From 28f5af67b04ca578083b1704a66610c2506c50b5 Mon Sep 17 00:00:00 2001 From: Luc Perkins Date: Thu, 28 May 2026 16:41:13 -0700 Subject: [PATCH 1/5] GitHub Actions pinning --- .envrc | 2 + .github/dependabot.yml | 16 ++++++-- .github/workflows/build.yml | 57 +++++++++++++++++++--------- .github/workflows/ci.yml | 75 +++++++++++++++++++++++-------------- .github/zizmor.yml | 5 +++ 5 files changed, 106 insertions(+), 49 deletions(-) create mode 100644 .envrc create mode 100644 .github/zizmor.yml diff --git a/.envrc b/.envrc new file mode 100644 index 000000000000..0f94eedeb55d --- /dev/null +++ b/.envrc @@ -0,0 +1,2 @@ +# shellcheck shell=bash +use flake diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace4600a1f2..d89d38d5525b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,16 @@ version: 2 + updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly + cooldown: + default-days: 7 + groups: + actions: + patterns: ["*"] + ignore: + - dependency-name: DeterminateSystems/* + commit-message: + prefix: ci diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c10c3ee00892..f59b3643197d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
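Review bot: The new `ignore: - dependency-name: DeterminateSystems/*` entry in `.github/dependabot.yml` has no accompanying comment, yet it is what keeps the only actions still referenced by a branch (`determinate-nix-action@main` and `flakehub-cache-action@main` in build.yml) outside both the pinning and the update automation this commit introduces. A maintainer reading the file later cannot tell an intentional first-party trust decision from an oversight, so add a comment above the entry, e.g. `# first-party actions intentionally track main; exempted from hash-pinning in .github/zizmor.yml as well`. If the intent is to eventually pin them too, a TODO here is the natural place, since nothing else in the series will ever open a PR for these refs.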
@@ -52,12 +52,16 @@ jobs: fail-fast: false runs-on: ${{ inputs.runner }} timeout-minutes: 60 + env: + SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L - - run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball + - run: nix build ".#packages.${SYSTEM}.default" ".#packages.${SYSTEM}.binaryTarball" --no-link -L + - run: nix build ".#packages.${SYSTEM}.binaryTarball" --out-link tarball - run: nix build .#^debug,out - name: Upload debug info to Sentry run: ./maintainers/upload-debug-info-to-sentry.py --debug-dir ./result-debug ./result/bin/nix @@ -66,9 +70,9 @@ jobs: SENTRY_AUTH_TOKEN: ${{ secrets.sentry_auth_token }} SENTRY_ORG: ${{ secrets.sentry_org }} SENTRY_PROJECT: ${{ secrets.sentry_project }} - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: - name: ${{ inputs.system }} + name: ${{ env.SYSTEM }} path: ./tarball/*.xz build_static: @@ -77,11 +81,15 @@ jobs: fail-fast: false runs-on: ${{ inputs.runner }} timeout-minutes: 60 + env: + SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build .#packages.${{ inputs.system }}.nix-cli-static --no-link -L + - run: nix build ".#packages.${SYSTEM}.nix-cli-static" --no-link -L test: if: ${{ inputs.if && inputs.run_tests}} 
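Review bot: The `- uses: DeterminateSystems/determinate-nix-action@main` and `- uses: DeterminateSystems/flakehub-cache-action@main` steps directly after the newly SHA-pinned checkout are still mutable branch references, and this is the `build` job that the ci.yml callers grant `id-token: write` and that receives the Sentry secrets in the following step, so a compromise of that branch would execute with the most capable token in the workflow. The zizmor policy added in this series exempts `DeterminateSystems/*`, so the linter will not surface this. If the floating ref is deliberate, record it in the workflow itself, e.g. `# first-party; tracks main by policy (see .github/zizmor.yml)`, or pin to a release SHA with the tag in a trailing comment as done for the other actions. The same two lines recur in `build_static` and `test` in the following hunks.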
@@ -90,18 +98,24 @@ jobs: fail-fast: false runs-on: ${{ inputs.runner }} timeout-minutes: 60 + env: + SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix flake check -L --system ${{ inputs.system }} + - run: nix flake check -L --system "${SYSTEM}" vm_tests_smoke: if: inputs.run_vm_tests && github.event_name != 'merge_group' needs: build runs-on: ${{ inputs.runner_for_virt }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - run: | @@ -117,7 +131,9 @@ jobs: needs: build runs-on: ${{ inputs.runner_for_virt }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - run: | 
@@ -174,23 +190,28 @@ jobs: steps: - name: Checkout nix - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Checkout flake-regressions - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: NixOS/flake-regressions path: flake-regressions + persist-credentials: false - name: Checkout flake-regressions-data - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: NixOS/flake-regressions-data path: flake-regressions/tests + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - name: Run flake regression tests env: #PARALLEL: ${{ !contains(matrix.nix_config, 'eval-cores') && '-P 50%' || '-P 1' }} - PARALLEL: '-P 1' + PARALLEL: "-P 1" FLAKE_REGRESSION_GLOB: ${{ matrix.glob }} NIX_CONFIG: ${{ matrix.nix_config }} PREFETCH: "1" @@ -230,13 +251,15 @@ jobs: deployments: "write" steps: - name: Checkout nix - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - name: Build manual if: inputs.system == 'x86_64-linux' run: nix build .#hydraJobs.manual - - uses: nwtgck/actions-netlify@v3.0 + - uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0.0 if: inputs.publish_manual && inputs.system == 'x86_64-linux' with: publish-dir: "./result/share/doc/nix/manual" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 132f559ce16a..6b655c75c006 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
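Review bot: The `NixOS/flake-regressions` and `NixOS/flake-regressions-data` checkouts gain `persist-credentials: false` but no `ref:`, so they still fetch whatever the default branch of those third-party repositories currently points to, which is the same mutable-input exposure this commit removes for actions. Their content appears to drive the `Run flake regression tests` step, so anyone with push access to those repositories can change what this job executes; pin each with a commit SHA, e.g. `ref: <sha>  # bumped <date>`, and bump it through the same review process as the action SHAs. If tracking HEAD is intentional for test coverage, a comment on the `repository:` lines saying so would keep a future reviewer from re-raising it.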
@@ -13,25 +13,25 @@ on: types: - published -permissions: - id-token: "write" - contents: "read" - pull-requests: "write" - statuses: "write" - deployments: "write" - jobs: eval: runs-on: UbuntuLatest32Cores128G + permissions: + id-token: write + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - run: nix flake show --all-systems --json build_x86_64-linux: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: system: x86_64-linux runner: namespace-profile-linuxamd32c64g-cache @@ -50,17 +50,20 @@ jobs: build_aarch64-linux: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: if: ${{ - github.event_name != 'pull_request' - || ( - github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' - && ( - (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') - || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) - ) - ) - }} + github.event_name != 'pull_request' + || ( + github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) + ) + }} system: aarch64-linux runner: UbuntuLatest32Cores128GArm runner_for_virt: UbuntuLatest32Cores128GArm @@ -72,6 +75,9 @@ jobs: build_aarch64-darwin: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: system: aarch64-darwin runner: namespace-profile-mac-m2-12c28g 
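Review bot: Each `uses: ./.github/workflows/build.yml` caller now passes only `id-token: write` and `contents: read`, but the job in build.yml that publishes the manual still declares `deployments: "write"` (visible as context elsewhere in this series), and a called workflow cannot request more than its caller grants; if I read the rules correctly, GitHub will fail that run with a "requesting 'deployments: write', but is only allowed 'deployments: none'" error once `publish_manual` is exercised. Either add `deployments: write` (and whatever the Netlify step needs for `pull-requests`/`statuses`, if it uses `GITHUB_TOKEN`) to the callers for which `publish_manual` can be true, or drop the grant from the called job if the Netlify action authenticates with its own token only. Removing the workflow-level `permissions:` block is the right direction; it just needs a passing run on a branch that reaches the publish path to confirm the per-job grants are complete.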
@@ -84,6 +90,12 @@ jobs: success: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + pull-requests: write + statuses: write + deployments: write needs: - eval - build_x86_64-linux @@ -102,14 +114,17 @@ jobs: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@main - name: Create artifacts directory run: mkdir -p ./artifacts - name: Fetch artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: downloaded - name: Move downloaded artifacts to artifacts directory @@ -121,15 +136,15 @@ jobs: - name: Build fallback-paths.nix if: ${{ - github.event_name != 'pull_request' - || ( - github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' - && ( - (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') - || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) - ) - ) - }} + github.event_name != 'pull_request' + || ( + github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) + ) + }} run: | nix build .#fallbackPathsNix --out-link fallback cat fallback > ./artifacts/fallback-paths.nix @@ -154,7 +169,9 @@ jobs: contents: write id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-push@main with: 
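Review bot: The `success` job's new `permissions:` block (`pull-requests: write`, `statuses: write`, `deployments: write`, plus `id-token: write`) reproduces the removed workflow-level grant almost verbatim rather than a per-job minimum, and none of the steps visible in this hunk (checkout, Nix install, `mkdir`, `download-artifact`, the `fallback-paths.nix` build) uses those three write scopes. This job also runs on `pull_request`, so it is the place where an over-broad token does the most harm if any step is ever influenced by PR content. Trim the block to what the remaining steps actually call (the job body continues past the hunk, so check its later steps before deciding) and leave a one-line comment beside any scope that must stay, e.g. `statuses: write  # <step name> posts the commit status`.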
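Review bot: `DeterminateSystems/flakehub-push@main` stays on a branch ref in the one job of this workflow that holds `contents: write` (the permissions are context lines above the hunk; the job header is outside it), so after this series the publishing path is the least pinned and most privileged step in the repository's CI. Pinning matters more here than anywhere else: the action receives a token that can write to the repository and, via `id-token: write`, mint OIDC identities in the repository's name. Pin it to a release SHA with the tag in a trailing comment like the other actions, or at minimum document the exemption inline, e.g. `# first-party; tracks main per .github/zizmor.yml`.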
diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000000..abdc40becdbb --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + DeterminateSystems/*: ref-pin From 44fc55eab30146e3e5d3a645146f91ddee8439e5 Mon Sep 17 00:00:00 2001 From: Luc Perkins Date: Thu, 28 May 2026 16:42:34 -0700 Subject: [PATCH 2/5] Add zizmor checking workflow --- .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000000..e6a3c98e6b56 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ +name: zizmor + +on: + push: + branches: + - main + pull_request: + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + config: .github/zizmor.yml From 49a75107b8f0187e52c02c2a8e2d8e33c0043524 Mon Sep 17 00:00:00 2001 From: Luc Perkins Date: Wed, 3 Jun 2026 16:48:46 -0700 Subject: [PATCH 3/5] Bump Action versions again --- .github/workflows/build.yml | 18 +++++++++--------- .github/workflows/ci.yml | 6 +++--- .github/workflows/zizmor.yml | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f59b3643197d..9aefd8febe37 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
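Review bot: The `DeterminateSystems/*: ref-pin` policy accepts any ref, including a branch name, so `@main` satisfies it and zizmor stays silent on exactly the references this series leaves floating; only `hash-pin` would require a commit SHA. If branch-tracking is the intended trust posture for first-party actions, say so in the file, e.g. `# first-party actions may track a branch; everything else must be hash-pinned`, so the relaxation is visibly deliberate rather than a misunderstanding of what `ref-pin` checks. Otherwise switch the policy to `hash-pin` and remove the matching Dependabot `ignore` so the SHAs are kept current automatically.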
@@ -55,7 +55,7 @@ jobs: env: SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main @@ -84,7 +84,7 @@ jobs: env: SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main @@ -101,7 +101,7 @@ jobs: env: SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main @@ -113,7 +113,7 @@ jobs: needs: build runs-on: ${{ inputs.runner_for_virt }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main @@ -131,7 +131,7 @@ jobs: needs: build runs-on: ${{ inputs.runner_for_virt }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main 
@@ -190,18 +190,18 @@ jobs: steps: - name: Checkout nix - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: Checkout flake-regressions - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: NixOS/flake-regressions path: flake-regressions persist-credentials: false - name: Checkout flake-regressions-data - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: NixOS/flake-regressions-data path: flake-regressions/tests @@ -251,7 +251,7 @@ jobs: deployments: "write" steps: - name: Checkout nix - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b655c75c006..7a8a73595f78 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -114,7 +114,7 @@ jobs: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -169,7 +169,7 @@ jobs: contents: write id-token: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e6a3c98e6b56..9397c97fe057 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -15,7 +15,7 @@ jobs: actions: read steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false From 0ac4c16ee10ca2c129280467dda6da6072b1b045 Mon Sep 17 00:00:00 2001 From: Luc Perkins Date: Tue, 9 Jun 2026 10:12:43 -0700 Subject: [PATCH 4/5] Update action hashes again --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0ca37569135c..b5fbbea21ab8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -278,7 +278,7 @@ jobs: - name: Build manual if: inputs.system == 'x86_64-linux' run: nix build "${FLAKE}#hydraJobs.manual" - - uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0.0 + - uses: nwtgck/actions-netlify@d22a32a27c918fe470bbc562e984f80ec48c2668 # v4.0.0 if: inputs.publish_manual && inputs.system == 'x86_64-linux' with: publish-dir: "./result/share/doc/nix/manual" From deeba6a5c52215719ab20a7a2346858b745f6a69 Mon Sep 17 00:00:00 2001 From: Luc Perkins Date: Tue, 9 Jun 2026 10:18:39 -0700 Subject: [PATCH 5/5] Set advanced-security to false for zizmor Action --- .github/workflows/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9397c97fe057..685f4ff10397 100644 
--- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -23,3 +23,4 @@ jobs: uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: config: .github/zizmor.yml + advanced-security: false
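Review bot: With `advanced-security: false` the action presumably stops uploading SARIF to code scanning, which was the only reason the job needed `security-events: write` and `actions: read` in its `permissions:` block (above this hunk); if that is what the flag controls, those grants should be reduced to `contents: read` in the same change so the linter job no longer carries a write scope it does not use. The commit message does not say why the upload is disabled, so add the reason inline, e.g. `advanced-security: false  # no code-scanning upload; findings stay in the job log` (adjusted to the real reason). A reader otherwise has to guess whether this is a licensing constraint or a temporary workaround.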