Merged
7 changes: 7 additions & 0 deletions .github/workflows/workflow.yml
Expand Up @@ -47,6 +47,12 @@ on:
"x86_64-linux": "ubuntu-latest",
"aarch64-linux": "ubuntu-24.04-arm"
}
extra-nix-conf:
description: |
Extra Nix configuration passed to Determinate Nix
required: false
type: string
default: ""
outputs:
flake_name:
value: ${{ jobs.success.outputs.flake_name }}
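Review bot: the description of the new `extra-nix-conf` input ("Extra Nix configuration passed to Determinate Nix") does not say what form the value takes or how far it reaches. The value is free-form text that the calling workflow controls and that is handed to Determinate Nix as configuration, so the description should say it is raw `nix.conf` lines (one setting per line, multi-line allowed) and that settings like `substituters` or `trusted-public-keys` supplied here will be honoured, so callers understand they are widening trust for the build. Something like `description: Raw nix.conf lines appended to the Determinate Nix configuration (multi-line allowed)` would make that explicit.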
Expand Down Expand Up @@ -126,6 +132,7 @@ jobs:
with:
extra-conf: |
extra-experimental-features = provenance
${{ inputs.extra-nix-conf }}
Comment on lines 133 to +135
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Show all Determinate Nix action usages and their surrounding context.
rg -n -C3 'DeterminateSystems/determinate-nix-action@v3' .github/workflows/workflow.yml
```

Repository: DeterminateSystems/ci

Length of output: 1449


Propagate extra-nix-conf to all Determinate Nix steps.

The extra-conf block with extra-experimental-features = provenance and ${{ inputs.extra-nix-conf }} is only applied in the build job (lines 131-135). The inventory job (line 103) and success/publish job (line 171) also run Determinate Nix without this config, which can break workflows that rely on extra Nix settings before build or during publish. Apply the same extra-conf block to all Determinate Nix action invocations.

Suggested fix (apply extra-conf consistently)
@@
-      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/determinate-nix-action@v3
+        with:
+          extra-conf: |
+            extra-experimental-features = provenance
+            ${{ inputs.extra-nix-conf }}
@@
-      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/determinate-nix-action@v3
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
+        with:
+          extra-conf: |
+            extra-experimental-features = provenance
+            ${{ inputs.extra-nix-conf }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/workflow.yml around lines 133 - 135, The Determinate Nix
invocations only include the extra-conf block in the build job; mirror that same
extra-conf block (containing "extra-experimental-features = provenance" and "${{
inputs.extra-nix-conf }}") on the other Determinate Nix action steps so
inventory and success/publish runs receive the same settings—update the
Determinate Nix steps in the inventory job and the success/publish job to
include the identical extra-conf block used in the build job.

- uses: DeterminateSystems/flakehub-cache-action@main
- uses: webfactory/ssh-agent@v0.9.0
if: ${{ inputs.enable-ssh-agent }}
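Review bot: `${{ inputs.extra-nix-conf }}` is interpolated verbatim as the second line of the `extra-conf` block scalar, after `extra-experimental-features = provenance`, with no validation, so whatever the calling workflow supplies becomes Nix configuration for this step. That is acceptable for a reusable workflow whose caller is trusted, but a caller line that repeats `extra-experimental-features` or another setting fixed here lands later in the configuration, so the interaction with the provenance setting should be checked rather than assumed. Because `${{ }}` expansion happens after YAML parsing, a multi-line input passes through intact; the README example should show that form. The earlier comment's point also holds: if the other Determinate Nix steps it lists exist without this block, they run without the caller's settings.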
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -59,6 +59,7 @@ You'll see something like this when your workflow has run successfully:
| `directory` | The root directory of your flake. | `.` |
| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` |
| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |

## Example configurations
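Review bot: the new `extra-nix-conf` row leaves the default column empty while the workflow declares `default: ""`; write the default as `""` so readers know an empty string, not an unset value, is the baseline, and extend the description to say the value is raw `nix.conf` lines (multi-line allowed). While in this table: the `runner-map` default shown here maps `aarch64-linux` to `ubuntu-latest`, but the workflow hunk above shows the workflow's default as `"aarch64-linux": "ubuntu-24.04-arm"`; the README row should be brought in line with the workflow.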
