Log in to flakehub on existing installs (#129 )

* Log in to flakehub if the machine is already installed * Put the nix store paths first (in the PATH) * set the path earlier * Warn on login failures
Update detsys-ts for: Merge pull request #67 from DeterminateSystems/allow-obliterating-id-token-privs (4280bc94c9545f31ccf08001cc16f20ccb91b770) (#128 )
2024-11-14 11:41:23 -05:00 · 2024-11-06 14:54:15 -05:00 · 2024-10-03 11:40:44 -04:00 · 2024-09-13 12:36:49 -07:00
6 changed files with 2336 additions and 3358 deletions
@@ -11,9 +11,9 @@ jobs:
    runs-on: ubuntu-22.04
    needs:
      - check-dist-up-to-date
-      - install-nix-linux
-      - install-nix-macos
+      - install-nix
      - install-with-non-default-source-inputs
+      - install-no-id-token
    # NOTE(cole-h): GitHub treats "skipped" as "OK" for the purposes of required checks on branch
    # protection, so we take advantage of this fact and fail if any of the dependent actions failed,
    # or "skip" (which is a success for GHA's purposes) if none of them did.
@@ -44,14 +44,21 @@ jobs:
      - name: Ensure no staged changes
        run: git diff --exit-code

-  install-nix-linux:
-    name: Run test suite for Linux systems
+  install-nix:
+    name: "Test: ${{ matrix.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
    strategy:
      matrix:
        runner:
          - ubuntu-latest
          - nscloud-ubuntu-22.04-amd64-4x16
          - namespace-profile-default-arm64
+          # - macos-12-large # determinate-nixd is broken on macos-12
+          - macos-13-large
+          - macos-14-large
+          - macos-14-xlarge # arm64
+        determinate:
+          - true
+          - false
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
@@ -65,6 +72,7 @@ jobs:
          log-directives: nix_installer=trace
          backtrace: full
          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
      - name: echo $PATH
        run: echo $PATH

@@ -82,85 +90,6 @@ jobs:
          nix store gc
          nix run nixpkgs#hello

-      - name: Test bash
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: bash --login {0}
-      - name: Test sh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
-        if: success() || failure()
-        shell: sh -l {0}
-      - name: Install Nix again (noop)
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-          _internal-strict-mode: true
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Reinstall Nix
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-          reinstall: true
-          extra-conf: |
-            use-sqlite-wal = true
-          _internal-strict-mode: true
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
-      - name: Verify the generated nix.conf
-        run: |
-          cat -n /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
-
-  install-nix-macos:
-    name: Run test suite for macOS systems
-    strategy:
-      matrix:
-        runner:
-          # x86_64-darwin
-          - macos-12
-          # aarch64-darwin
-          - macos-latest-xlarge
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install Nix
-        uses: ./
-        with:
-          logger: pretty
-          log-directives: nix_installer=trace
-          backtrace: full
-          _internal-strict-mode: true
-      - name: echo $PATH
-        run: echo $PATH
-      - name: Test `nix` with `$GITHUB_PATH`
-        if: success() || failure()
-        run: |
-          nix run nixpkgs#hello
-          nix profile install nixpkgs#hello
-          hello
-          nix store gc
-          nix run nixpkgs#hello
      - name: Test bash
        run: nix-instantiate -E 'builtins.currentTime' --eval
        if: success() || failure()
@@ -170,9 +99,8 @@ jobs:
        if: success() || failure()
        shell: sh -l {0}
      - name: Test zsh
-        run: nix-instantiate -E 'builtins.currentTime' --eval
+        run: if (zsh --help > /dev/null); then zsh --login --interactive -c "nix-instantiate -E 'builtins.currentTime' --eval"; fi
        if: success() || failure()
-        shell: zsh --login --interactive {0}
      - name: Install Nix again (noop)
        uses: ./
        with:
@@ -180,6 +108,7 @@ jobs:
          log-directives: nix_installer=trace
          backtrace: full
          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
      - name: Test `nix` with `$GITHUB_PATH`
        if: success() || failure()
        run: |
@@ -198,6 +127,7 @@ jobs:
          extra-conf: |
            use-sqlite-wal = true
          _internal-strict-mode: true
+          determinate: ${{ matrix.determinate }}
      - name: Test `nix` with `$GITHUB_PATH`
        if: success() || failure()
        run: |
@@ -208,9 +138,10 @@ jobs:
          nix run nixpkgs#hello
      - name: Verify the generated nix.conf
        run: |
-          cat /etc/nix/nix.conf
-          grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
-          grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
+          nix config show
+          cat -n /etc/nix/nix.conf
+          nix config show | grep -E "^trusted-users = .*$USER"
+          nix config show | grep -E "^use-sqlite-wal = true"

  install-with-non-default-source-inputs:
    name: Install Nix using non-default source-${{ matrix.inputs.key }}
@@ -236,3 +167,13 @@ jobs:
          _internal-strict-mode: true
      - name: Ensure that the expected Nix version ${{ matrix.inputs.nix-version }} is installed via alternative source-${{ matrix.inputs.key }}
        run: .github/verify-version.sh ${{ matrix.inputs.nix-version }}
+
+  install-no-id-token:
+    name: Install Nix without an ID token
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./
+        with:
+          _internal-strict-mode: true
+          determinate: true
@@ -34,7 +34,7 @@ jobs:

 ### With FlakeHub

-To fetch private flakes from FlakeHub, update the `permissions` block and pass `flakehub: true`:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and pass `determinate: true`:

 ```yaml
 on:
@@ -53,7 +53,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
-          flakehub: true
+          determinate: true
      - run: nix build .
 ```

@@ -85,9 +85,10 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | Parameter               | Description                                                                                                                                                                                                                                                                    | Type                                       | Default                                                        |
 | :---------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :------------------------------------------------------------- |
 | `backtrace`             | The setting for [`RUST_BACKTRACE`][backtrace]                                                                                                                                                                                                                                  | string                                     |                                                                |
+| `determinate`           | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.                                                                                                                                      | Boolean                                    | `false`                                                        |
 | `extra-args`            | Extra arguments to pass to the planner (prefer using structured `with:` arguments unless using a custom [planner]!)                                                                                                                                                            | string                                     |                                                                |
 | `extra-conf`            | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)                                                                                                                                | string                                     |                                                                |
-| `flakehub`              | Log in to FlakeHub to pull private flakes using the GitHub Actions [JSON Web Token](https://jwt.io) (JWT), which is bound to the `api.flakehub.com` audience.                                                                                                                  | Boolean                                    | `false`                                                        |
+| `flakehub`              | Deprecated. Implies `determinate`.                                                                                                                                                                                                                                             | Boolean                                    | `false`                                                        |
 | `force-docker-shim`     | Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.                                                                                                                                                                         | Boolean                                    | `false`                                                        |
 | `github-token`          | A [GitHub token] for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)                                                                                                                                                        | string                                     | `${{ github.token }}`                                          |
 | `github-server-url`     | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | string                                     | `${{ github.server }}`                                         |
@@ -7,6 +7,10 @@ inputs:
  backtrace:
    description: The setting for `RUST_BACKTRACE` (see https://doc.rust-lang.org/std/backtrace/index.html#environment-variables)
    required: false
+  determinate:
+    description: |
+      Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.
+    default: false
  extra-args:
    description: Extra args to pass to the planner (prefer using structured `with:` arguments unless using a custom planner!)
    required: false
@@ -14,7 +18,7 @@ inputs:
    description: Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)
    required: false
  flakehub:
-    description: Automatically log in to your [FlakeHub](https://flakehub.com) account, for accessing private flakes.
+    description: Deprecated. Implies `determinate`.
    required: false
    default: false
  force-docker-shim:
@@ -30,6 +34,9 @@ inputs:
  init:
    description: "The init system to configure, requires `planner: linux-multi` (allowing the choice between `none` or `systemd`)"
    required: false
+  job-status:
+    description: The overall status of the job. Set automatically, for aggregate analysis of Nix stability.
+    default: ${{ job.status }}
  kvm:
    description: Automatically configure the GitHub Actions Runner for NixOS test supports, if the host supports it.
    required: false
@@ -16,7 +16,7 @@ dependencies:
    version: 5.1.1
  detsys-ts:
    specifier: github:DeterminateSystems/detsys-ts
-    version: github.com/DeterminateSystems/detsys-ts/65dd73c562ac60a068340f8e0c040bdcf2c59afe
+    version: github.com/DeterminateSystems/detsys-ts/4280bc94c9545f31ccf08001cc16f20ccb91b770
  got:
    specifier: ^14.3.0
    version: 14.3.0
@@ -96,6 +96,16 @@ packages:
      uuid: 8.3.2
    dev: false

+  /@actions/core@1.11.1:
+    resolution:
+      {
+        integrity: sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==,
+      }
+    dependencies:
+      "@actions/exec": 1.1.1
+      "@actions/http-client": 2.2.3
+    dev: false
+
  /@actions/exec@1.1.1:
    resolution:
      {
@@ -139,6 +149,16 @@ packages:
      undici: 5.28.4
    dev: false

+  /@actions/http-client@2.2.3:
+    resolution:
+      {
+        integrity: sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==,
+      }
+    dependencies:
+      tunnel: 0.0.6
+      undici: 5.28.4
+    dev: false
+
  /@actions/io@1.1.3:
    resolution:
      {
@@ -1270,10 +1290,10 @@ packages:
    engines: { node: ">=16" }
    dev: false

-  /@sindresorhus/is@7.0.0:
+  /@sindresorhus/is@7.0.1:
    resolution:
      {
-        integrity: sha512-WDTlVTyvFivSOuyvMeedzg2hdoBLZ3f1uNVuEida2Rl9BrfjrIRjWA/VZIrMRLvSwJYCAlCRA3usDt1THytxWQ==,
+        integrity: sha512-QWLl2P+rsCJeofkDNIT3WFmb6NrRud1SUYW8dIhXK/46XFV8Q/g7Bsvib0Askb0reRLe+WYPeeE+l5cH7SlkuQ==,
      }
    engines: { node: ">=18" }
    dev: false
@@ -1467,7 +1487,7 @@ packages:
      "@typescript-eslint/types": 7.18.0
      "@typescript-eslint/typescript-estree": 7.18.0(typescript@5.4.5)
      "@typescript-eslint/visitor-keys": 7.18.0
-      debug: 4.3.6
+      debug: 4.3.7
      eslint: 8.57.0
      typescript: 5.4.5
    transitivePeerDependencies:
@@ -1574,12 +1594,12 @@ packages:
    dependencies:
      "@typescript-eslint/types": 7.18.0
      "@typescript-eslint/visitor-keys": 7.18.0
-      debug: 4.3.6
+      debug: 4.3.7
      globby: 11.1.0
      is-glob: 4.0.3
      minimatch: 9.0.5
      semver: 7.6.3
-      ts-api-utils: 1.3.0(typescript@5.4.5)
+      ts-api-utils: 1.4.0(typescript@5.4.5)
      typescript: 5.4.5
    transitivePeerDependencies:
      - supports-color
@@ -2213,10 +2233,10 @@ packages:
      ms: 2.1.2
    dev: true

-  /debug@4.3.6:
+  /debug@4.3.7:
    resolution:
      {
-        integrity: sha512-O/09Bd4Z1fBrU4VzkhFqVgpPzaGbw6Sm9FEkBT1A/YBXQFGuuSxa1dN2nxgxS34JmKXqYx8CZAwEVoJFImUXIg==,
+        integrity: sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==,
      }
    engines: { node: ">=6.0" }
    peerDependencies:
@@ -2225,7 +2245,7 @@ packages:
      supports-color:
        optional: true
    dependencies:
-      ms: 2.1.2
+      ms: 2.1.3
    dev: true

  /decompress-response@6.0.0:
@@ -3448,14 +3468,14 @@ packages:
      responselike: 3.0.0
    dev: false

-  /got@14.4.2:
+  /got@14.4.4:
    resolution:
      {
-        integrity: sha512-+Te/qEZ6hr7i+f0FNgXx/6WQteSM/QqueGvxeYQQFm0GDfoxLVJ/oiwUKYMTeioColWUTdewZ06hmrBjw6F7tw==,
+        integrity: sha512-tqiF7eSgTBwQkxb1LxsEpva8TaMYVisbhplrFVmw9GQE3855Z+MH/mnsXLLOkDxR6hZJRFMj5VTAZ8lmTF8ZOA==,
      }
    engines: { node: ">=20" }
    dependencies:
-      "@sindresorhus/is": 7.0.0
+      "@sindresorhus/is": 7.0.1
      "@szmarczak/http-timer": 5.0.1
      cacheable-lookup: 7.0.0
      cacheable-request: 12.0.1
@@ -3465,7 +3485,7 @@ packages:
      lowercase-keys: 3.0.0
      p-cancelable: 4.0.1
      responselike: 3.0.0
-      type-fest: 4.23.0
+      type-fest: 4.26.1
    dev: false

  /graceful-fs@4.2.11:
@@ -5256,6 +5276,18 @@ packages:
      typescript: 5.4.5
    dev: true

+  /ts-api-utils@1.4.0(typescript@5.4.5):
+    resolution:
+      {
+        integrity: sha512-032cPxaEKwM+GT3vA5JXNzIaizx388rhsSW79vGRNGXfRRAdEAn2mvk36PvK5HnOchyWZ7afLEXqYCvPCrzuzQ==,
+      }
+    engines: { node: ">=16" }
+    peerDependencies:
+      typescript: ">=4.2.0"
+    dependencies:
+      typescript: 5.4.5
+    dev: true
+
  /ts-interface-checker@0.1.13:
    resolution:
      {
@@ -5356,10 +5388,10 @@ packages:
    engines: { node: ">=10" }
    dev: true

-  /type-fest@4.23.0:
+  /type-fest@4.26.1:
    resolution:
      {
-        integrity: sha512-ZiBujro2ohr5+Z/hZWHESLz3g08BBdrdLMieYFULJO+tWc437sn8kQsWLJoZErY8alNhxre9K4p3GURAG11n+w==,
+        integrity: sha512-yOGpmOAL7CkKe/91I5O3gPICmJNLJ1G4zFYVAsRHg7M64biSnPtRj0WNQt++bRkjYOqjWXrhnUw1utzmVErAdg==,
      }
    engines: { node: ">=16" }
    dev: false
@@ -5685,19 +5717,19 @@ packages:
    engines: { node: ">=10" }
    dev: true

-  github.com/DeterminateSystems/detsys-ts/65dd73c562ac60a068340f8e0c040bdcf2c59afe:
+  github.com/DeterminateSystems/detsys-ts/4280bc94c9545f31ccf08001cc16f20ccb91b770:
    resolution:
      {
-        tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/65dd73c562ac60a068340f8e0c040bdcf2c59afe,
+        tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/4280bc94c9545f31ccf08001cc16f20ccb91b770,
      }
    name: detsys-ts
    version: 1.0.0
    dependencies:
      "@actions/cache": 3.2.4
-      "@actions/core": 1.10.1
+      "@actions/core": 1.11.1
      "@actions/exec": 1.1.1
-      got: 14.4.2
-      type-fest: 4.23.0
+      got: 14.4.4
+      type-fest: 4.26.1
    transitivePeerDependencies:
      - encoding
    dev: false
@@ -1,7 +1,6 @@
 import * as actionsCore from "@actions/core";
-import * as github from "@actions/github";
 import * as actionsExec from "@actions/exec";
-import { access, writeFile, readFile, mkdir } from "node:fs/promises";
+import { access, readFile } from "node:fs/promises";
 import { join } from "node:path";
 import fs from "node:fs";
 import { userInfo } from "node:os";
@@ -26,34 +25,32 @@ const EVENT_START_DOCKER_SHIM = "start_docker_shim";
 const EVENT_LOGIN_TO_FLAKEHUB = "login_to_flakehub";

 // Other events
-const EVENT_CONCLUDE_WORKFLOW = "conclude_workflow";
+const EVENT_CONCLUDE_JOB = "conclude_job";

 // Facts
+const FACT_DETERMINATE_NIX = "determinate_nix";
 const FACT_HAS_DOCKER = "has_docker";
 const FACT_HAS_SYSTEMD = "has_systemd";
 const FACT_IN_ACT = "in_act";
 const FACT_IN_NAMESPACE_SO = "in_namespace_so";
 const FACT_NIX_INSTALLER_PLANNER = "nix_installer_planner";

-type WorkflowConclusion =
-  | "success"
-  | "failure"
-  | "cancelled"
-  | "unavailable"
-  | "no-jobs";
+// Flags
+const FLAG_DETERMINATE = "--determinate";

 class NixInstallerAction extends DetSysAction {
+  determinate: boolean;
  platform: string;
  nixPackageUrl: string | null;
  backtrace: string | null;
  extraArgs: string | null;
  extraConf: string[] | null;
-  flakehub: boolean;
  kvm: boolean;
  githubServerUrl: string | null;
  githubToken: string | null;
  forceDockerShim: boolean;
  init: string | null;
+  jobConclusion: string | null;
  localRoot: string | null;
  logDirectives: string | null;
  logger: string | null;
@@ -84,17 +81,19 @@ class NixInstallerAction extends DetSysAction {
      diagnosticsSuffix: "diagnostic",
    });

+    this.determinate =
+      inputs.getBool("determinate") || inputs.getBool("flakehub");
    this.platform = platform.getNixPlatform(platform.getArchOs());
    this.nixPackageUrl = inputs.getStringOrNull("nix-package-url");
    this.backtrace = inputs.getStringOrNull("backtrace");
    this.extraArgs = inputs.getStringOrNull("extra-args");
    this.extraConf = inputs.getMultilineStringOrNull("extra-conf");
-    this.flakehub = inputs.getBool("flakehub");
    this.kvm = inputs.getBool("kvm");
    this.forceDockerShim = inputs.getBool("force-docker-shim");
    this.githubToken = inputs.getStringOrNull("github-token");
    this.githubServerUrl = inputs.getStringOrNull("github-server-url");
    this.init = inputs.getStringOrNull("init");
+    this.jobConclusion = inputs.getStringOrNull("job-status");
    this.localRoot = inputs.getStringOrNull("local-root");
    this.logDirectives = inputs.getStringOrNull("log-directives");
    this.logger = inputs.getStringOrNull("logger");
@@ -519,15 +518,6 @@ class NixInstallerAction extends DetSysAction {
      }
      extraConf += "\n";
    }
-    if (this.flakehub) {
-      try {
-        const flakeHubNetrcFile = await this.flakehubLogin();
-        extraConf += `netrc-file = ${flakeHubNetrcFile}`;
-        extraConf += "\n";
-      } catch (e) {
-        actionsCore.warning(`Failed to set up FlakeHub: ${e}`);
-      }
-    }
    if (this.extraConf !== null && this.extraConf.length !== 0) {
      extraConf += this.extraConf.join("\n");
      extraConf += "\n";
@@ -553,13 +543,9 @@ class NixInstallerAction extends DetSysAction {
    return executionEnv;
  }

-  private async executeInstall(binaryPath: string): Promise<number> {
-    const executionEnv = await this.executionEnvironment();
-    actionsCore.debug(
-      `Execution environment: ${JSON.stringify(executionEnv, null, 4)}`,
-    );
-
+  private get installerArgs(): string[] {
    const args = ["install"];
+
    if (this.planner) {
      this.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
      args.push(this.planner);
@@ -573,8 +559,33 @@ class NixInstallerAction extends DetSysAction {
      args.push(...extraArgs);
    }

+    if (this.determinate) {
+      this.addFact(FACT_DETERMINATE_NIX, true);
+
+      actionsCore.info(
+        `Installing Determinate Nix using the ${FLAG_DETERMINATE} flag`,
+      );
+
+      if (!this.extraArgs) {
+        args.push(FLAG_DETERMINATE);
+      }
+
+      if (this.extraArgs && !this.extraArgs.includes(FLAG_DETERMINATE)) {
+        args.push(FLAG_DETERMINATE);
+      }
+    }
+
+    return args;
+  }
+
+  private async executeInstall(binaryPath: string): Promise<number> {
+    const executionEnv = await this.executionEnvironment();
+    actionsCore.debug(
+      `Execution environment: ${JSON.stringify(executionEnv, null, 4)}`,
+    );
+
    this.recordEvent(EVENT_INSTALL_NIX_START);
-    const exitCode = await actionsExec.exec(binaryPath, args, {
+    const exitCode = await actionsExec.exec(binaryPath, this.installerArgs, {
      env: {
        ...executionEnv,
        ...process.env, // To get $PATH, etc
@@ -603,8 +614,13 @@ class NixInstallerAction extends DetSysAction {
        );
        await this.executeUninstall();
      } else {
-        // We're already installed, and not reinstalling, just set GITHUB_PATH and finish early
+        // We're already installed, and not reinstalling, just log in to FlakeHub, set GITHUB_PATH and finish early
        await this.setGithubPath();
+
+        if (this.determinate) {
+          await this.flakehubLogin();
+        }
+
        actionsCore.info("Nix was already installed, using existing install");
        return;
      }
@@ -623,7 +639,6 @@ class NixInstallerAction extends DetSysAction {
      }
    }

-    // Normal just doing of the install
    actionsCore.startGroup("Installing Nix");
    const binaryPath = await this.fetchBinary();
    await this.executeInstall(binaryPath);
@@ -632,7 +647,12 @@ class NixInstallerAction extends DetSysAction {
    if (this.forceDockerShim) {
      await this.spawnDockerShim();
    }
+
    await this.setGithubPath();
+
+    if (this.determinate) {
+      await this.flakehubLogin();
+    }
  }

  async spawnDockerShim(): Promise<void> {
@@ -714,6 +734,10 @@ class NixInstallerAction extends DetSysAction {
          dir: "/tmp",
          readOnly: false,
        },
+        {
+          dir: "/usr",
+          readOnly: true,
+        },
        {
          dir: "/nix",
          readOnly: false,
@@ -737,6 +761,14 @@ class NixInstallerAction extends DetSysAction {
        }
      }

+      const plausibleDeterminateOptions = [];
+      const plausibleDeterminateArguments = [];
+      if (this.determinate) {
+        plausibleDeterminateOptions.push("--entrypoint");
+        plausibleDeterminateOptions.push("/usr/local/bin/determinate-nixd");
+        plausibleDeterminateArguments.push("daemon");
+      }
+
      this.recordEvent(EVENT_START_DOCKER_SHIM);
      const exitCode = await actionsExec.exec(
        "docker",
@@ -754,8 +786,10 @@ class NixInstallerAction extends DetSysAction {
          "--name",
          `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
        ]
+          .concat(plausibleDeterminateOptions)
          .concat(mountArguments)
-          .concat(["determinate-nix-shim:latest"]),
+          .concat(["determinate-nix-shim:latest"])
+          .concat(plausibleDeterminateArguments),
        {
          silent: true,
          listeners: {
@@ -830,13 +864,19 @@ class NixInstallerAction extends DetSysAction {
  async setGithubPath(): Promise<void> {
    // Interim versions of the `nix-installer` crate may have already manipulated `$GITHUB_PATH`, as root even! Accessing that will be an error.
    try {
-      const nixVarNixProfilePath = "/nix/var/nix/profiles/default/bin";
-      const homeNixProfilePath = `${process.env["HOME"]}/.nix-profile/bin`;
-      actionsCore.addPath(nixVarNixProfilePath);
-      actionsCore.addPath(homeNixProfilePath);
-      actionsCore.info(
-        `Added \`${nixVarNixProfilePath}\` and \`${homeNixProfilePath}\` to \`$GITHUB_PATH\``,
-      );
+      const paths = [];
+
+      if (this.determinate) {
+        paths.push("/usr/local/bin");
+      }
+
+      paths.push("/nix/var/nix/profiles/default/bin");
+      paths.push(`${process.env["HOME"]}/.nix-profile/bin`);
+
+      for (const p of paths) {
+        actionsCore.addPath(p);
+        actionsCore.debug(`Added \`${p}\` to \`$GITHUB_PATH\``);
+      }
    } catch {
      actionsCore.info(
        "Skipping setting $GITHUB_PATH in action, the `nix-installer` crate seems to have done this already. From `nix-installer` version 0.11.0 and up, this step is done in the action. Prior to 0.11.0, this was only done in the `nix-installer` binary.",
@@ -844,38 +884,23 @@ class NixInstallerAction extends DetSysAction {
    }
  }

-  async flakehubLogin(): Promise<string> {
-    this.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
-    const netrcPath = `${process.env["RUNNER_TEMP"]}/determinate-nix-installer-netrc`;
-
-    const jwt = await actionsCore.getIDToken("api.flakehub.com");
-
-    await writeFile(
-      netrcPath,
-      [
-        `machine api.flakehub.com login flakehub password ${jwt}`,
-        `machine cache.flakehub.com login flakehub password ${jwt}`,
-        `machine flakehub.com login flakehub password ${jwt}`,
-      ].join("\n"),
-    );
-
-    const flakehubAuthDir = `${process.env["XDG_CONFIG_HOME"] || `${process.env["HOME"]}/.config`}/flakehub`;
-    await mkdir(flakehubAuthDir, { recursive: true });
-    const flakehubAuthPath = `${flakehubAuthDir}/auth`;
-
-    await writeFile(flakehubAuthPath, jwt);
-
-    actionsCore.info("Logging in to FlakeHub.");
-
-    // the join followed by a match on ^... looks silly, but extra_config
-    // could contain multi-line values
-    if (this.extraConf?.join("\n").match(/^netrc-file/m)) {
-      actionsCore.warning(
-        "Logging in to FlakeHub conflicts with the Nix option `netrc-file`.",
-      );
+  async flakehubLogin(): Promise<void> {
+    if (
+      process.env["ACTIONS_ID_TOKEN_REQUEST_URL"] &&
+      process.env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
+    ) {
+      actionsCore.startGroup("Logging in to FlakeHub");
+      this.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
+      try {
+        await actionsExec.exec(`determinate-nixd`, ["login", "github-action"]);
+      } catch (e: unknown) {
+        actionsCore.warning(`FlakeHub Login failure: ${stringifyError(e)}`);
+        this.recordEvent("flakehub-login:failure", {
+          exception: stringifyError(e),
+        });
+      }
+      actionsCore.endGroup();
    }
-
-    return netrcPath;
  }

  async executeUninstall(): Promise<number> {
@@ -1017,63 +1042,14 @@ class NixInstallerAction extends DetSysAction {

  async reportOverall(): Promise<void> {
    try {
-      this.recordEvent(EVENT_CONCLUDE_WORKFLOW, {
-        conclusion: await this.getWorkflowConclusion(),
+      this.recordEvent(EVENT_CONCLUDE_JOB, {
+        conclusion: this.jobConclusion ?? "unknown",
      });
    } catch (e) {
      actionsCore.debug(`Error submitting post-run diagnostics report: ${e}`);
    }
  }

-  private async getWorkflowConclusion(): Promise<
-    undefined | WorkflowConclusion
-  > {
-    if (this.githubToken == null) {
-      return undefined;
-    }
-
-    try {
-      const octokit = github.getOctokit(this.githubToken);
-      const jobs = await octokit.paginate(
-        octokit.rest.actions.listJobsForWorkflowRun,
-        {
-          owner: github.context.repo.owner,
-          repo: github.context.repo.repo,
-          /* eslint-disable camelcase */
-          run_id: github.context.runId,
-        },
-      );
-
-      actionsCore.debug(`awaited jobs: ${jobs}`);
-      const job = jobs
-        .filter((candidate) => candidate.name === github.context.job)
-        .at(0);
-      if (job === undefined) {
-        return "no-jobs";
-      }
-
-      const outcomes = (job.steps ?? []).map((j) => j.conclusion ?? "unknown");
-
-      // Possible values: success, failure, cancelled, or skipped
-      // from: https://docs.github.com/en/actions/learn-github-actions/contexts
-
-      if (outcomes.includes("failure")) {
-        // Any failures fails the job
-        return "failure";
-      }
-      if (outcomes.includes("cancelled")) {
-        // Any cancellations cancels the job
-        return "cancelled";
-      }
-
-      // Assume success if no jobs failed or were canceled
-      return "success";
-    } catch (e) {
-      actionsCore.debug(`Error determining final disposition: ${e}`);
-      return "unavailable";
-    }
-  }
-
  private get defaultPlanner(): string {
    if (this.isMacOS) {
      return "macos";
Author	SHA1	Message	Date
Graham Christensen	e50d5f73bf	Log in to flakehub on existing installs (#129 ) * Log in to flakehub if the machine is already installed * Put the nix store paths first (in the PATH) * set the path earlier * Warn on login failures	2024-11-14 11:41:23 -05:00
detsys-pr-bot	25431d2798	Update `detsys-ts` for: `Merge pull request` `#67 from DeterminateSystems/allow-obliterating-id-token-privs` (`4280bc94c9545f31ccf08001cc16f20ccb91b770`) (#128 ) Co-authored-by: grahamc <76716+grahamc@users.noreply.github.com>	2024-11-06 14:54:15 -05:00
Graham Christensen	b92f66560d	Add the job-status option (#125 )	2024-10-03 11:40:44 -04:00
Graham Christensen	ddfca32d6f	Convert flakehub: true to determinate: true (#123 ) * Drop the flakehub param to deprecated, use determinate, and log in to flakehub * Expand the test suite to cover determinate on all our targets --------- Co-authored-by: Luc Perkins <lucperkins@gmail.com>	2024-09-13 12:36:49 -07:00