file: string;
+  readonly fixes: readonly Fix[];
+}
+
+export interface FixHashesOutputV1 {
+  readonly version: "v1";
+  readonly files: readonly FileFix[];
+}
+
+export async function getFixHashes(since: string): Promise<FixHashesOutputV1> {
+  const output = await getExecOutput(
+    "determinate-nixd",
+    ["fix", "hashes", "--json", "--since", since],
+    { silent: true },
+  );
+
+  if (output.exitCode !== 0) {
+    throw new Error(
+      `determinate-nixd fix hashes returned non-zero exit code ${output.exitCode} with the following error output:\n${output.stderr}`,
+    );
+  }
+
+  return JSON.parse(output.stdout);
+}

src/index.ts

@@ -1,14 +1,21 @@
 import * as actionsCore from "@actions/core";
-import * as github from "@actions/github";
 import * as actionsExec from "@actions/exec";
-import { access, writeFile, readFile } from "node:fs/promises";
+import * as github from "@actions/github";
+import { access, readFile, stat } from "node:fs/promises";
 import { join } from "node:path";
 import fs from "node:fs";
 import { userInfo } from "node:os";
 import stringArgv from "string-argv";
 import * as path from "path";
-import { IdsToolbox, inputs, platform } from "detsys-ts";
+import { DetSysAction, inputs, platform, stringifyError } from "detsys-ts";
 import { randomUUID } from "node:crypto";
+import got from "got";
+import { setTimeout } from "node:timers/promises";
+import { getFixHashes } from "./fixHashes.js";
+import { annotateMismatches } from "./annotate.js";
+import { getRecentEvents } from "./events.js";
+import { makeMermaidReport } from "./mermaid.js";
+import { summarizeFailures } from "./failuresummary.js";
 
 // Nix installation events
 const EVENT_INSTALL_NIX_FAILURE = "install_nix_failure";
@@ -25,28 +32,39 @@ const EVENT_START_DOCKER_SHIM = "start_docker_shim";
 const EVENT_LOGIN_TO_FLAKEHUB = "login_to_flakehub";
 
 // Other events
-const EVENT_CONCLUDE_WORKFLOW = "conclude_workflow";
+const EVENT_CONCLUDE_JOB = "conclude_job";
+const EVENT_FOD_ANNOTATE = "fod_annotate";
+
+// Feature flag names
+const FEAT_ANNOTATIONS = "hash-mismatch-annotations";
 
 // Facts
+const FACT_DETERMINATE_NIX = "determinate_nix";
 const FACT_HAS_DOCKER = "has_docker";
 const FACT_HAS_SYSTEMD = "has_systemd";
-const FACT_IN_GITHUB_ACTIONS = "in_act";
+const FACT_IN_ACT = "in_act";
 const FACT_IN_NAMESPACE_SO = "in_namespace_so";
 const FACT_NIX_INSTALLER_PLANNER = "nix_installer_planner";
 
-class NixInstallerAction {
-  idslib: IdsToolbox;
+// Flags
+const FLAG_DETERMINATE = "--determinate";
+
+// Pre/post state keys
+const STATE_START_DATETIME = "DETERMINATE_NIXD_START_DATETIME";
+
+class NixInstallerAction extends DetSysAction {
+  determinate: boolean;
   platform: string;
   nixPackageUrl: string | null;
   backtrace: string | null;
   extraArgs: string | null;
   extraConf: string[] | null;
-  flakehub: boolean;
   kvm: boolean;
   githubServerUrl: string | null;
   githubToken: string | null;
-  forceDockerShim: boolean | null;
+  forceDockerShim: boolean;
   init: string | null;
+  jobConclusion: string | null;
   localRoot: string | null;
   logDirectives: string | null;
   logger: string | null;
@@ -65,27 +83,31 @@ class NixInstallerAction {
   planner: string | null;
   reinstall: boolean;
   startDaemon: boolean;
-  trustRunnerUser: boolean | null;
+  trustRunnerUser: boolean;
+  runnerOs: string | undefined;
 
   constructor() {
-    this.idslib = new IdsToolbox({
+    super({
       name: "nix-installer",
       fetchStyle: "nix-style",
       legacySourcePrefix: "nix-installer",
       requireNix: "ignore",
+      diagnosticsSuffix: "diagnostic",
     });
 
+    this.determinate =
+      inputs.getBool("determinate") || inputs.getBool("flakehub");
     this.platform = platform.getNixPlatform(platform.getArchOs());
     this.nixPackageUrl = inputs.getStringOrNull("nix-package-url");
     this.backtrace = inputs.getStringOrNull("backtrace");
     this.extraArgs = inputs.getStringOrNull("extra-args");
     this.extraConf = inputs.getMultilineStringOrNull("extra-conf");
-    this.flakehub = inputs.getBool("flakehub");
     this.kvm = inputs.getBool("kvm");
     this.forceDockerShim = inputs.getBool("force-docker-shim");
     this.githubToken = inputs.getStringOrNull("github-token");
     this.githubServerUrl = inputs.getStringOrNull("github-server-url");
     this.init = inputs.getStringOrNull("init");
+    this.jobConclusion = inputs.getStringOrNull("job-status");
     this.localRoot = inputs.getStringOrNull("local-root");
     this.logDirectives = inputs.getStringOrNull("log-directives");
     this.logger = inputs.getStringOrNull("logger");
@@ -105,15 +127,91 @@ class NixInstallerAction {
     this.reinstall = inputs.getBool("reinstall");
     this.startDaemon = inputs.getBool("start-daemon");
     this.trustRunnerUser = inputs.getBool("trust-runner-user");
+    this.runnerOs = process.env["RUNNER_OS"];
   }
 
-  async detectAndForceDockerShim(): Promise<void> {
-    const runnerOs = process.env["RUNNER_OS"];
+  async main(): Promise<void> {
+    await this.scienceDebugFly();
+    await this.detectAndForceDockerShim();
+    await this.install();
+    actionsCore.saveState(STATE_START_DATETIME, new Date().toISOString());
+  }
 
-    // Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
-    // This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
-    // and especially GitHub Enterprise Server.
-    if (runnerOs !== "Linux") {
+  async post(): Promise<void> {
+    await this.annotateMismatches();
+    try {
+      await this.summarizeExecution();
+    } catch (err: unknown) {
+      this.recordEvent("summarize-execution:error", {
+        exception: stringifyError(err),
+      });
+    }
+    await this.cleanupDockerShim();
+    await this.reportOverall();
+  }
+
+  private get isMacOS(): boolean {
+    return this.runnerOs === "macOS";
+  }
+
+  private get isLinux(): boolean {
+    return this.runnerOs === "Linux";
+  }
+
+  private get isRunningInAct(): boolean {
+    return process.env["ACT"] !== undefined && !(process.env["NOT_ACT"] === "");
+  }
+
+  private get isRunningInNamespaceRunner(): boolean {
+    return (
+      process.env["NSC_VM_ID"] !== undefined &&
+      !(process.env["NOT_NAMESPACE"] === "true")
+    );
+  }
+
+  async scienceDebugFly(): Promise<void> {
+    try {
+      const feat = this.getFeature("debug-probe-urls");
+      if (feat === undefined || feat.payload === undefined) {
+        return;
+      }
+
+      const { timeoutMs, url }: { timeoutMs: number; url: string } = JSON.parse(
+        feat.payload,
+      );
+      try {
+        const resp = await got.get(url, {
+          timeout: {
+            request: timeoutMs,
+          },
+        });
+
+        this.recordEvent("debug-probe-urls:response", {
+          debug_probe_urls_ip: resp.ip, // eslint-disable-line camelcase
+          debug_probe_urls_ok: resp.ok, // eslint-disable-line camelcase
+          debug_probe_urls_status_code: resp.statusCode, // eslint-disable-line camelcase
+          debug_probe_urls_body: resp.body, // eslint-disable-line camelcase
+          // eslint-disable-next-line camelcase
+          debug_probe_urls_elapsed:
+            (resp.timings.end ?? 0) - resp.timings.start,
+        });
+      } catch (e: unknown) {
+        this.recordEvent("debug-probe-urls:exception", {
+          debug_probe_urls_exception: stringifyError(e), // eslint-disable-line camelcase
+        });
+      }
+    } catch (err: unknown) {
+      this.recordEvent("debug-probe-urls:error", {
+        exception: stringifyError(err),
+      });
+    }
+  }
+
+  // Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
+  // This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
+  // and especially GitHub Enterprise Server.
+  async detectAndForceDockerShim(): Promise<void> {
+    if (!this.isLinux) {
       if (this.forceDockerShim) {
         actionsCore.warning(
           "Ignoring force-docker-shim which is set to true, as it is only supported on Linux.",
@@ -123,26 +221,33 @@ class NixInstallerAction {
       return;
     }
 
+    if (this.isRunningInAct) {
+      actionsCore.debug(
+        "Not bothering to detect if the docker shim should be used, as it is typically incompatible with act.",
+      );
+      return;
+    }
+
     const systemdCheck = fs.statSync("/run/systemd/system", {
       throwIfNoEntry: false,
     });
     if (systemdCheck?.isDirectory()) {
+      this.addFact(FACT_HAS_SYSTEMD, true);
       if (this.forceDockerShim) {
         actionsCore.warning(
           "Systemd is detected, but ignoring it since force-docker-shim is enabled.",
         );
       } else {
-        this.idslib.addFact(FACT_HAS_SYSTEMD, true);
         return;
       }
     }
-    this.idslib.addFact(FACT_HAS_SYSTEMD, false);
+    this.addFact(FACT_HAS_SYSTEMD, false);
 
     actionsCore.debug(
       "Linux detected without systemd, testing for Docker with `docker info` as an alternative daemon supervisor.",
     );
 
-    this.idslib.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
+    this.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
     let exitCode;
     try {
       exitCode = await actionsExec.exec("docker", ["info"], {
@@ -176,7 +281,7 @@ class NixInstallerAction {
         return;
       }
     }
-    this.idslib.addFact(FACT_HAS_DOCKER, true);
+    this.addFact(FACT_HAS_DOCKER, true);
 
     if (
       !this.forceDockerShim &&
@@ -309,11 +414,10 @@ class NixInstallerAction {
 
   private async executionEnvironment(): Promise<ExecuteEnvironment> {
     const executionEnv: ExecuteEnvironment = {};
-    const runnerOs = process.env["RUNNER_OS"];
 
     executionEnv.NIX_INSTALLER_NO_CONFIRM = "true";
     executionEnv.NIX_INSTALLER_DIAGNOSTIC_ATTRIBUTION = JSON.stringify(
-      this.idslib.getCorrelationHashes(),
+      this.getCorrelationHashes(),
     );
 
     if (this.backtrace !== null) {
@@ -361,18 +465,18 @@ class NixInstallerAction {
     }
 
     executionEnv.NIX_INSTALLER_DIAGNOSTIC_ENDPOINT =
-      this.idslib.getDiagnosticsUrl()?.toString() ?? "";
+      (await this.getDiagnosticsUrl())?.toString() ?? "";
 
     // TODO: Error if the user uses these on not-MacOS
     if (this.macEncrypt !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error("`mac-encrypt` while `$RUNNER_OS` was not `macOS`");
       }
       executionEnv.NIX_INSTALLER_ENCRYPT = this.macEncrypt;
     }
 
     if (this.macCaseSensitive !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error(
           "`mac-case-sensitive` while `$RUNNER_OS` was not `macOS`",
         );
@@ -381,7 +485,7 @@ class NixInstallerAction {
     }
 
     if (this.macVolumeLabel !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error(
           "`mac-volume-label` while `$RUNNER_OS` was not `macOS`",
         );
@@ -390,7 +494,7 @@ class NixInstallerAction {
     }
 
     if (this.macRootDisk !== null) {
-      if (runnerOs !== "macOS") {
+      if (!this.isMacOS) {
         throw new Error("`mac-root-disk` while `$RUNNER_OS` was not `macOS`");
       }
       executionEnv.NIX_INSTALLER_ROOT_DISK = this.macRootDisk;
@@ -406,7 +510,7 @@ class NixInstallerAction {
 
     // TODO: Error if the user uses these on MacOS
     if (this.init !== null) {
-      if (runnerOs === "macOS") {
+      if (this.isMacOS) {
         throw new Error(
           "`init` is not a valid option when `$RUNNER_OS` is `macOS`",
         );
@@ -428,7 +532,7 @@ class NixInstallerAction {
       extraConf += `access-tokens = ${serverUrl}=${this.githubToken}`;
       extraConf += "\n";
     }
-    if (this.trustRunnerUser !== null) {
+    if (this.trustRunnerUser) {
       const user = userInfo().username;
       if (user) {
         extraConf += `trusted-users = root ${user}`;
@@ -437,31 +541,22 @@ class NixInstallerAction {
       }
       extraConf += "\n";
     }
-    if (this.flakehub) {
-      try {
-        const flakeHubNetrcFile = await this.flakehubLogin();
-        extraConf += `netrc-file = ${flakeHubNetrcFile}`;
-        extraConf += "\n";
-      } catch (e) {
-        actionsCore.warning(`Failed to set up FlakeHub: ${e}`);
-      }
-    }
     if (this.extraConf !== null && this.extraConf.length !== 0) {
       extraConf += this.extraConf.join("\n");
       extraConf += "\n";
     }
     executionEnv.NIX_INSTALLER_EXTRA_CONF = extraConf;
 
-    if (process.env["ACT"] && !process.env["NOT_ACT"]) {
-      this.idslib.addFact(FACT_IN_GITHUB_ACTIONS, true);
+    if (this.isRunningInAct) {
+      this.addFact(FACT_IN_ACT, true);
       actionsCore.info(
         "Detected `$ACT` environment, assuming this is a https://github.com/nektos/act created container, set `NOT_ACT=true` to override this. This will change the setting of the `init` to be compatible with `act`",
       );
       executionEnv.NIX_INSTALLER_INIT = "none";
     }
 
-    if (process.env["NSC_VM_ID"] && !process.env["NOT_NAMESPACE"]) {
-      this.idslib.addFact(FACT_IN_NAMESPACE_SO, true);
+    if (this.isRunningInNamespaceRunner) {
+      this.addFact(FACT_IN_NAMESPACE_SO, true);
       actionsCore.info(
         "Detected Namespace runner, assuming this is a https://namespace.so created container, set `NOT_NAMESPACE=true` to override this. This will change the setting of the `init` to be compatible with Namespace",
       );
@@ -471,28 +566,49 @@ class NixInstallerAction {
     return executionEnv;
   }
 
+  private get installerArgs(): string[] {
+    const args = ["install"];
+
+    if (this.planner) {
+      this.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
+      args.push(this.planner);
+    } else {
+      this.addFact(FACT_NIX_INSTALLER_PLANNER, this.defaultPlanner);
+      args.push(this.defaultPlanner);
+    }
+
+    if (this.extraArgs) {
+      const extraArgs = stringArgv(this.extraArgs);
+      args.push(...extraArgs);
+    }
+
+    if (this.determinate) {
+      this.addFact(FACT_DETERMINATE_NIX, true);
+
+      actionsCore.info(
+        `Installing Determinate Nix using the ${FLAG_DETERMINATE} flag`,
+      );
+
+      if (!this.extraArgs) {
+        args.push(FLAG_DETERMINATE);
+      }
+
+      if (this.extraArgs && !this.extraArgs.includes(FLAG_DETERMINATE)) {
+        args.push(FLAG_DETERMINATE);
+      }
+    }
+
+    return args;
+  }
+
   private async executeInstall(binaryPath: string): Promise<number> {
     const executionEnv = await this.executionEnvironment();
     actionsCore.debug(
       `Execution environment: ${JSON.stringify(executionEnv, null, 4)}`,
     );
 
-    const args = ["install"];
-    if (this.planner) {
-      this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
-      args.push(this.planner);
-    } else {
-      this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, getDefaultPlanner());
-      args.push(getDefaultPlanner());
-    }
-
-    if (this.extraArgs) {
-      const extraArgs = stringArgv(this.extraArgs);
-      args.concat(extraArgs);
-    }
-
-    this.idslib.recordEvent(EVENT_INSTALL_NIX_START);
-    const exitCode = await actionsExec.exec(binaryPath, args, {
+    this.recordEvent(EVENT_INSTALL_NIX_START);
+    const exitCode = await actionsExec.exec(binaryPath, this.installerArgs, {
       env: {
         ...executionEnv,
         ...process.env, // To get $PATH, etc
@@ -500,13 +616,13 @@ class NixInstallerAction {
     });
 
     if (exitCode !== 0) {
-      this.idslib.recordEvent(EVENT_INSTALL_NIX_FAILURE, {
+      this.recordEvent(EVENT_INSTALL_NIX_FAILURE, {
         exitCode,
       });
       throw new Error(`Non-zero exit code of \`${exitCode}\` detected`);
     }
 
-    this.idslib.recordEvent(EVENT_INSTALL_NIX_SUCCESS);
+    this.recordEvent(EVENT_INSTALL_NIX_SUCCESS);
 
     return exitCode;
   }
@@ -521,8 +637,13 @@ class NixInstallerAction {
         );
         await this.executeUninstall();
       } else {
-        // We're already installed, and not reinstalling, just set GITHUB_PATH and finish early
+        // We're already installed, and not reinstalling, just log in to FlakeHub, set GITHUB_PATH and finish early
         await this.setGithubPath();
+
+        if (this.determinate) {
+          await this.flakehubLogin();
+        }
+
         actionsCore.info("Nix was already installed, using existing install");
         return;
       }
@@ -541,7 +662,6 @@ class NixInstallerAction {
       }
     }
 
-    // Normal just doing of the install
     actionsCore.startGroup("Installing Nix");
     const binaryPath = await this.fetchBinary();
     await this.executeInstall(binaryPath);
@@ -550,7 +670,12 @@ class NixInstallerAction {
     if (this.forceDockerShim) {
       await this.spawnDockerShim();
     }
+
     await this.setGithubPath();
+
+    if (this.determinate) {
+      await this.flakehubLogin();
+    }
   }
 
   async spawnDockerShim(): Promise<void> {
@@ -606,7 +731,68 @@ class NixInstallerAction {
 
     {
       actionsCore.debug("Starting the Nix daemon through Docker...");
-      this.idslib.recordEvent(EVENT_START_DOCKER_SHIM);
+
+      const candidateDirectories = [
+        {
+          dir: "/bin",
+          readOnly: true,
+        },
+        {
+          dir: "/etc",
+          readOnly: true,
+        },
+        {
+          dir: "/home",
+          readOnly: true,
+        },
+        {
+          dir: "/lib",
+          readOnly: true,
+        },
+        {
+          dir: "/lib64",
+          readOnly: true,
+        },
+        {
+          dir: "/tmp",
+          readOnly: false,
+        },
+        {
+          dir: "/usr",
+          readOnly: true,
+        },
+        {
+          dir: "/nix",
+          readOnly: false,
+        },
+      ];
+
+      const mountArguments = [];
+
+      for (const { dir, readOnly } of candidateDirectories) {
+        try {
+          await access(dir);
+          actionsCore.debug(`Will mount ${dir} in the docker shim.`);
+          mountArguments.push("--mount");
+          mountArguments.push(
+            `type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
+          );
+        } catch {
+          actionsCore.debug(
+            `Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
+          );
+        }
+      }
+
+      const plausibleDeterminateOptions = [];
+      const plausibleDeterminateArguments = [];
+      if (this.determinate) {
+        plausibleDeterminateOptions.push("--entrypoint");
+        plausibleDeterminateOptions.push("/usr/local/bin/determinate-nixd");
+        plausibleDeterminateArguments.push("daemon");
+      }
+
+      this.recordEvent(EVENT_START_DOCKER_SHIM);
       const exitCode = await actionsExec.exec(
         "docker",
         [
@@ -617,25 +803,16 @@ class NixInstallerAction {
           "--network=host",
           "--userns=host",
           "--pid=host",
-          "--mount",
-          "type=bind,src=/bin,dst=/bin,readonly",
-          "--mount",
-          "type=bind,src=/lib,dst=/lib,readonly",
-          "--mount",
-          "type=bind,src=/home,dst=/home,readonly",
-          "--mount",
-          "type=bind,src=/tmp,dst=/tmp",
-          "--mount",
-          "type=bind,src=/nix,dst=/nix",
-          "--mount",
-          "type=bind,src=/etc,dst=/etc,readonly",
           "--restart",
           "always",
           "--init",
           "--name",
-          `determinate-nix-shim-${this.idslib.getUniqueId()}-${randomUUID()}`,
-          "determinate-nix-shim:latest",
-        ],
+          `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
+        ]
+          .concat(plausibleDeterminateOptions)
+          .concat(mountArguments)
+          .concat(["determinate-nix-shim:latest"])
+          .concat(plausibleDeterminateArguments),
         {
           silent: true,
           listeners: {
@@ -665,10 +842,92 @@ class NixInstallerAction {
       }
     }
 
+    const maxDurationSeconds = 120;
+    const delayPerAttemptInMiliseconds = 50;
+    const maxAttempts =
+      (maxDurationSeconds * 1000) / delayPerAttemptInMiliseconds;
+    let didSucceed = false;
+
+    for (let attempt = 0; attempt <= maxAttempts; attempt += 1) {
+      if (await this.doesTheSocketExistYet()) {
+        didSucceed = true;
+        break;
+      }
+
+      await setTimeout(50);
+    }
+
+    if (!didSucceed) {
+      throw new Error("Timed out waiting for the Nix Daemon");
+    }
+
     actionsCore.endGroup();
 
     return;
   }
+
+  async doesTheSocketExistYet(): Promise<boolean> {
+    const socketPath = "/nix/var/nix/daemon-socket/socket";
+    try {
+      await stat(socketPath);
+      return true;
+    } catch (error: unknown) {
+      // eslint-disable-next-line no-undef
+      if ((error as NodeJS.ErrnoException).code === "ENOENT") {
+        actionsCore.debug(`Socket '${socketPath}' does not exist yet`);
+        return false;
+      }
+
+      actionsCore.warning(
+        `Error waiting for the Nix Daemon socket: ${stringifyError(error)}`,
+      );
+      this.recordEvent("docker-shim:wait-for-socket", {
+        exception: stringifyError(error),
+      });
+      throw error;
+    }
+  }
+
+  async summarizeExecution(): Promise<void> {
+    const startDate = new Date(actionsCore.getState(STATE_START_DATETIME));
+    const events = await getRecentEvents(startDate);
+
+    const mermaidSummary = makeMermaidReport(events);
+    const failureSummary = await summarizeFailures(events);
+
+    if (mermaidSummary || failureSummary) {
+      actionsCore.summary.addRaw(
+        `## ![](https://avatars.githubusercontent.com/u/80991770?s=30) Determinate Nix build summary`,
+        true,
+      );
+      actionsCore.summary.addRaw("\n", true);
+    }
+
+    if (mermaidSummary !== undefined) {
+      actionsCore.summary.addRaw(mermaidSummary, true);
+      actionsCore.summary.addRaw("\n", true);
+    }
+
+    if (failureSummary !== undefined) {
+      for (const logLine of failureSummary.logLines) {
+        actionsCore.info(logLine);
+      }
+
+      actionsCore.summary.addRaw(failureSummary.markdownLines.join("\n"), true);
+      actionsCore.summary.addRaw("\n", true);
+    }
+
+    if (mermaidSummary || failureSummary) {
+      actionsCore.summary.addRaw("---", true);
+      actionsCore.summary.addRaw(
+        `_Please let us know what you think about this summary on the [Determinate Systems Discord](https://determinate.systems/discord)._`,
+        true,
+      );
+      actionsCore.summary.addRaw("\n", true);
+      await actionsCore.summary.write();
+    }
+  }
+
   async cleanupDockerShim(): Promise<void> {
     const containerId = actionsCore.getState("docker_shim_container_id");
 
@@ -696,7 +955,7 @@ class NixInstallerAction {
       }
 
       if (cleaned) {
-        this.idslib.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
+        this.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
       } else {
         actionsCore.warning(
           "Giving up on cleaning up the nix daemon container",
@@ -710,13 +969,19 @@ class NixInstallerAction {
   async setGithubPath(): Promise<void> {
     // Interim versions of the `nix-installer` crate may have already manipulated `$GITHUB_PATH`, as root even! Accessing that will be an error.
     try {
-      const nixVarNixProfilePath = "/nix/var/nix/profiles/default/bin";
-      const homeNixProfilePath = `${process.env["HOME"]}/.nix-profile/bin`;
-      actionsCore.addPath(nixVarNixProfilePath);
-      actionsCore.addPath(homeNixProfilePath);
-      actionsCore.info(
-        `Added \`${nixVarNixProfilePath}\` and \`${homeNixProfilePath}\` to \`$GITHUB_PATH\``,
-      );
+      const paths = [];
+
+      if (this.determinate) {
+        paths.push("/usr/local/bin");
+      }
+
+      paths.push("/nix/var/nix/profiles/default/bin");
+      paths.push(`${process.env["HOME"]}/.nix-profile/bin`);
+
+      for (const p of paths) {
+        actionsCore.addPath(p);
+        actionsCore.debug(`Added \`${p}\` to \`$GITHUB_PATH\``);
+      }
     } catch {
       actionsCore.info(
         "Skipping setting $GITHUB_PATH in action, the `nix-installer` crate seems to have done this already. From `nix-installer` version 0.11.0 and up, this step is done in the action. Prior to 0.11.0, this was only done in the `nix-installer` binary.",
@@ -724,35 +989,47 @@ class NixInstallerAction {
     }
   }
 
-  async flakehubLogin(): Promise<string> {
-    this.idslib.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
-    const netrcPath = `${process.env["RUNNER_TEMP"]}/determinate-nix-installer-netrc`;
+  async flakehubLogin(): Promise<void> {
+    const canLogin =
+      process.env["ACTIONS_ID_TOKEN_REQUEST_URL"] &&
+      process.env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"];
 
-    const jwt = await actionsCore.getIDToken("api.flakehub.com");
+    if (!canLogin) {
+      const pr = github.context.payload.pull_request;
+      const base = pr?.base?.repo?.full_name;
+      const head = pr?.head?.repo?.full_name;
 
-    await writeFile(
-      netrcPath,
-      [
-        `machine api.flakehub.com login flakehub password ${jwt}`,
-        `machine flakehub.com login flakehub password ${jwt}`,
-      ].join("\n"),
-    );
+      if (pr && base !== head) {
+        actionsCore.info(
+          `Not logging in to FlakeHub: GitHub Actions does not allow OIDC authentication from forked repositories ("${head}" is not the same repository as "${base}").`,
+        );
+        return;
+      }
 
-    actionsCore.info("Logging in to FlakeHub.");
-
-    // the join followed by a match on ^... looks silly, but extra_config
-    // could contain multi-line values
-    if (this.extraConf?.join("\n").match(/^netrc-file/m)) {
-      actionsCore.warning(
-        "Logging in to FlakeHub conflicts with the Nix option `netrc-file`.",
+      actionsCore.info(
+        `Not logging in to FlakeHub: GitHub Actions has not provided OIDC token endpoints; please make sure that \`id-token: write\` and \`contents: read\` are set for this step's (or job's) permissions.`,
       );
+      actionsCore.info(
+        `For more information, see https://docs.determinate.systems/guides/github-actions/#nix-installer-action`,
+      );
+      return;
     }
 
-    return netrcPath;
+    actionsCore.startGroup("Logging in to FlakeHub");
+    this.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
+    try {
+      await actionsExec.exec(`determinate-nixd`, ["login", "github-action"]);
+    } catch (e: unknown) {
+      actionsCore.warning(`FlakeHub Login failure: ${stringifyError(e)}`);
+      this.recordEvent("flakehub-login:failure", {
+        exception: stringifyError(e),
+      });
+    }
+    actionsCore.endGroup();
   }
 
   async executeUninstall(): Promise<number> {
-    this.idslib.recordEvent(EVENT_UNINSTALL_NIX);
+    this.recordEvent(EVENT_UNINSTALL_NIX);
     const exitCode = await actionsExec.exec(
       `/nix/nix-installer`,
       ["uninstall"],
@@ -776,19 +1053,52 @@ class NixInstallerAction {
     try {
       await access(receiptPath);
       // There is a /nix/receipt.json
+      actionsCore.info(
+        "\u001b[32m Nix is already installed: found /nix/receipt.json \u001b[33m",
+      );
       return true;
     } catch {
       // No /nix/receipt.json
+    }
+
+    try {
+      const exitCode = await actionsExec.exec("nix", ["--version"], {});
+
+      if (exitCode === 0) {
+        actionsCore.info(
+          "\u001b[32m Nix is already installed: `nix --version` exited 0 \u001b[33m",
+        );
+        // Working existing installation of `nix` available, possibly a self-hosted runner
+        return true;
+      }
+    } catch {
+      // nix --version was not successful
+    }
+
+    return false;
+  }
+
+  private async canAccessKvm(): Promise<boolean> {
+    try {
+      await access("/dev/kvm", fs.constants.R_OK | fs.constants.W_OK);
+      return true;
+    } catch {
       return false;
     }
   }
 
   private async setupKvm(): Promise<boolean> {
-    this.idslib.recordEvent(EVENT_SETUP_KVM);
+    this.recordEvent(EVENT_SETUP_KVM);
     const currentUser = userInfo();
     const isRoot = currentUser.uid === 0;
     const maybeSudo = isRoot ? "" : "sudo";
 
+    // First check to see whether the current user can open the KVM device node
+    if (await this.canAccessKvm()) {
+      return true;
+    }
+
+    // The current user can't access KVM, so try adding a udev rule to allow access to all users and groups
     const kvmRules = "/etc/udev/rules.d/99-determinate-nix-installer-kvm.rules";
     try {
       const writeFileExitCode = await actionsExec.exec(
@@ -880,7 +1190,7 @@ class NixInstallerAction {
 
   private async fetchBinary(): Promise<string> {
     if (!this.localRoot) {
-      return await this.idslib.fetchExecutable();
+      return await this.fetchExecutable();
     } else {
       const localPath = join(this.localRoot, `nix-installer-${this.platform}`);
       actionsCore.info(`Using binary ${localPath}`);
@@ -890,60 +1200,57 @@ class NixInstallerAction {
 
   async reportOverall(): Promise<void> {
     try {
-      this.idslib.recordEvent(EVENT_CONCLUDE_WORKFLOW, {
-        conclusion: await this.getWorkflowConclusion(),
+      this.recordEvent(EVENT_CONCLUDE_JOB, {
+        conclusion: this.jobConclusion ?? "unknown",
       });
     } catch (e) {
       actionsCore.debug(`Error submitting post-run diagnostics report: ${e}`);
     }
   }
 
-  private async getWorkflowConclusion(): Promise<
-    undefined | "success" | "failure" | "cancelled" | "unavailable" | "no-jobs"
-  > {
-    if (this.githubToken == null) {
-      return undefined;
+  private get defaultPlanner(): string {
+    if (this.isMacOS) {
+      return "macos";
+    } else if (this.isLinux) {
+      return "linux";
+    } else {
+      throw new Error(
+        `Unsupported \`RUNNER_OS\` (currently \`${this.runnerOs}\`)`,
+      );
+    }
+  }
+
+  private async annotateMismatches(): Promise<void> {
+    if (!this.determinate) {
+      return;
+    }
+
+    const active = this.getFeature(FEAT_ANNOTATIONS)?.variant;
+    if (!active) {
+      actionsCore.debug("The annotations feature is disabled for this run");
+      return;
     }
 
     try {
-      const octokit = github.getOctokit(this.githubToken);
-      const jobs = await octokit.paginate(
-        octokit.rest.actions.listJobsForWorkflowRun,
-        {
-          owner: github.context.repo.owner,
-          repo: github.context.repo.repo,
-          /* eslint-disable camelcase */
-          run_id: github.context.runId,
-        },
-      );
+      actionsCore.debug("Getting hash fixes from determinate-nixd");
 
-      actionsCore.debug(`awaited jobs: ${jobs}`);
-      const job = jobs
-        .filter((candidate) => candidate.name === github.context.job)
-        .at(0);
-      if (job === undefined) {
-        return "no-jobs";
+      const since = actionsCore.getState(STATE_START_DATETIME);
+      const mismatches = await getFixHashes(since);
+      if (mismatches.version !== "v1") {
+        throw new Error(
+          `Unsupported \`determinate-nixd fix hashes\` output (got ${mismatches.version}, expected v1)`,
+        );
       }
 
-      const outcomes = (job.steps ?? []).map((j) => j.conclusion ?? "unknown");
-
-      // Possible values: success, failure, cancelled, or skipped
-      // from: https://docs.github.com/en/actions/learn-github-actions/contexts
-
-      if (outcomes.includes("failure")) {
-        // Any failures fails the job
-        return "failure";
-      }
-      if (outcomes.includes("cancelled")) {
-        // Any cancellations cancels the job
-        return "cancelled";
-      }
-
-      // Assume success if no jobs failed or were canceled
-      return "success";
-    } catch (e) {
-      actionsCore.debug(`Error determining final disposition: ${e}`);
-      return "unavailable";
+      actionsCore.debug("Annotating mismatches");
+      const count = annotateMismatches(mismatches);
+      this.recordEvent(EVENT_FOD_ANNOTATE, { count });
+    } catch (error) {
+      // Don't hard fail the action if something exploded; this feature is only a nice-to-have
+      actionsCore.warning(`Could not consume hash mismatch events: ${error}`);
+      this.recordEvent("annotation-mismatch-execution:error", {
+        exception: stringifyError(error),
+      });
     }
   }
 }
@@ -974,32 +1281,8 @@ type ExecuteEnvironment = {
   NIX_INSTALLER_LOGGER?: string;
 };
 
-function getDefaultPlanner(): string {
-  const envOs = process.env["RUNNER_OS"];
-
-  if (envOs === "macOS") {
-    return "macos";
-  } else if (envOs === "Linux") {
-    return "linux";
-  } else {
-    throw new Error(`Unsupported \`RUNNER_OS\` (currently \`${envOs}\`)`);
-  }
-}
-
 function main(): void {
-  const installer = new NixInstallerAction();
-
-  installer.idslib.onMain(async () => {
-    await installer.detectAndForceDockerShim();
-    await installer.install();
-  });
-
-  installer.idslib.onPost(async () => {
-    await installer.cleanupDockerShim();
-    await installer.reportOverall();
-  });
-
-  installer.idslib.execute();
+  new NixInstallerAction().execute();
 }
 
 main();

src/mermaid.test.ts

@@ -0,0 +1,171 @@
+import { mermaidify, makeMermaidReport } from "./mermaid.js";
+import { DEvent, parseEvents } from "./events.js";
+import { expect, test } from "vitest";
+
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+
+function generateEvents(count: number): DEvent[] {
+  const events: DEvent[] = [];
+
+  for (let i = 0; i < count; i++) {
+    events.push({
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: `/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-${i}.drv`,
+      timing: {
+        startTime: new Date(i * 1000),
+        durationSeconds: i,
+      },
+    });
+  }
+
+  return events;
+}
+
+test("Create a very large report doc and make sure it is small enough", () => {
+  {
+    const report = makeMermaidReport(generateEvents(2000))!;
+
+    // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
+    expect(report.match(/\.drv/g)!.length).equals(1);
+
+    // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
+    expect(report.match(/\/nix\/store\//g)!.length).equals(1);
+
+    // Assert that some events were pruned
+    expect(report.match(/dep-/g)!.length).lessThan(2000);
+    expect(report.match(/dep-/g)!.length).greaterThan(1500);
+
+    expect(report).toContain("suffix, and builds that took less than 3");
+
+    expect(report.length).lessThan(50200);
+    expect(report.length).greaterThan(49000);
+  }
+});
+
+test("Create a medium large report doc and make sure it is small enough", () => {
+  {
+    const eventCount = 675;
+    const report = makeMermaidReport(generateEvents(eventCount))!;
+
+    // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
+    expect(report.match(/\.drv/g)!.length).equals(1);
+
+    // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
+    expect(report.match(/\/nix\/store\//g)!.length).equals(1);
+
+    // Assert that no lines were pruned
+    expect(report.match(/dep-/g)!.length).toStrictEqual(eventCount);
+
+    expect(report).toContain(
+      "suffixes have been removed to make the graph small enough to render",
+    );
+
+    expect(report.length).lessThan(50200);
+    expect(report.length).greaterThan(18000);
+  }
+});
+
+test("Create a small report doc and make sure it isn't pruned", () => {
+  {
+    const report = makeMermaidReport(generateEvents(100))!;
+
+    // Assert 100 events have the `.drv` suffix, ie: were not pruned
+    expect(report.match(/\.drv/g)!.length).equals(100);
+
+    // Assert 100 events have the `.drv` suffix, ie: were not pruned
+    expect(report.match(/\/nix\/store\//g)!.length).equals(100);
+
+    expect(report.length).lessThan(50000);
+  }
+});
+
+test("Generate a really big report and shrink it", () => {
+  const events = generateEvents(1000);
+
+  const originalLength = mermaidify(events, -1)!.length;
+  const limitedLengthZero = mermaidify(events, 0)!.length;
+  const limitedLengthOne = mermaidify(events, 1)!.length;
+  const limitedLengthTwo = mermaidify(events, 2)!.length;
+
+  expect(originalLength).greaterThan(limitedLengthZero);
+  expect(limitedLengthZero).greaterThan(limitedLengthOne);
+  expect(limitedLengthOne).greaterThan(limitedLengthTwo);
+});
+
+test("Generate a rough report of various length", () => {
+  const events = parseEvents([
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-0.drv",
+      outputs: ["/nix/store/qwlgz5da3pfb53gqpgdmazaj9jczrnly-dep-0"],
+      timing: {
+        startTime: "2025-04-11T14:38:02Z",
+        stopTime: "2025-04-11T14:38:05Z",
+        durationSeconds: 0,
+      },
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv",
+      outputs: ["/nix/store/qwlgz5da3pfb53gqpgdmazaj9jczrnly-dep-1"],
+      timing: {
+        startTime: "2025-04-11T14:38:02Z",
+        stopTime: "2025-04-11T14:38:05Z",
+        durationSeconds: 1,
+      },
+    },
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-2.drv",
+      outputs: ["/nix/store/qwlgz5da3pfb53gqpgdmazaj9jczrnly-dep-2"],
+      timing: {
+        startTime: "2025-04-11T14:38:02Z",
+        stopTime: "2025-04-11T14:38:05Z",
+        durationSeconds: 2,
+      },
+    },
+    {
+      v: "1",
+      c: "BuildFailureResponseEventV1",
+      drv: "/nix/store/ykvbksjqrza2zpj6nkbycrdfwgfdpr8g-hash-mismatch-md5-base16.drv",
+      timing: {
+        startTime: "2025-04-11T14:38:05Z",
+        stopTime: "2025-04-11T14:38:09Z",
+        durationSeconds: 4,
+      },
+    },
+  ]);
+
+  expect(mermaidify(events, -1)).toStrictEqual(`\`\`\`mermaid
+gantt
+    dateFormat X
+    axisFormat %Mm%Ss
+/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-0.drv (0s):d, 0, 0s
+/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-1.drv (1s):d, 0, 1s
+/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-2.drv (2s):d, 0, 2s
+/nix/store/ykvbksjqrza2zpj6nkbycrdfwgfdpr8g-hash-mismatch-md5-base16.drv (4s):crit, 3, 4s
+\`\`\``);
+
+  expect(mermaidify(events, 0)).toStrictEqual(`\`\`\`mermaid
+gantt
+    dateFormat X
+    axisFormat %Mm%Ss
+dep-0 (0s):d, 0, 0s
+dep-1 (1s):d, 0, 1s
+dep-2 (2s):d, 0, 2s
+hash-mismatch-md5-base16 (4s):crit, 3, 4s
+\`\`\``);
+
+  expect(mermaidify(events, 1)).toStrictEqual(`\`\`\`mermaid
+gantt
+    dateFormat X
+    axisFormat %Mm%Ss
+dep-1 (1s):d, 0, 1s
+dep-2 (2s):d, 0, 2s
+hash-mismatch-md5-base16 (4s):crit, 3, 4s
+\`\`\``);
+});

src/mermaid.ts

@@ -0,0 +1,90 @@
+import { DEvent } from "./events.js";
+import { truncateDerivation } from "./util.js";
+
+export function makeMermaidReport(events: DEvent[]): string | undefined {
+  // # 50k is the max: https://github.com/mermaid-js/mermaid/blob/c269dc822c528e1afbde34e18a1cad03d972d4fe/src/defaultConfig.js#L55
+  const maxLength = 49900;
+  let mermaid = "";
+  let pruneLevel = -2;
+
+  do {
+    pruneLevel += 1;
+    mermaid = mermaidify(events, pruneLevel) ?? "";
+  } while (mermaid.length > maxLength);
+
+  if (mermaid === undefined) {
+    return undefined;
+  }
+
+  const lines = [
+    "<details open><summary><strong>Build timeline</strong> :hourglass_flowing_sand:</summary>",
+    "", // load bearing whitespace, deleting it breaks the details expander / markdown
+    mermaid,
+    "", // load bearing whitespace, deleting it breaks the details expander / markdown
+  ];
+
+  if (pruneLevel === 0) {
+    lines.push("> [!NOTE]");
+    lines.push(
+      "> `/nix/store/[hash]` and the `.drv` suffixes have been removed to make the graph small enough to render.",
+    );
+  } else if (pruneLevel > 0) {
+    lines.push("> [!NOTE]");
+    lines.push(
+      `> \`/nix/store/[hash]\`, the \`.drv\` suffix, and builds that took less than ${pruneLevel}s have been removed to make the graph small enough to render.`,
+    );
+  }
+
+  lines.push(""); // load bearing whitespace, deleting it breaks the details expander / markdown
+  lines.push("</details>");
+
+  return lines.join("\n");
+}
+
+export function mermaidify(
+  allEvents: DEvent[],
+  pruneLevel: number,
+): string | undefined {
+  const events = allEvents
+    .filter(
+      (event) =>
+        event.c === "BuiltPathResponseEventV1" ||
+        event.c === "BuildFailureResponseEventV1",
+    )
+    .sort(
+      (a, b) => a.timing.startTime.getTime() - b.timing.startTime.getTime(),
+    );
+
+  const firstEvent = events.at(0);
+  if (firstEvent === undefined) {
+    return undefined;
+  }
+
+  const zeroMoment = firstEvent.timing.startTime.getTime();
+
+  const lines = [
+    "```mermaid",
+    "gantt",
+    "    dateFormat X",
+    "    axisFormat %Mm%Ss",
+  ];
+
+  for (const event of events) {
+    const duration = event.timing.durationSeconds;
+    if (duration < pruneLevel) {
+      continue;
+    }
+
+    const label = pruneLevel >= 0 ? truncateDerivation(event.drv) : event.drv;
+    const tag = event.c === "BuildFailureResponseEventV1" ? "crit" : "d";
+    const relativeStartTime =
+      (event.timing.startTime.getTime() - zeroMoment) / 1000;
+
+    lines.push(
+      `${label} (${duration}s):${tag}, ${relativeStartTime}, ${duration}s`,
+    );
+  }
+  lines.push("```");
+
+  return lines.join("\n");
+}

src/util.ts

@@ -0,0 +1,3 @@
+export function truncateDerivation(drv: string): string {
+  return drv.replace(/^\/nix\/store\/[a-z0-9]+-/, "").replace(/\.drv$/, "");
+}

tsconfig.json

@@ -1,6 +1,6 @@
 {
   "compilerOptions": {
-    "target": "ES2020" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
+    "target": "ES2022" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
     "module": "Node16",
     "moduleResolution": "NodeNext",
     "outDir": "./dist",
@@ -11,5 +11,5 @@
     "resolveJsonModule": true,
     "declaration": true
   },
-  "exclude": ["node_modules", "**/*.test.ts", "dist"]
+  "exclude": ["node_modules", "dist"]
 }