Update to determinate by default (#208)

* Update to determinate by default

Implements https://github.com/DeterminateSystems/nix-src/issues/201

* Fixup the version verification script

.github/verify-version.sh

@@ -7,9 +7,8 @@ EXPECTED_VERSION="${1}"
 
 INSTALLED_NIX_VERSION_OUTPUT=$(nix --version)
 INSTALLED_NIX_VERSION=$(echo "${INSTALLED_NIX_VERSION_OUTPUT}" | awk '{print $NF}')
-EXPECTED_OUTPUT="nix (Nix) ${EXPECTED_VERSION}"
 
-if [ "${INSTALLED_NIX_VERSION_OUTPUT}" != "${EXPECTED_OUTPUT}" ]; then
+if [ "${INSTALLED_NIX_VERSION}" != "${EXPECTED_VERSION}" ]; then
   echo "Nix version ${INSTALLED_NIX_VERSION} didn't match expected version ${EXPECTED_VERSION}"
   exit 1
 else

.github/workflows/ci.yml

@@ -78,7 +78,7 @@ jobs:
         run: echo $PATH
 
       - name: Render the devshell
-        if: success() || failure()
+        if: (success() || failure()) && matrix.runner != 'macos-13-large' && matrix.runner != 'macos-14-large'
         run: |
           nix develop --command date
 
@@ -150,14 +150,10 @@ jobs:
     strategy:
       matrix:
         inputs:
-          # https://github.com/DeterminateSystems/nix-installer/blob/v0.18.0
+          # https://github.com/DeterminateSystems/nix-installer/blob/v3.11.3
           - key: url
-            value: https://github.com/DeterminateSystems/nix-installer/releases/download/v0.18.0/nix-installer-x86_64-linux
-            nix-version: "2.21.2"
-          # https://github.com/DeterminateSystems/nix-installer/tree/7011c077ec491da410fbc39f68676b0908b9ce7e
-          - key: revision
-            value: 7011c077ec491da410fbc39f68676b0908b9ce7e
-            nix-version: "2.19.2"
+            value: https://github.com/DeterminateSystems/nix-installer/releases/download/v3.11.3/nix-installer-x86_64-linux
+            nix-version: "2.31.2" # 3.11.3 is based on 2.31.2
 
     steps:
       - uses: actions/checkout@v4

README.md

@@ -34,7 +34,7 @@ jobs:
 
 ### With FlakeHub
 
-To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and pass `determinate: true`:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and use [`determinate-nix-action`][determinate-nix-action]:
 
 ```yaml
 on:
@@ -51,14 +51,25 @@ jobs:
       contents: "read"
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          determinate: true
+      - uses: DeterminateSystems/determinate-nix-action@v3
       - run: nix build .
 ```
 
 See [`.github/workflows/ci.yml`](.github/workflows/ci.yml) for a full example.
 
+### Pinning the version
+
+This GitHub Action uses the most recent version of the Determinate Nix Installer, even when the Action itself is pinned.
+If you wish to pin your CI workflows to a specific version, use the [`determinate-nix-action`][determinate-nix-action].
+That Action is updated and tagged for every Determinate release.
+
+The `DeterminateSystems/determinate-nix-action@v3.5.2` reference, for example, always installs Determinate Nix v3.5.2.
+
+Additionally, an extra tag on the major version is kept up to date with the current release.
+The `DeterminateSystems/determinate-nix-action@v3` reference, for example, installs the most recent release in the `v3.x.y` series.
+
+If you do tag to a specific version, please [use Dependabot to update your actions][dependabot-actions].
+
 ### Advanced Usage
 
 - If KVM is available, the installer sets up KVM so that Nix can use it ,and exports the `DETERMINATE_NIX_KVM` environment variable set to 1.
@@ -85,11 +96,11 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | Parameter               | Description                                                                                                                                                                                                                                                                    | Type                                       | Default                                                        |
 | :---------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :------------------------------------------------------------- |
 | `backtrace`             | The setting for [`RUST_BACKTRACE`][backtrace]                                                                                                                                                                                                                                  | string                                     |                                                                |
-| `determinate`           | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.                                                                                                                                      | Boolean                                    | `false`                                                        |
+| `determinate`           | Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.                                                                                                                                      | Boolean                                    | `true`                                                         |
 | `extra-args`            | Extra arguments to pass to the planner (prefer using structured `with:` arguments unless using a custom [planner]!)                                                                                                                                                            | string                                     |                                                                |
 | `extra-conf`            | Extra configuration lines for `/etc/nix/nix.conf` (includes `access-tokens` with `secrets.GITHUB_TOKEN` automatically if `github-token` is set)                                                                                                                                | string                                     |                                                                |
 | `flakehub`              | Deprecated. Implies `determinate`.                                                                                                                                                                                                                                             | Boolean                                    | `false`                                                        |
-| `force-docker-shim`     | Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.                                                                                                                                                                         | Boolean                                    | `false`                                                        |
+| `force-no-systemd`      | Force using other methods than systemd to launch the daemon. This setting is automatically enabled when necessary.                                                                                                                                                             | Boolean                                    | `false`                                                        |
 | `github-token`          | A [GitHub token] for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)                                                                                                                                                        | string                                     | `${{ github.token }}`                                          |
 | `github-server-url`     | The URL for the GitHub server, to use with the `github-token` token. Defaults to the current GitHub server, supporting GitHub Enterprise Server automatically. Only change this value if the provided `github-token` is for a different GitHub server than the current server. | string                                     | `${{ github.server }}`                                         |
 | `init`                  | The init system to configure (requires `planner: linux-multi`)                                                                                                                                                                                                                 | enum (`none` or `systemd`)                 |                                                                |
@@ -123,6 +134,8 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 
 [apfs]: https://en.wikipedia.org/wiki/Apple_File_System
 [backtrace]: https://doc.rust-lang.org/std/backtrace/index.html#environment-variables
+[dependabot-actions]: https://github.com/DeterminateSystems/determinate-nix-action?tab=readme-ov-file#-automate-updates-with-dependabot
+[determinate-nix-action]: https://github.com/DeterminateSystems/determinate-nix-action
 [github token]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
 [planner]: https://github.com/determinateSystems/nix-installer#usage
 [profile]: https://nixos.org/manual/nix/stable/package-management/profiles

action.yml

@@ -10,7 +10,7 @@ inputs:
   determinate:
     description: |
       Whether to install [Determinate Nix](https://determinate.systems/enterprise) and log in to FlakeHub for private Flakes and binary caches.
-    default: false
+    default: true
   extra-args:
     description: Extra args to pass to the planner (prefer using structured `with:` arguments unless using a custom planner!)
     required: false
@@ -21,8 +21,8 @@ inputs:
     description: Deprecated. Implies `determinate`.
     required: false
     default: false
-  force-docker-shim:
-    description: Force the use of Docker as a process supervisor. This setting is automatically enabled when necessary.
+  force-no-systemd:
+    description: Force using other methods than systemd to launch the daemon. This setting is automatically enabled when necessary.
     required: false
     default: false
   github-token:

docker-shim/Dockerfile

@@ -1,19 +0,0 @@
-# Determinate Nix Installer: Docker Shim
-#
-# This empty image exists to lean on Docker as a process supervisor when
-# systemd isn't available. Specifically intended for self-hosted GitHub
-# Actions runners using Docker-in-Docker.
-#
-# See: https://github.com/DeterminateSystems/nix-installer-action 
-
-FROM scratch
-
-ENTRYPOINT [ "/nix/var/nix/profiles/default/bin/nix-daemon"]
-CMD []
-
-HEALTHCHECK \
-    --interval=5m \
-    --timeout=3s \
-    CMD ["/nix/var/nix/profiles/default/bin/nix", "store", "ping", "--store", "daemon"]
-
-COPY ./Dockerfile /README.md

docker-shim/README.md

@@ -1,52 +0,0 @@
-# Determinate Nix Installer Action: Docker Shim
-
-The image in this repository is a product of the contained Dockerfile.
-It is an otherwise empty image with a configuration layer.
-
-This image is to be used in GitHub Actions runners which don't have systemd available, like self-hosted ARC runners.
-
-The image would have no layers / content at all, however Docker has a bug and refuses to export those images.
-This isn't a technical limitation preventing us from creating and distributing that image, but an ease-of-use limitation.
-Since some of Docker's inspection tools break on an empty image, the image contains a single layer containing a README.
-
-To build:
-
-```shell
-docker build . --tag determinate-nix-shim:latest
-docker image save determinate-nix-shim:latest | gzip --best > amd64.tar
-```
-
-Then, extract the tarball:
-
-```
-mkdir extract
-cd extract
-tar -xf ../amd64.tar
-```
-
-It'll look like this, though the hashes will be different.
-
-```
-.
-├── 771204abb853cdde06bbbc680001a02642050a1db1a7b0a48cf5f20efa8bdc5d.json
-├── c4088111818e553e834adfc81bda8fe6da281afa9a40012eaa82796fb5476e98
-│   ├── VERSION
-│   ├── json
-│   └── layer.tar
-├── manifest.json
-└── repositories
-```
-
-Ignore `manifest.json`, and edit the other two JSON documents to replace `amd64` with `arm64`, both in a key named "architecture:
-
-```
-"architecture":"amd64"
-```
-
-Then re-create the tar, from within the `extract` directory:
-
-```
-tar --options gzip:compression-level=9 -zcf ../arm64.tar.gz .
-```
-
-Then `git add` the two .tar.gz's and you're done.

flake.nix

@@ -9,7 +9,7 @@
 
   outputs = { self, flake-schemas, nixpkgs }:
     let
-      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" "x86_64-darwin" ];
+      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" ];
       forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
         pkgs = import nixpkgs { inherit system; };
       });

package.json

@@ -28,25 +28,25 @@
   "dependencies": {
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/github": "^6.0.1",
     "detsys-ts": "github:DeterminateSystems/detsys-ts",
-    "got": "^14.4.7",
+    "got": "^14.6.2",
     "string-argv": "^0.3.2",
-    "vitest": "^3.1.1"
+    "vitest": "^3.2.4"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.17.30",
+    "@types/node": "^20.19.24",
     "@types/uuid": "^9.0.8",
     "@typescript-eslint/eslint-plugin": "^7.18.0",
-    "@vercel/ncc": "^0.38.3",
+    "@vercel/ncc": "^0.38.4",
     "eslint": "^8.57.1",
-    "eslint-import-resolver-typescript": "^3.10.0",
+    "eslint-import-resolver-typescript": "^3.10.1",
     "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-prettier": "^5.2.6",
-    "prettier": "^3.5.3",
-    "tsup": "^8.4.0",
-    "typescript": "^5.8.3"
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-prettier": "^5.5.4",
+    "prettier": "^3.6.2",
+    "tsup": "^8.5.0",
+    "typescript": "^5.9.3"
   }
 }

src/events.test.ts

@@ -12,7 +12,7 @@ if (false) {
 }
 
 test("Parsing existing events", () => {
-  const events = parseEvents([
+  const { events } = parseEvents([
     {
       v: "1",
       c: "BuiltPathResponseEventV1",

src/events.ts

@@ -10,12 +10,26 @@ export interface DEvent {
   };
 }
 
-export function parseEvents(data: unknown): DEvent[] {
+export interface ParsedEventsResult {
+  readonly events: DEvent[];
+  readonly hasMismatches: boolean;
+}
+
+export function parseEvents(data: unknown): ParsedEventsResult {
+  let hasMismatches = false;
+
   if (!Array.isArray(data)) {
-    return [];
+    return { events: [], hasMismatches };
   }
 
-  return data.flatMap((event) => {
+  const events = data.flatMap((event) => {
+    // If this was a hash mismatch event, note it and move on
+    if (event.v === "1" && event.c === "HashMismatchResponseEventV1") {
+      hasMismatches = true;
+      return [];
+    }
+
+    // Otherwise, determine if it's an event we're interested in
     if (
       event.v === "1" &&
       (event.c === "BuildFailureResponseEventV1" ||
@@ -53,9 +67,13 @@ export function parseEvents(data: unknown): DEvent[] {
 
     return [];
   });
+
+  return { events, hasMismatches };
 }
 
-export async function getRecentEvents(since: Date): Promise<DEvent[]> {
+export async function getRecentEvents(
+  since: Date,
+): Promise<ParsedEventsResult> {
   const queryParam = encodeURIComponent(since.toISOString());
 
   const resp = await got

src/failuresummary.test.ts

@@ -248,8 +248,9 @@ test("Omit some logs if there are too many", async () => {
 
 </details>
 
+
 > [!NOTE]
-> The following failure has been ommitted due to GitHub Actions summary length limitations.
+> The following failure has been omitted due to GitHub Actions' summary length limitations.
 > The full logs are available in the post-run phase of the Nix Installer Action.
 > * \`/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-3.drv\``);
 

src/failuresummary.ts

@@ -97,8 +97,9 @@ export async function summarizeFailures(
 
   if (skippedChunks.length > 0) {
     markdownLines.push(
+      "",
       "> [!NOTE]",
-      `> The following ${skippedChunks.length === 1 ? "failure has" : "failures have"} been ommitted due to GitHub Actions summary length limitations.`,
+      `> The following ${skippedChunks.length === 1 ? "failure has" : "failures have"} been omitted due to GitHub Actions' summary length limitations.`,
       "> The full logs are available in the post-run phase of the Nix Installer Action.",
     );
 

src/index.ts

@@ -1,58 +1,61 @@
 import * as actionsCore from "@actions/core";
 import * as actionsExec from "@actions/exec";
 import * as github from "@actions/github";
-import { access, readFile, stat } from "node:fs/promises";
+import { access, readFile, stat, writeFile } from "node:fs/promises";
 import { join } from "node:path";
-import fs from "node:fs";
+import fs, { mkdirSync, openSync } from "node:fs";
 import { userInfo } from "node:os";
 import stringArgv from "string-argv";
 import * as path from "path";
 import { DetSysAction, inputs, platform, stringifyError } from "detsys-ts";
-import { randomUUID } from "node:crypto";
 import got from "got";
 import { setTimeout } from "node:timers/promises";
 import { getFixHashes } from "./fixHashes.js";
 import { annotateMismatches } from "./annotate.js";
-import { getRecentEvents } from "./events.js";
+import { DEvent, getRecentEvents } from "./events.js";
 import { makeMermaidReport } from "./mermaid.js";
 import { summarizeFailures } from "./failuresummary.js";
+import { SpawnOptions, spawn } from "node:child_process";
 
 // Nix installation events
 const EVENT_INSTALL_NIX_FAILURE = "install_nix_failure";
 const EVENT_INSTALL_NIX_START = "install_nix_start";
-const EVENT_INSTALL_NIX_SUCCESS = "install_nix_start";
+const EVENT_INSTALL_NIX_SUCCESS = "install_nix_success";
 const EVENT_SETUP_KVM = "setup_kvm";
 const EVENT_UNINSTALL_NIX = "uninstall";
 
-// Docker events
-const EVENT_CLEAN_UP_DOCKER_SHIM = "clean_up_docker_shim";
-const EVENT_START_DOCKER_SHIM = "start_docker_shim";
-
 // FlakeHub events
-const EVENT_LOGIN_TO_FLAKEHUB = "login_to_flakehub";
+const EVENT_LOGIN_START = "flakehub-login:start";
+const EVENT_LOGIN_FAILURE = "flakehub-login:failure";
+const EVENT_LOGIN_SUCCESS = "flakehub-login:success";
+const EVENT_LOGIN_END = "flakehub-login:end";
 
 // Other events
 const EVENT_CONCLUDE_JOB = "conclude_job";
 const EVENT_FOD_ANNOTATE = "fod_annotate";
+const EVENT_NO_SYSTEMD_SHIM_FAILED = "no-systemd-shim-failed";
 
 // Feature flag names
 const FEAT_ANNOTATIONS = "hash-mismatch-annotations";
 
 // Facts
 const FACT_DETERMINATE_NIX = "determinate_nix";
-const FACT_HAS_DOCKER = "has_docker";
 const FACT_HAS_SYSTEMD = "has_systemd";
 const FACT_IN_ACT = "in_act";
 const FACT_IN_NAMESPACE_SO = "in_namespace_so";
 const FACT_NIX_INSTALLER_PLANNER = "nix_installer_planner";
+const FACT_SENT_SIGTERM = "sent_sigterm";
 
 // Flags
 const FLAG_DETERMINATE = "--determinate";
+const FLAG_PREFER_UPSTREAM_NIX = "--prefer-upstream-nix";
 
 // Pre/post state keys
+const STATE_DAEMONDIR = "DNI_DAEMONDIR";
 const STATE_START_DATETIME = "DETERMINATE_NIXD_START_DATETIME";
 
 class NixInstallerAction extends DetSysAction {
+  private daemonDir: string;
   determinate: boolean;
   platform: string;
   nixPackageUrl: string | null;
@@ -62,7 +65,7 @@ class NixInstallerAction extends DetSysAction {
   kvm: boolean;
   githubServerUrl: string | null;
   githubToken: string | null;
-  forceDockerShim: boolean;
+  forceNoSystemd: boolean;
   init: string | null;
   jobConclusion: string | null;
   localRoot: string | null;
@@ -87,6 +90,20 @@ class NixInstallerAction extends DetSysAction {
   runnerOs: string | undefined;
 
   constructor() {
+    if (platform.getArchOs() === "X64-macOS") {
+      // Holy guacamole this is ugly
+      actionsCore.error(
+        "Determinate Nix Installer no longer supports macOS on Intel. Please migrate to Apple Silicon, and use Nix's built-in Rosetta support to build for Intel. See: https://github.com/DeterminateSystems/nix-src/issues/224",
+      );
+      const sourceTag = inputs.getStringOrUndefined("source-tag");
+      if (sourceTag === undefined) {
+        actionsCore.notice(
+          "Pinning the installer tag to v3.12.2 (the last version to support Intel Macs) as a temporary fallback.",
+        );
+        process.env["INPUT_SOURCE-TAG"] = "v3.12.2";
+      }
+    }
+
     super({
       name: "nix-installer",
       fetchStyle: "nix-style",
@@ -95,6 +112,14 @@ class NixInstallerAction extends DetSysAction {
       diagnosticsSuffix: "diagnostic",
     });
 
+    if (actionsCore.getState(STATE_DAEMONDIR) !== "") {
+      this.daemonDir = actionsCore.getState(STATE_DAEMONDIR);
+    } else {
+      this.daemonDir = this.getTemporaryName();
+      mkdirSync(this.daemonDir);
+      actionsCore.saveState(STATE_DAEMONDIR, this.daemonDir);
+    }
+
     this.determinate =
       inputs.getBool("determinate") || inputs.getBool("flakehub");
     this.platform = platform.getNixPlatform(platform.getArchOs());
@@ -103,7 +128,7 @@ class NixInstallerAction extends DetSysAction {
     this.extraArgs = inputs.getStringOrNull("extra-args");
     this.extraConf = inputs.getMultilineStringOrNull("extra-conf");
     this.kvm = inputs.getBool("kvm");
-    this.forceDockerShim = inputs.getBool("force-docker-shim");
+    this.forceNoSystemd = inputs.getBool("force-no-systemd");
     this.githubToken = inputs.getStringOrNull("github-token");
     this.githubServerUrl = inputs.getStringOrNull("github-server-url");
     this.init = inputs.getStringOrNull("init");
@@ -131,10 +156,10 @@ class NixInstallerAction extends DetSysAction {
   }
 
   async main(): Promise<void> {
-    await this.scienceDebugFly();
-    await this.detectAndForceDockerShim();
-    await this.install();
     actionsCore.saveState(STATE_START_DATETIME, new Date().toISOString());
+    await this.scienceDebugFly();
+    await this.detectAndForceNoSystemd();
+    await this.install();
   }
 
   async post(): Promise<void> {
@@ -146,7 +171,7 @@ class NixInstallerAction extends DetSysAction {
         exception: stringifyError(err),
       });
     }
-    await this.cleanupDockerShim();
+    await this.cleanupNoSystemd();
     await this.reportOverall();
   }
 
@@ -207,211 +232,37 @@ class NixInstallerAction extends DetSysAction {
     }
   }
 
-  // Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
+  // Detect if we're in a GHA runner which is Linux and doesn't have Systemd.
   // This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
   // and especially GitHub Enterprise Server.
-  async detectAndForceDockerShim(): Promise<void> {
+  async detectAndForceNoSystemd(): Promise<void> {
     if (!this.isLinux) {
-      if (this.forceDockerShim) {
+      if (this.forceNoSystemd) {
+        this.forceNoSystemd = false;
         actionsCore.warning(
-          "Ignoring force-docker-shim which is set to true, as it is only supported on Linux.",
+          "Ignoring force-no-systemd which is set to true, as it is only supported on Linux.",
         );
-        this.forceDockerShim = false;
       }
       return;
     }
 
-    if (this.isRunningInAct) {
-      actionsCore.debug(
-        "Not bothering to detect if the docker shim should be used, as it is typically incompatible with act.",
-      );
-      return;
-    }
-
+    actionsCore.startGroup("Detecting systemd...");
     const systemdCheck = fs.statSync("/run/systemd/system", {
       throwIfNoEntry: false,
     });
     if (systemdCheck?.isDirectory()) {
       this.addFact(FACT_HAS_SYSTEMD, true);
-      if (this.forceDockerShim) {
-        actionsCore.warning(
-          "Systemd is detected, but ignoring it since force-docker-shim is enabled.",
-        );
-      } else {
-        return;
-      }
-    }
-    this.addFact(FACT_HAS_SYSTEMD, false);
+    } else {
+      this.addFact(FACT_HAS_SYSTEMD, false);
 
-    actionsCore.debug(
-      "Linux detected without systemd, testing for Docker with `docker info` as an alternative daemon supervisor.",
-    );
-
-    this.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
-    let exitCode;
-    try {
-      exitCode = await actionsExec.exec("docker", ["info"], {
-        silent: true,
-        listeners: {
-          stdout: (data: Buffer) => {
-            const trimmed = data.toString("utf-8").trimEnd();
-            if (trimmed.length >= 0) {
-              actionsCore.debug(trimmed);
-            }
-          },
-          stderr: (data: Buffer) => {
-            const trimmed = data.toString("utf-8").trimEnd();
-            if (trimmed.length >= 0) {
-              actionsCore.debug(trimmed);
-            }
-          },
-        },
-      });
-    } catch {
-      actionsCore.debug("Docker not detected, not enabling docker shim.");
-      return;
-    }
-
-    if (exitCode !== 0) {
-      if (this.forceDockerShim) {
-        actionsCore.warning(
-          "docker info check failed, but trying anyway since force-docker-shim is enabled.",
-        );
-      } else {
-        return;
-      }
-    }
-    this.addFact(FACT_HAS_DOCKER, true);
-
-    if (
-      !this.forceDockerShim &&
-      (await this.detectDockerWithMountedDockerSocket())
-    ) {
-      actionsCore.debug(
-        "Detected a Docker container with a Docker socket mounted, not enabling docker shim.",
-      );
-      return;
-    }
-
-    actionsCore.startGroup(
-      "Enabling the Docker shim for running Nix on Linux in CI without Systemd.",
-    );
-
-    if (this.init !== "none") {
-      actionsCore.info(`Changing init from '${this.init}' to 'none'`);
+      this.forceNoSystemd = true;
       this.init = "none";
-    }
-    if (this.planner !== "linux") {
-      actionsCore.info(`Changing planner from '${this.planner}' to 'linux'`);
       this.planner = "linux";
     }
 
-    this.forceDockerShim = true;
-
     actionsCore.endGroup();
   }
 
-  // Detect if we are running under `act` or some other system which is not using docker-in-docker,
-  // and instead using a mounted docker socket.
-  // In the case of the socket mount solution, the shim will cause issues since the given mount paths will
-  // equate to mount paths on the host, not mount paths to the docker container in question.
-  async detectDockerWithMountedDockerSocket(): Promise<boolean> {
-    let cgroupsBuffer;
-    try {
-      // If we are inside a docker container, the last line of `/proc/self/cgroup` should be
-      // 0::/docker/$SOME_ID
-      //
-      // If we are not, the line will likely be `0::/`
-      cgroupsBuffer = await readFile("/proc/self/cgroup", {
-        encoding: "utf-8",
-      });
-    } catch (e) {
-      actionsCore.debug(
-        `Did not detect \`/proc/self/cgroup\` existence, bailing on docker container ID detection:\n${e}`,
-      );
-      return false;
-    }
-
-    const cgroups = cgroupsBuffer.trim().split("\n");
-    const lastCgroup = cgroups[cgroups.length - 1];
-    const lastCgroupParts = lastCgroup.split(":");
-    const lastCgroupPath = lastCgroupParts[lastCgroupParts.length - 1];
-    if (!lastCgroupPath.includes("/docker/")) {
-      actionsCore.debug(
-        "Did not detect a container ID, bailing on docker.sock detection",
-      );
-      return false;
-    }
-    // We are in a docker container, now to determine if this container is visible from
-    // the `docker` command, and if so, if there is a `docker.socket` mounted.
-    const lastCgroupPathParts = lastCgroupPath.split("/");
-    const containerId = lastCgroupPathParts[lastCgroupPathParts.length - 1];
-
-    // If we cannot `docker inspect` this discovered container ID, we'll fall through to the `catch` below.
-    let stdoutBuffer = "";
-    let stderrBuffer = "";
-    let exitCode;
-    try {
-      exitCode = await actionsExec.exec("docker", ["inspect", containerId], {
-        silent: true,
-        listeners: {
-          stdout: (data: Buffer) => {
-            stdoutBuffer += data.toString("utf-8");
-          },
-          stderr: (data: Buffer) => {
-            stderrBuffer += data.toString("utf-8");
-          },
-        },
-      });
-    } catch (e) {
-      actionsCore.debug(
-        `Could not execute \`docker inspect ${containerId}\`, bailing on docker container inspection:\n${e}`,
-      );
-      return false;
-    }
-
-    if (exitCode !== 0) {
-      actionsCore.debug(
-        `Unable to inspect detected docker container with id \`${containerId}\`, bailing on container inspection (exit ${exitCode}):\n${stderrBuffer}`,
-      );
-      return false;
-    }
-
-    const output = JSON.parse(stdoutBuffer);
-    // `docker inspect $ID` prints an array containing objects.
-    // In our use case, we should only see 1 item in the array.
-    if (output.length !== 1) {
-      actionsCore.debug(
-        `Got \`docker inspect ${containerId}\` output which was not one item (was ${output.length}), bailing on docker.sock detection.`,
-      );
-      return false;
-    }
-    const item = output[0];
-    // On this array item we want the `Mounts` field, which is an array
-    // containing `{ Type, Source, Destination, Mode}`.
-    // We are looking for a `Destination` ending with `docker.sock`.
-    const mounts = item["Mounts"];
-    if (typeof mounts !== "object") {
-      actionsCore.debug(
-        `Got non-object in \`Mounts\` field of \`docker inspect ${containerId}\` output, bailing on docker.sock detection.`,
-      );
-      return false;
-    }
-
-    let foundDockerSockMount = false;
-    for (const mount of mounts) {
-      const destination = mount["Destination"];
-      if (typeof destination === "string") {
-        if (destination.endsWith("docker.sock")) {
-          foundDockerSockMount = true;
-          break;
-        }
-      }
-    }
-
-    return foundDockerSockMount;
-  }
-
   private async executionEnvironment(): Promise<ExecuteEnvironment> {
     const executionEnv: ExecuteEnvironment = {};
 
@@ -449,7 +300,7 @@ class NixInstallerAction extends DetSysAction {
     }
 
     if (this.nixBuildUserBase !== null) {
-      executionEnv.NIX_INSTALLER_NIX_BUILD_USER_ID_BASE = `${this.nixBuildUserCount}`;
+      executionEnv.NIX_INSTALLER_NIX_BUILD_USER_ID_BASE = `${this.nixBuildUserBase}`;
     }
 
     if (this.nixPackageUrl !== null) {
@@ -596,6 +447,8 @@ class NixInstallerAction extends DetSysAction {
       if (this.extraArgs && !this.extraArgs.includes(FLAG_DETERMINATE)) {
         args.push(FLAG_DETERMINATE);
       }
+    } else {
+      args.push(FLAG_PREFER_UPSTREAM_NIX);
     }
 
     return args;
@@ -667,8 +520,8 @@ class NixInstallerAction extends DetSysAction {
     await this.executeInstall(binaryPath);
     actionsCore.endGroup();
 
-    if (this.forceDockerShim) {
-      await this.spawnDockerShim();
+    if (this.forceNoSystemd) {
+      await this.spawnDetached();
     }
 
     await this.setGithubPath();
@@ -678,192 +531,83 @@ class NixInstallerAction extends DetSysAction {
     }
   }
 
-  async spawnDockerShim(): Promise<void> {
+  async spawnDetached(): Promise<void> {
     actionsCore.startGroup(
-      "Configuring the Docker shim as the Nix Daemon's process supervisor",
+      "Directly spawning the daemon, since systemd is not available.",
     );
 
-    const images: { [key: string]: string } = {
-      X64: path.join(__dirname, "/../docker-shim/amd64.tar.gz"),
-      ARM64: path.join(__dirname, "/../docker-shim/arm64.tar.gz"),
+    const outputPath = path.join(this.daemonDir, "daemon.log");
+    const output = openSync(outputPath, "a");
+
+    const opts: SpawnOptions = {
+      stdio: ["ignore", output, output],
+      detached: true,
     };
 
-    const runnerArch = process.env["RUNNER_ARCH"];
-    let arch;
+    const daemonBin = this.determinate
+      ? "/usr/local/bin/determinate-nixd"
+      : "/nix/var/nix/profiles/default/bin/nix-daemon";
+    const daemonCliFlags = this.determinate ? ["daemon"] : [];
 
-    if (runnerArch === "X64") {
-      arch = "X64";
-    } else if (runnerArch === "ARM64") {
-      arch = "ARM64";
+    let executable: string;
+    let args: string[];
+
+    if (userInfo().uid === 0) {
+      executable = daemonBin;
+      args = daemonCliFlags;
     } else {
-      throw Error("Architecture not supported in Docker shim mode.");
-    }
-    actionsCore.debug("Loading image: determinate-nix-shim:latest...");
-    {
-      const exitCode = await actionsExec.exec(
-        "docker",
-        ["image", "load", "--input", images[arch]],
-        {
-          silent: true,
-          listeners: {
-            stdout: (data: Buffer) => {
-              const trimmed = data.toString("utf-8").trimEnd();
-              if (trimmed.length >= 0) {
-                actionsCore.debug(trimmed);
-              }
-            },
-            stderr: (data: Buffer) => {
-              const trimmed = data.toString("utf-8").trimEnd();
-              if (trimmed.length >= 0) {
-                actionsCore.debug(trimmed);
-              }
-            },
-          },
-        },
-      );
-
-      if (exitCode !== 0) {
-        throw new Error(
-          `Failed to build the shim image, exit code: \`${exitCode}\``,
-        );
-      }
+      executable = "sudo";
+      args = [daemonBin].concat(daemonCliFlags);
     }
 
-    {
-      actionsCore.debug("Starting the Nix daemon through Docker...");
+    // Display the final command for debugging purposes
+    actionsCore.debug("Full daemon start command:");
+    actionsCore.debug(`${executable} ${args.join(" ")}`);
 
-      const candidateDirectories = [
-        {
-          dir: "/bin",
-          readOnly: true,
-        },
-        {
-          dir: "/etc",
-          readOnly: true,
-        },
-        {
-          dir: "/home",
-          readOnly: true,
-        },
-        {
-          dir: "/lib",
-          readOnly: true,
-        },
-        {
-          dir: "/lib64",
-          readOnly: true,
-        },
-        {
-          dir: "/tmp",
-          readOnly: false,
-        },
-        {
-          dir: "/usr",
-          readOnly: true,
-        },
-        {
-          dir: "/nix",
-          readOnly: false,
-        },
-      ];
+    // Start the server, and wait for the socket to exist
+    const daemon = spawn(executable, args, opts);
 
-      const mountArguments = [];
+    const pidFile = path.join(this.daemonDir, "daemon.pid");
+    if (daemon.pid) {
+      await writeFile(pidFile, daemon.pid.toString());
+    }
 
-      for (const { dir, readOnly } of candidateDirectories) {
-        try {
-          await access(dir);
-          actionsCore.debug(`Will mount ${dir} in the docker shim.`);
-          mountArguments.push("--mount");
-          mountArguments.push(
-            `type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
-          );
-        } catch {
-          actionsCore.debug(
-            `Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
-          );
+    try {
+      for (let i = 0; i <= 2400; i++) {
+        // Approximately 2 minutes
+        if (daemon.signalCode !== null || daemon.exitCode !== null) {
+          let msg: string;
+          if (daemon.signalCode) {
+            msg = `Daemon was killed by signal ${daemon.signalCode}`;
+          } else {
+            msg = `Daemon exited with code ${daemon.exitCode}`;
+          }
+
+          throw new Error(msg);
         }
+
+        if (await this.doesTheSocketExistYet()) {
+          break;
+        }
+
+        await setTimeout(50);
       }
 
-      const plausibleDeterminateOptions = [];
-      const plausibleDeterminateArguments = [];
-      if (this.determinate) {
-        plausibleDeterminateOptions.push("--entrypoint");
-        plausibleDeterminateOptions.push("/usr/local/bin/determinate-nixd");
-        plausibleDeterminateArguments.push("daemon");
+      if (!(await this.doesTheSocketExistYet())) {
+        throw new Error("Timed out waiting for the daemon socket to appear.");
       }
+    } catch (error: unknown) {
+      this.recordEvent(EVENT_NO_SYSTEMD_SHIM_FAILED, {
+        error: stringifyError(error),
+        log: await readFile(outputPath, "utf-8"),
+      });
 
-      this.recordEvent(EVENT_START_DOCKER_SHIM);
-      const exitCode = await actionsExec.exec(
-        "docker",
-        [
-          "--log-level=debug",
-          "run",
-          "--detach",
-          "--privileged",
-          "--network=host",
-          "--userns=host",
-          "--pid=host",
-          "--restart",
-          "always",
-          "--init",
-          "--name",
-          `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
-        ]
-          .concat(plausibleDeterminateOptions)
-          .concat(mountArguments)
-          .concat(["determinate-nix-shim:latest"])
-          .concat(plausibleDeterminateArguments),
-        {
-          silent: true,
-          listeners: {
-            stdline: (data: string) => {
-              actionsCore.saveState("docker_shim_container_id", data.trimEnd());
-            },
-            stdout: (data: Buffer) => {
-              const trimmed = data.toString("utf-8").trimEnd();
-              if (trimmed.length >= 0) {
-                actionsCore.debug(trimmed);
-              }
-            },
-            stderr: (data: Buffer) => {
-              const trimmed = data.toString("utf-8").trimEnd();
-              if (trimmed.length >= 0) {
-                actionsCore.debug(trimmed);
-              }
-            },
-          },
-        },
-      );
-
-      if (exitCode !== 0) {
-        throw new Error(
-          `Failed to start the Nix daemon through Docker, exit code: \`${exitCode}\``,
-        );
-      }
+      throw error;
     }
 
-    const maxDurationSeconds = 120;
-    const delayPerAttemptInMiliseconds = 50;
-    const maxAttempts =
-      (maxDurationSeconds * 1000) / delayPerAttemptInMiliseconds;
-    let didSucceed = false;
-
-    for (let attempt = 0; attempt <= maxAttempts; attempt += 1) {
-      if (await this.doesTheSocketExistYet()) {
-        didSucceed = true;
-        break;
-      }
-
-      await setTimeout(50);
-    }
-
-    if (!didSucceed) {
-      throw new Error("Timed out waiting for the Nix Daemon");
-    }
+    daemon.unref();
 
     actionsCore.endGroup();
-
-    return;
   }
 
   async doesTheSocketExistYet(): Promise<boolean> {
@@ -881,7 +625,7 @@ class NixInstallerAction extends DetSysAction {
       actionsCore.warning(
         `Error waiting for the Nix Daemon socket: ${stringifyError(error)}`,
       );
-      this.recordEvent("docker-shim:wait-for-socket", {
+      this.recordEvent("shim:wait-for-socket", {
         exception: stringifyError(error),
       });
       throw error;
@@ -890,12 +634,16 @@ class NixInstallerAction extends DetSysAction {
 
   async summarizeExecution(): Promise<void> {
     const startDate = new Date(actionsCore.getState(STATE_START_DATETIME));
-    const events = await getRecentEvents(startDate);
+    const { events, hasMismatches } = await getRecentEvents(startDate);
+
+    await this.reportPassFailCount(events);
 
     const mermaidSummary = makeMermaidReport(events);
     const failureSummary = await summarizeFailures(events);
 
-    if (mermaidSummary || failureSummary) {
+    const showResults = mermaidSummary || failureSummary || hasMismatches;
+
+    if (showResults) {
       actionsCore.summary.addRaw(
         `## ![](https://avatars.githubusercontent.com/u/80991770?s=30) Determinate Nix build summary`,
         true,
@@ -908,6 +656,18 @@ class NixInstallerAction extends DetSysAction {
       actionsCore.summary.addRaw("\n", true);
     }
 
+    if (hasMismatches) {
+      actionsCore.summary.addRaw(
+        [
+          "> [!TIP]",
+          "> Some derivations failed to build due to the hash in the Nix expression being outdated.",
+          "> To find out how to automatically update your Nix expressions in GitHub Actions, see [our guide](https://docs.determinate.systems/guides/automatically-fix-hashes-in-github-actions).",
+          "",
+        ].join("\n"),
+        true,
+      );
+    }
+
     if (failureSummary !== undefined) {
       for (const logLine of failureSummary.logLines) {
         actionsCore.info(logLine);
@@ -917,7 +677,7 @@ class NixInstallerAction extends DetSysAction {
       actionsCore.summary.addRaw("\n", true);
     }
 
-    if (mermaidSummary || failureSummary) {
+    if (showResults) {
       actionsCore.summary.addRaw("---", true);
       actionsCore.summary.addRaw(
         `_Please let us know what you think about this summary on the [Determinate Systems Discord](https://determinate.systems/discord)._`,
@@ -928,42 +688,27 @@ class NixInstallerAction extends DetSysAction {
     }
   }
 
-  async cleanupDockerShim(): Promise<void> {
-    const containerId = actionsCore.getState("docker_shim_container_id");
+  async reportPassFailCount(events: DEvent[]): Promise<void> {
+    let built = 0;
+    let failed = 0;
+    let unknown = 0;
 
-    if (containerId !== "") {
-      actionsCore.startGroup("Cleaning up the Nix daemon's Docker shim");
-
-      let cleaned = false;
-      try {
-        await actionsExec.exec("docker", ["rm", "--force", containerId]);
-        cleaned = true;
-      } catch {
-        actionsCore.warning("failed to cleanup nix daemon container");
+    for (const event of events) {
+      switch (event.c) {
+        case "BuiltPathResponseEventV1":
+          built++;
+          break;
+        case "BuildFailureResponseEventV1":
+          failed++;
+          break;
+        default:
+          unknown++;
       }
-
-      if (!cleaned) {
-        actionsCore.info("trying to pkill the container's shim process");
-        try {
-          await actionsExec.exec("pkill", [containerId]);
-          cleaned = true;
-        } catch {
-          actionsCore.warning(
-            "failed to forcibly kill the container's shim process",
-          );
-        }
-      }
-
-      if (cleaned) {
-        this.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
-      } else {
-        actionsCore.warning(
-          "Giving up on cleaning up the nix daemon container",
-        );
-      }
-
-      actionsCore.endGroup();
     }
+
+    this.addFact("nix_builds_succeeded", built);
+    this.addFact("nix_builds_failed", failed);
+    this.addFact("nix_builds_unknown_event", unknown);
   }
 
   async setGithubPath(): Promise<void> {
@@ -990,6 +735,8 @@ class NixInstallerAction extends DetSysAction {
   }
 
   async flakehubLogin(): Promise<void> {
+    this.recordEvent(EVENT_LOGIN_START);
+
     const canLogin =
       process.env["ACTIONS_ID_TOKEN_REQUEST_URL"] &&
       process.env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"];
@@ -1000,14 +747,20 @@ class NixInstallerAction extends DetSysAction {
       const head = pr?.head?.repo?.full_name;
 
       if (pr && base !== head) {
+        this.recordEvent(EVENT_LOGIN_FAILURE, { reason: "fork" });
+        this.recordEvent(EVENT_LOGIN_END);
+
         actionsCore.info(
-          `Not logging in to FlakeHub: GitHub Actions does not allow OIDC authentication from forked repositories ("${head}" is not the same repository as "${base}").`,
+          `FlakeHub is disabled because this is a fork. GitHub Actions does not allow OIDC authentication from forked repositories ("${head}" is not from the same repository as "${base}").`,
         );
         return;
       }
 
+      this.recordEvent(EVENT_LOGIN_FAILURE, { reason: "not-configured" });
+      this.recordEvent(EVENT_LOGIN_END);
+
       actionsCore.info(
-        `Not logging in to FlakeHub: GitHub Actions has not provided OIDC token endpoints; please make sure that \`id-token: write\` and \`contents: read\` are set for this step's (or job's) permissions.`,
+        "FlakeHub is disabled because the workflow is misconfigured. Please make sure that `id-token: write` and `contents: read` are set for this step's (or job's) permissions so that GitHub Actions provides OIDC token endpoints.",
       );
       actionsCore.info(
         `For more information, see https://docs.determinate.systems/guides/github-actions/#nix-installer-action`,
@@ -1016,15 +769,18 @@ class NixInstallerAction extends DetSysAction {
     }
 
     actionsCore.startGroup("Logging in to FlakeHub");
-    this.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
     try {
       await actionsExec.exec(`determinate-nixd`, ["login", "github-action"]);
+      this.recordEvent(EVENT_LOGIN_SUCCESS);
     } catch (e: unknown) {
       actionsCore.warning(`FlakeHub Login failure: ${stringifyError(e)}`);
-      this.recordEvent("flakehub-login:failure", {
+      this.recordEvent(EVENT_LOGIN_FAILURE, {
+        reason: "failed",
         exception: stringifyError(e),
       });
     }
+
+    this.recordEvent(EVENT_LOGIN_END);
     actionsCore.endGroup();
   }
 
@@ -1198,6 +954,47 @@ class NixInstallerAction extends DetSysAction {
     }
   }
 
+  async cleanupNoSystemd(): Promise<void> {
+    if (!this.forceNoSystemd) {
+      // Nothing to do, we didn't use the double fork
+      return;
+    }
+
+    const pidFile = path.join(this.daemonDir, "daemon.pid");
+    const pid = parseInt(await readFile(pidFile, { encoding: "ascii" }));
+    actionsCore.debug(`found daemon pid: ${pid}`);
+    if (!pid) {
+      throw new Error("the daemon did not start successfully");
+    }
+
+    actionsCore.debug(`killing daemon process ${pid}`);
+
+    try {
+      // Repeatedly signal 0 the daemon to test if it is up.
+      // If it exits, kill will raise an exception which breaks us out of this control flow and skips the sigterm.
+      // If it doesn't exit in 30s, we SIGTERM it.
+      for (let i = 0; i < 30 * 10; i++) {
+        process.kill(pid, 0);
+        await setTimeout(100);
+      }
+
+      this.addFact(FACT_SENT_SIGTERM, true);
+      actionsCore.info(`Sending the daemon a SIGTERM`);
+      process.kill(pid, "SIGTERM");
+    } catch {
+      // Perfectly normal to get an exception here, because the process shut down.
+    }
+
+    if (actionsCore.isDebug()) {
+      actionsCore.info("Entire log:");
+      const entireLog = await readFile(
+        path.join(this.daemonDir, "daemon.log"),
+        "utf-8",
+      );
+      actionsCore.info(entireLog);
+    }
+  }
+
   async reportOverall(): Promise<void> {
     try {
       this.recordEvent(EVENT_CONCLUDE_JOB, {

src/mermaid.test.ts

@@ -22,62 +22,62 @@ function generateEvents(count: number): DEvent[] {
   return events;
 }
 
+test("Empty event list returns no report", () => {
+  const report = makeMermaidReport([]);
+
+  expect(report).toBeUndefined();
+});
+
 test("Create a very large report doc and make sure it is small enough", () => {
-  {
-    const report = makeMermaidReport(generateEvents(2000))!;
+  const report = makeMermaidReport(generateEvents(2500))!;
 
-    // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
-    expect(report.match(/\.drv/g)!.length).equals(1);
+  // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
+  expect(report.match(/\.drv/g)!.length).equals(1);
 
-    // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
-    expect(report.match(/\/nix\/store\//g)!.length).equals(1);
+  // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
+  expect(report.match(/\/nix\/store\//g)!.length).equals(1);
 
-    // Assert that some events were pruned
-    expect(report.match(/dep-/g)!.length).lessThan(2000);
-    expect(report.match(/dep-/g)!.length).greaterThan(1500);
+  // Assert that some events were pruned
+  expect(report.match(/dep-/g)!.length).lessThan(2500);
+  expect(report.match(/dep-/g)!.length).greaterThan(1500);
 
-    expect(report).toContain("suffix, and builds that took less than 3");
+  expect(report).toContain("suffix, and builds that took less than ");
 
-    expect(report.length).lessThan(50200);
-    expect(report.length).greaterThan(49000);
-  }
+  expect(report.length).lessThan(50200);
+  expect(report.length).greaterThan(49000);
 });
 
 test("Create a medium large report doc and make sure it is small enough", () => {
-  {
-    const eventCount = 675;
-    const report = makeMermaidReport(generateEvents(eventCount))!;
+  const eventCount = 675;
+  const report = makeMermaidReport(generateEvents(eventCount))!;
 
-    // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
-    expect(report.match(/\.drv/g)!.length).equals(1);
+  // Assert the `.drv` suffix was pruned (1 reference = the NOTE at the end)
+  expect(report.match(/\.drv/g)!.length).equals(1);
 
-    // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
-    expect(report.match(/\/nix\/store\//g)!.length).equals(1);
+  // Assert the `/nix/store` prefix was pruned (1 reference = the NOTE at the end)
+  expect(report.match(/\/nix\/store\//g)!.length).equals(1);
 
-    // Assert that no lines were pruned
-    expect(report.match(/dep-/g)!.length).toStrictEqual(eventCount);
+  // Assert that no lines were pruned
+  expect(report.match(/dep-/g)!.length).toStrictEqual(eventCount);
 
-    expect(report).toContain(
-      "suffixes have been removed to make the graph small enough to render",
-    );
+  expect(report).toContain(
+    "suffixes have been removed to make the graph small enough to render",
+  );
 
-    expect(report.length).lessThan(50200);
-    expect(report.length).greaterThan(18000);
-  }
+  expect(report.length).lessThan(50200);
+  expect(report.length).greaterThan(18000);
 });
 
 test("Create a small report doc and make sure it isn't pruned", () => {
-  {
-    const report = makeMermaidReport(generateEvents(100))!;
+  const report = makeMermaidReport(generateEvents(100))!;
 
-    // Assert 100 events have the `.drv` suffix, ie: were not pruned
-    expect(report.match(/\.drv/g)!.length).equals(100);
+  // Assert 100 events have the `.drv` suffix, ie: were not pruned
+  expect(report.match(/\.drv/g)!.length).equals(100);
 
-    // Assert 100 events have the `.drv` suffix, ie: were not pruned
-    expect(report.match(/\/nix\/store\//g)!.length).equals(100);
+  // Assert 100 events have the `.drv` suffix, ie: were not pruned
+  expect(report.match(/\/nix\/store\//g)!.length).equals(100);
 
-    expect(report.length).lessThan(50000);
-  }
+  expect(report.length).lessThan(50000);
 });
 
 test("Generate a really big report and shrink it", () => {
@@ -94,7 +94,7 @@ test("Generate a really big report and shrink it", () => {
 });
 
 test("Generate a rough report of various length", () => {
-  const events = parseEvents([
+  const { events } = parseEvents([
     {
       v: "1",
       c: "BuiltPathResponseEventV1",
@@ -169,3 +169,39 @@ dep-2 (2s):d, 0, 2s
 hash-mismatch-md5-base16 (4s):crit, 3, 4s
 \`\`\``);
 });
+
+test("Generate a really big report and shrink it", () => {
+  const events = generateEvents(1000);
+
+  const originalLength = mermaidify(events, -1)!.length;
+  const limitedLengthZero = mermaidify(events, 0)!.length;
+  const limitedLengthOne = mermaidify(events, 1)!.length;
+  const limitedLengthTwo = mermaidify(events, 2)!.length;
+
+  expect(originalLength).greaterThan(limitedLengthZero);
+  expect(limitedLengthZero).greaterThan(limitedLengthOne);
+  expect(limitedLengthOne).greaterThan(limitedLengthTwo);
+});
+
+test("Really long builds get multi-unit timestamps", () => {
+  const { events } = parseEvents([
+    {
+      v: "1",
+      c: "BuiltPathResponseEventV1",
+      drv: "/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-0.drv",
+      outputs: ["/nix/store/qwlgz5da3pfb53gqpgdmazaj9jczrnly-dep-0"],
+      timing: {
+        startTime: "2025-04-11T14:38:02Z",
+        stopTime: "2026-05-14T13:32:01Z",
+        durationSeconds: 34383239,
+      },
+    },
+  ]);
+
+  expect(mermaidify(events, -1)).toStrictEqual(`\`\`\`mermaid
+gantt
+    dateFormat X
+    axisFormat %Mm%Ss
+/nix/store/rz9hrpay90sjrid5hx3x8v606ji679xa-dep-0.drv (573053m59s):d, 0, 34383239s
+\`\`\``);
+});

src/mermaid.ts

@@ -12,7 +12,7 @@ export function makeMermaidReport(events: DEvent[]): string | undefined {
     mermaid = mermaidify(events, pruneLevel) ?? "";
   } while (mermaid.length > maxLength);
 
-  if (mermaid === undefined) {
+  if (!mermaid) {
     return undefined;
   }
 
@@ -31,7 +31,7 @@ export function makeMermaidReport(events: DEvent[]): string | undefined {
   } else if (pruneLevel > 0) {
     lines.push("> [!NOTE]");
     lines.push(
-      `> \`/nix/store/[hash]\`, the \`.drv\` suffix, and builds that took less than ${pruneLevel}s have been removed to make the graph small enough to render.`,
+      `> \`/nix/store/[hash]\`, the \`.drv\` suffix, and builds that took less than ${formatDuration(pruneLevel)} have been removed to make the graph small enough to render.`,
     );
   }
 
@@ -81,10 +81,16 @@ export function mermaidify(
       (event.timing.startTime.getTime() - zeroMoment) / 1000;
 
     lines.push(
-      `${label} (${duration}s):${tag}, ${relativeStartTime}, ${duration}s`,
+      `${label} (${formatDuration(duration)}):${tag}, ${relativeStartTime}, ${duration}s`,
     );
   }
   lines.push("```");
 
   return lines.join("\n");
 }
+
+function formatDuration(duration: number): string {
+  const durSeconds = duration % 60;
+  const durMinutes = (duration - durSeconds) / 60;
+  return `${durMinutes > 0 ? `${durMinutes}m` : ""}${durSeconds}s`;
+}