Merge pull request #252 from detsys-pr-bot/detsys-ts-update-bc7c106804f775f17c754b620f1dfd23add68e03

Update `detsys-ts`: Merge pull request #177 from DeterminateSystems/dependabot/npm_and_yarn/fast-xml-parser-5.7.3

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     needs:
       - check-dist-up-to-date
       - install-nix
@@ -24,48 +24,46 @@ jobs:
 
   check-dist-up-to-date:
     name: Check the dist/ folder is up to date
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/flakehub-cache-action@main
-      - name: pnpm install
-        run: nix develop --command pnpm install
+      - name: npm install
+        run: nix develop --command npm ci
       - name: prettier format
-        run: nix develop --command pnpm run check-fmt
+        run: nix develop --command npm run check-fmt
       - name: ESLint
-        run: nix develop --command pnpm run lint
+        run: nix develop --command npm run lint
       - name: tsup build
-        run: nix develop --command pnpm run build
+        run: nix develop --command npm run build
       - name: ncc package
-        run: nix develop --command pnpm run package
+        run: nix develop --command npm run package
       - name: Git status
         run: git status --porcelain=v1
       - name: Ensure no staged changes
         run: git diff --exit-code
 
   install-nix:
-    name: "Test: ${{ matrix.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
+    name: "Test: ${{ matrix.system.nix-system }} on ${{ matrix.system.runner }}${{ matrix.determinate && ' with determinate' || '' }}"
     strategy:
       fail-fast: false
       matrix:
-        runner:
-          - ubuntu-latest
-          - nscloud-ubuntu-22.04-amd64-4x16
-          - namespace-profile-default-arm64
-          # - macos-12-large # determinate-nixd is broken on macos-12
-          - macos-13-large
-          - macos-14-large
-          - macos-14-xlarge # arm64
+        system:
+          - {
+              nix-system: x86_64-linux,
+              runner: nscloud-ubuntu-22.04-amd64-4x16,
+            }
+          - { nix-system: aarch64-darwin, runner: macos-latest }
         determinate:
           - true
           - false
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.system.runner }}
     permissions:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install Nix
         uses: ./
         with:
@@ -78,7 +76,7 @@ jobs:
         run: echo $PATH
 
       - name: Render the devshell
-        if: (success() || failure()) && matrix.runner != 'macos-13-large' && matrix.runner != 'macos-14-large'
+        if: (success() || failure())
         run: |
           nix develop --command date
 
@@ -146,7 +144,7 @@ jobs:
 
   install-with-non-default-source-inputs:
     name: Install Nix using non-default source-${{ matrix.inputs.key }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     strategy:
       matrix:
         inputs:
@@ -156,7 +154,7 @@ jobs:
             nix-version: "2.31.2" # 3.11.3 is based on 2.31.2
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install with alternative source-${{ matrix.inputs.key }}
         uses: ./
         with:
@@ -167,9 +165,9 @@ jobs:
 
   install-no-id-token:
     name: Install Nix without an ID token
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: ./
         with:
           _internal-strict-mode: true

.prettierignore

@@ -1,3 +1,6 @@
+.direnv/
 dist/
 lib/
-node_modules/
+node_modules/
+package-lock.json
+

CONTRIBUTING.md

@@ -1,5 +1,5 @@
 # Submitting Pull Requests
 
-Run `pnpm install` to install necessary JS tools.
+Run `npm ci` to install necessary JS tools.
 
 This action is based off https://github.com/actions/javascript-action. As part of your contributing flow you **must** run `npm run all` before we can merge.

README.md

@@ -1,14 +1,14 @@
 # The Determinate Nix Installer Action
 
-Based on the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer), responsible for over tens of thousands of Nix installs daily.
-The fast, friendly, and reliable GitHub Action to install Nix with Flakes.
+The fast, friendly, and reliable GitHub Action to install [Determinate Nix][det-nix] with [flakes].
+The Determinate Nix Installer Action is based on [Determinate Nix Installer][installer], which is responsible for tens of thousands of installs daily.
 
 ## Supports
 
 - ✅ **Accelerated KVM** on open source projects and larger runners. See [GitHub's announcement](https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/) for more info.
-- ✅ Linux, x86_64, aarch64, and i686
-- ✅ macOS, x86_64 and aarch64
-- ✅ WSL2, x86_64 and aarch64
+- ✅ Linux (x86_64 and aarch64)
+- ✅ macOS (aarch64)
+- ✅ Windows Subsystem for Linux (WSL) (x86_64 and aarch64)
 - ✅ Containers
 - ✅ Valve's SteamOS
 - ✅ GitHub Enterprise Server
@@ -27,14 +27,18 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: DeterminateSystems/nix-installer-action@main
       - run: nix build .
 ```
 
+> [!NOTE]
+> This Action installs [Determinate Nix][det-nix] by default.
+> You can, however, use it to install [upstream Nix](#installing-upstream-nix) until **January 1, 2026**.
+
 ### With FlakeHub
 
-To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and use [`determinate-nix-action`][determinate-nix-action]:
+To fetch private flakes from FlakeHub and Nix builds from FlakeHub Cache, update the `permissions` block and use [`determinate-nix-action`][determinate-nix-action] instead of this Action:
 
 ```yaml
 on:
@@ -50,7 +54,7 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: DeterminateSystems/determinate-nix-action@v3
       - run: nix build .
 ```
@@ -59,8 +63,8 @@ See [`.github/workflows/ci.yml`](.github/workflows/ci.yml) for a full example.
 
 ### Pinning the version
 
-This GitHub Action uses the most recent version of the Determinate Nix Installer, even when the Action itself is pinned.
-If you wish to pin your CI workflows to a specific version, use the [`determinate-nix-action`][determinate-nix-action].
+This GitHub Action uses the most recent version of Determinate Nix Installer, even when the Action itself is pinned.
+If you wish to pin your CI workflows to a specific Determinate Nix version, use the [`determinate-nix-action`][determinate-nix-action].
 That Action is updated and tagged for every Determinate release.
 
 The `DeterminateSystems/determinate-nix-action@v3.5.2` reference, for example, always installs Determinate Nix v3.5.2.
@@ -84,8 +88,8 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
   - the `nix-command` and `flakes` features are enabled
   - `bash-prompt-prefix` is set
   - `auto-optimise-store` is set to `true` (On Linux only)
-  * `extra-nix-path` is set to `nixpkgs=flake:nixpkgs`
-  * `max-jobs` is set to `auto`
+  - `extra-nix-path` is set to `nixpkgs=flake:nixpkgs`
+  - `max-jobs` is set to `auto`
 - KVM is enabled by default.
 - an installation receipt (for uninstalling) is stored at `/nix/receipt.json` as well as a copy of the install binary at `/nix/nix-installer`
 - `nix-channel --update` is not run, `~/.nix-channels` is not provisioned
@@ -128,15 +132,32 @@ Differing from the upstream [Nix](https://github.com/NixOS/nix) installer script
 | `reinstall`             | Force a reinstall if an existing installation is detected (consider backing up `/nix/store`)                                                                                                                                                                                   | Boolean                                    | `false`                                                        |
 | `start-daemon`          | If the daemon should be started, requires `planner: linux-multi`                                                                                                                                                                                                               | Boolean                                    | `false`                                                        |
 | `trust-runner-user`     | Whether to make the runner user trusted by the Nix daemon                                                                                                                                                                                                                      | Boolean                                    | `true`                                                         |
+| `summarize`             | Whether to add a build summary and timeline chart to the GitHub job summary                                                                                                                                                                                                    | Boolean                                    | `true`                                                         |
 | `diagnostic-endpoint`   | Diagnostic endpoint url where the installer sends install [diagnostic reports](https://github.com/DeterminateSystems/nix-installer#diagnostics) to, to disable set this to an empty string                                                                                     | string                                     | `https://install.determinate.systems/nix-installer/diagnostic` |
 | `proxy`                 | The proxy to use (if any), valid proxy bases are `https://$URL`, `http://$URL` and `socks5://$URL`                                                                                                                                                                             | string                                     |                                                                |
 | `ssl-cert-file`         | An SSL cert to use (if any), used for fetching Nix and sets `NIX_SSL_CERT_FILE` for Nix                                                                                                                                                                                        | string                                     |                                                                |
 
+## Installing upstream Nix
+
+Although Determinate Nix is the default, you can also use this Action to install [upstream Nix][upstream].
+Make sure to set `determinate: false` in the Action's configuration:
+
+```yaml
+- uses: DeterminateSystems/nix-installer-action@main
+  with:
+    determinate: false
+```
+
+This option will be available until **January 1, 2026**, at which point installing upstream Nix using this Action will no longer be possible.
+
 [apfs]: https://en.wikipedia.org/wiki/Apple_File_System
 [backtrace]: https://doc.rust-lang.org/std/backtrace/index.html#environment-variables
 [dependabot-actions]: https://github.com/DeterminateSystems/determinate-nix-action?tab=readme-ov-file#-automate-updates-with-dependabot
+[det-nix]: https://docs.determinate.systems/determinate-nix
 [determinate-nix-action]: https://github.com/DeterminateSystems/determinate-nix-action
 [github token]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+[installer]: https://github.com/DeterminateSystems/nix-installer
 [planner]: https://github.com/determinateSystems/nix-installer#usage
 [profile]: https://nixos.org/manual/nix/stable/package-management/profiles
 [tracing directives]: https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives
+[upstream]: https://github.com/NixOS/nix

action.yml

@@ -126,6 +126,9 @@ inputs:
   trust-runner-user:
     description: Whether to make the runner user trusted by the Nix daemon
     default: true
+  summarize:
+    description: Whether to add a build summary and timeline chart to the GitHub job summary
+    default: true
   nix-installer-branch:
     description: (deprecated) The branch of `nix-installer` to use (conflicts with `nix-installer-tag`, `nix-installer-revision`, `nix-installer-pr`)
     required: false
@@ -147,6 +150,6 @@ inputs:
     default: false
 
 runs:
-  using: "node20"
+  using: "node24"
   main: "dist/index.js"
   post: "dist/index.js"

flake.lock

@@ -1,36 +1,21 @@
 {
   "nodes": {
-    "flake-schemas": {
-      "locked": {
-        "lastModified": 1693491534,
-        "narHash": "sha256-ifw8Td8kD08J8DxFbYjeIx5naHcDLz7s2IFP3X42I/U=",
-        "rev": "c702cbb663d6d70bbb716584a2ee3aeb35017279",
-        "revCount": 21,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.1/018a4c59-80e1-708a-bb4d-854930c20f72/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%2A.tar.gz"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1696879762,
-        "narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
-        "rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
-        "revCount": 534224,
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "revCount": 992384,
         "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.534224%2Brev-f99e5f03cc0aa231ab5950a15ed02afec45ed51a/018b1d3c-12f0-76a5-b796-7668d7633f08/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.992384%2Brev-549bd84d6279f9852cae6225e372cc67fb91a4c1/019df915-70b5-73a2-a5a4-63c620b45d9f/source.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.0.tar.gz"
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1"
       }
     },
     "root": {
       "inputs": {
-        "flake-schemas": "flake-schemas",
         "nixpkgs": "nixpkgs"
       }
     }

flake.nix

@@ -2,30 +2,44 @@
 {
   description = "Development environment for the Nix Installer action for GitHub.";
 
-  inputs = {
-    flake-schemas.url = "https://flakehub.com/f/DeterminateSystems/flake-schemas/*.tar.gz";
-    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.0.tar.gz";
-  };
+  inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1";
 
-  outputs = { self, flake-schemas, nixpkgs }:
+  outputs =
+    { self, ... }@inputs:
     let
-      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" ];
-      forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
-        pkgs = import nixpkgs { inherit system; };
-      });
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-darwin"
+      ];
+      forEachSupportedSystem =
+        f:
+        inputs.nixpkgs.lib.genAttrs supportedSystems (
+          system:
+          f {
+            inherit system;
+            pkgs = import inputs.nixpkgs { inherit system; };
+          }
+        );
     in
     {
-      schemas = flake-schemas.schemas;
+      devShells = forEachSupportedSystem (
+        { pkgs, system }:
+        {
+          default = pkgs.mkShell {
+            packages = with pkgs; [
+              nodejs_latest
+              self.formatter.${system}
 
-      devShells = forEachSupportedSystem ({ pkgs }: {
-        default = pkgs.mkShell {
-          packages = with pkgs; [
-            nodejs_latest
-            nixpkgs-fmt
-            nodePackages_latest.pnpm
-            nodePackages_latest.typescript-language-server
-          ];
-        };
-      });
+              # Keep people from accidentally running pnpm
+              (writeScriptBin "pnpm" ''
+                echo "pnpm is no longer used in this repo; use npm instead"
+                exit 1
+              '')
+            ];
+          };
+        }
+      );
+
+      formatter = forEachSupportedSystem ({ pkgs, ... }: pkgs.nixfmt);
     };
 }

package.json

@@ -12,7 +12,7 @@
     "lint": "eslint src/**/*.ts",
     "package": "ncc build",
     "test": "vitest --watch false",
-    "all": "pnpm run test && pnpm run format && pnpm run lint && pnpm run build && pnpm run package"
+    "all": "npm run test && npm run format && npm run lint && npm run build && npm run package"
   },
   "repository": {
     "type": "git",
@@ -26,17 +26,17 @@
   },
   "homepage": "https://github.com/DeterminateSystems/nix-installer-action#readme",
   "dependencies": {
-    "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.1",
+    "@actions/core": "^3.0.0",
+    "@actions/exec": "^3.0.0",
+    "@actions/github": "^9.0.0",
     "detsys-ts": "github:DeterminateSystems/detsys-ts",
-    "got": "^14.6.2",
+    "got": "^14.6.6",
     "string-argv": "^0.3.2",
     "vitest": "^3.2.4"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.19.24",
+    "@types/node": "^20.19.37",
     "@types/uuid": "^9.0.8",
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@vercel/ncc": "^0.38.4",
@@ -44,9 +44,9 @@
     "eslint-import-resolver-typescript": "^3.10.1",
     "eslint-plugin-github": "^4.10.2",
     "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-prettier": "^5.5.4",
-    "prettier": "^3.6.2",
-    "tsup": "^8.5.0",
+    "eslint-plugin-prettier": "^5.5.5",
+    "prettier": "^3.8.1",
+    "tsup": "^8.5.1",
     "typescript": "^5.9.3"
   }
 }

src/index.ts

@@ -88,6 +88,7 @@ class NixInstallerAction extends DetSysAction {
   startDaemon: boolean;
   trustRunnerUser: boolean;
   runnerOs: string | undefined;
+  summarize: boolean;
 
   constructor() {
     if (platform.getArchOs() === "X64-macOS") {
@@ -152,6 +153,7 @@ class NixInstallerAction extends DetSysAction {
     this.reinstall = inputs.getBool("reinstall");
     this.startDaemon = inputs.getBool("start-daemon");
     this.trustRunnerUser = inputs.getBool("trust-runner-user");
+    this.summarize = inputs.getBool("summarize");
     this.runnerOs = process.env["RUNNER_OS"];
   }
 
@@ -164,12 +166,14 @@ class NixInstallerAction extends DetSysAction {
 
   async post(): Promise<void> {
     await this.annotateMismatches();
-    try {
-      await this.summarizeExecution();
-    } catch (err: unknown) {
-      this.recordEvent("summarize-execution:error", {
-        exception: stringifyError(err),
-      });
+    if (this.summarize) {
+      try {
+        await this.summarizeExecution();
+      } catch (err: unknown) {
+        this.recordEvent("summarize-execution:error", {
+          exception: stringifyError(err),
+        });
+      }
     }
     await this.cleanupNoSystemd();
     await this.reportOverall();
@@ -392,6 +396,7 @@ class NixInstallerAction extends DetSysAction {
       }
       extraConf += "\n";
     }
+    extraConf += `build-provenance-tags = ${JSON.stringify(this.getBuildProvenanceTags())}\n`;
     if (this.extraConf !== null && this.extraConf.length !== 0) {
       extraConf += this.extraConf.join("\n");
       extraConf += "\n";
@@ -417,6 +422,26 @@ class NixInstallerAction extends DetSysAction {
     return executionEnv;
   }
 
+  getBuildProvenanceTags(): Record<string, string> {
+    const mapping = {
+      GITHUB_WORKFLOW_REF: "github_workflow_ref",
+      GITHUB_WORKFLOW_SHA: "github_workflow_sha",
+      GITHUB_SHA: "github_sha",
+      GITHUB_RUN_ATTEMPT: "github_run_attempt",
+      GITHUB_RUN_ID: "github_run_id",
+      GITHUB_RUN_NUMBER: "github_run_number",
+      GITHUB_JOB: "github_job",
+      GITHUB_REF: "github_ref",
+      GITHUB_REPOSITORY: "github_repository",
+      GITHUB_SERVER_URL: "github_server_url",
+    };
+
+    const tags = Object.entries(mapping)
+      .map(([sourceKey, targetKey]) => [targetKey, process.env[sourceKey]])
+      .filter(([_, value]) => value !== undefined);
+    return { ...Object.fromEntries(tags), builder: "github-actions" };
+  }
+
   private get installerArgs(): string[] {
     const args = ["install"];
 

tsup.config.ts

@@ -5,7 +5,7 @@ export default defineConfig({
   name,
   entry: ["src/index.ts"],
   format: ["esm"],
-  target: "node20",
+  target: "node24",
   bundle: true,
   splitting: false,
   clean: true,

vitest.config.ts

@@ -0,0 +1,5 @@
+export default {
+  test: {
+    exclude: ["**/node_modules/**", "**/.direnv/**"],
+  },
+};