16 changes: 16 additions & 0 deletions .github/workflows/validate.yml
Expand Up @@ -19,9 +19,25 @@ jobs:
- run: nix develop -c prettier --check .

DeterminateCI:
needs: DisabledCacheNixOSOrg
uses: ./.github/workflows/workflow.yml
permissions:
id-token: write
contents: read
with:
directory: ./tests/smoke

DisabledCacheNixOSOrg:
uses: ./.github/workflows/workflow.yml
permissions:
id-token: write
contents: read
with:
directory: ./tests/smoke
disable-cache-nixos-org: true
post-inventory-commands: |
if nix config show substituters | grep -q "cache.nixos.org"; then
echo "Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
nix config show substituters
exit 1
fi
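Review bot: the `post-inventory-commands` script in `DisabledCacheNixOSOrg` re-implements the "Configuration policy checks" step that `workflow.yml` already runs whenever `disable-cache-nixos-org: true`, so the same condition is evaluated twice in that job; if the purpose is to exercise the `post-inventory-commands` input end to end, a one-line comment saying so will stop a later cleanup from deleting one copy. The check is also fail-open as written: the `if nix config show substituters | grep -q ...` pipeline is an `if` condition, so `-e` does not apply to it, and a `nix config show` that errors out leaves `grep -q` with empty input, the branch is not taken, and the step passes. Capture first (`subs=$(nix config show substituters)`, then test `"$subs"` with `grep -qF 'cache.nixos.org'`), so a failing show command aborts the step and the pattern is matched literally rather than as a regex. Separately, `needs: DisabledCacheNixOSOrg` on `DeterminateCI` serialises two jobs that exchange no data; if that is only to limit concurrent runners, say so, otherwise dropping `needs` lets them run in parallel.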
50 changes: 49 additions & 1 deletion .github/workflows/workflow.yml
Expand Up @@ -53,6 +53,20 @@ on:
required: false
type: string
default: ""
disable-cache-nixos-org:
description: |
Whether to disable cache.nixos.org as a substituter
required: false
type: boolean
default: false
post-inventory-commands:
description: |
A command or set of commands to run at the end of the Inventory job.

For example, a linting step.
required: false
type: string
default: ""
outputs:
flake_name:
value: ${{ jobs.success.outputs.flake_name }}
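Review bot: the `disable-cache-nixos-org` description understates what the flag does. The implementation appends `substituters =` to the Nix configuration, which empties the whole substituters list rather than removing only cache.nixos.org (a caller's own `substituters` or `extra-substituters` lines in `extra-nix-conf` are cleared as well, since the policy line is appended after them in the build job), leaving only what later steps such as `flakehub-cache-action` add, and it adds a policy step that fails the job if cache.nixos.org is still present. Put both effects in the description. For `post-inventory-commands`, state that the string is executed verbatim as a `run:` script inside the Inventory job, so it runs with that job's `permissions` (`id-token: write`, `contents: read`), and name the directory it runs from.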
Expand Down Expand Up @@ -101,7 +115,21 @@ jobs:
# disabled pending strategy discussion on exposing tunables
# - uses: Determinatesystems/flake-checker-action@main
- uses: DeterminateSystems/determinate-nix-action@v3
with:
extra-conf: |
${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
- uses: DeterminateSystems/flakehub-cache-action@main
- &policy_step
name: "Configuration policy checks"
if: ${{ inputs.disable-cache-nixos-org == true }}
run: |
if nix config show substituters | grep -q cache.nixos.org; then
echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
nix config show substituters
exit 1
else
echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
fi
- uses: webfactory/ssh-agent@v0.9.0
if: ${{ inputs.enable-ssh-agent }}
with:
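Review bot: the policy check in `&policy_step` is fail-open. `-e` is suspended inside an `if` condition, so when `nix config show substituters` fails (no Nix on PATH, unknown subcommand, or similar) `grep -q` sees empty input, the `else` branch prints the ✅ line, and the step succeeds without having verified anything. Assign first and test the variable: `subs=$(nix config show substituters)` fails the step under `-e`, then `printf '%s\n' "$subs" | grep -qF 'cache.nixos.org'` does the match; `-F` also avoids `.` matching any character in the unanchored regex used here. Two smaller points: the `&policy_step` anchor (aliased as `*policy_step` in the build job) depends on the Actions workflow parser accepting YAML anchors, which it did not for a long time, so confirm the file parses on GitHub before merging; and the `success` job already pastes this step verbatim because its `if:` differs, so a plain copy here would at least be consistent.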
Expand All @@ -114,6 +142,9 @@ jobs:
working-directory: ${{ inputs.directory }}
run: |
nix run "$FLAKE_ITER_FLAKEREF" -- systems
- name: Post-inventory commands
if: ${{ inputs.post-inventory-commands != '' }}
run: ${{ inputs.post-inventory-commands }}
Comment on lines +145 to +147
⚠️ Potential issue | 🟡 Minor

Run post-inventory commands in the configured flake directory.

On Line 127, commands run from the repository root, but the inventory command runs in inputs.directory (Line 122). For non-root flakes, post-inventory commands can execute against the wrong path.

Suggested fix
       - name: Post-inventory commands
         if: ${{ inputs.post-inventory-commands != '' }}
+        working-directory: ${{ inputs.directory }}
         run: ${{ inputs.post-inventory-commands }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Post-inventory commands
if: ${{ inputs.post-inventory-commands != '' }}
run: ${{ inputs.post-inventory-commands }}
- name: Post-inventory commands
if: ${{ inputs.post-inventory-commands != '' }}
working-directory: ${{ inputs.directory }}
run: ${{ inputs.post-inventory-commands }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/workflow.yml around lines 125 - 127, The "Post-inventory
commands" step currently runs commands from the repo root causing wrong paths
for non-root flakes; update that step to execute in the configured flake
directory by either adding working-directory: ${{ inputs.directory }} to the
"Post-inventory commands" job step or prefixing the run command with cd ${{
inputs.directory }} && ${{ inputs.post-inventory-commands }} so the step uses
the same inputs.directory as the inventory step.

build:
runs-on: ${{ matrix.systems.runner }}
needs: inventory
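Review bot: in addition to the `working-directory` point raised above, the "Post-inventory commands" step sets no `shell:`, so the caller's script runs under the default `bash -e {0}` without `pipefail`; a pipeline whose left-hand command fails (exactly the shape of the check in `tests/smoke`) still exits 0 as long as the last command succeeds. Adding `shell: bash` gives `bash --noprofile --norc -eo pipefail {0}`, which is the behaviour a caller writing a linting step most likely expects, and is worth noting in the input's description together with the fact that the string is executed verbatim.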
Expand All @@ -133,7 +164,9 @@ jobs:
extra-conf: |
extra-experimental-features = provenance
${{ inputs.extra-nix-conf }}
${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
- uses: DeterminateSystems/flakehub-cache-action@main
- *policy_step
- uses: webfactory/ssh-agent@v0.9.0
if: ${{ inputs.enable-ssh-agent }}
with:
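Review bot: the `${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}` line is only effective because it is appended after `${{ inputs.extra-nix-conf }}`; Nix applies settings in file order, so a caller's `substituters = https://cache.nixos.org` in `extra-nix-conf` is overridden by the later empty assignment, which is the intent. Add a YAML comment above the line saying the ordering is deliberate so a future edit does not move it above `extra-nix-conf`, and note in the README that `extra-substituters` entries from `extra-nix-conf` are cleared by the same line. The `*policy_step` alias here shares the anchor-support caveat from the inventory job.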
Expand All @@ -147,7 +180,9 @@ jobs:

success:
runs-on: ubuntu-latest
needs: build
needs:
- inventory
- build
if: ${{ always() }}
permissions:
id-token: write
Expand All @@ -169,9 +204,22 @@ jobs:
- uses: actions/checkout@main
if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
- uses: DeterminateSystems/determinate-nix-action@v3
with:
extra-conf: |
${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
- uses: DeterminateSystems/flakehub-cache-action@main
if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
- name: "Configuration policy checks"
if: ${{ inputs.disable-cache-nixos-org == true && (!github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/'))) }}
run: |
if nix config show substituters | grep -q cache.nixos.org; then
echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
nix config show substituters
exit 1
else
echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
fi
- uses: DeterminateSystems/flakehub-push@main
if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
id: publish
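Review bot: the publish condition `!github.repository.fork && inputs.visibility != '' && (github.ref == format(...) || startsWith(github.ref, 'refs/tags/'))` is now repeated verbatim on five steps, and the policy check is pasted in full rather than aliased as `*policy_step` because its `if:` has to carry that condition too. Compute it once, for example as a job-level `env:` value (`PUBLISH: ${{ ... }}`) and use `if: ${{ env.PUBLISH == 'true' }}` and `if: ${{ env.PUBLISH == 'true' && inputs.disable-cache-nixos-org == true }}` on the steps, so the condition is maintained in one place. This copy of the check has the same fail-open `if nix config show ... | grep -q` construction as the shared step; whatever fix lands there should land here as well, which is another reason to keep a single definition.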
20 changes: 11 additions & 9 deletions README.md
Expand Up @@ -51,15 +51,17 @@ You'll see something like this when your workflow has run successfully:

## Configuration options

| Parameter | Description | Default |
| :----------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------- |
| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | |
| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` |
| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
| `directory` | The root directory of your flake. | `.` |
| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` |
| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
| Parameter | Description | Default |
| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- |
| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | |
| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` |
| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
| `directory` | The root directory of your flake. | `.` |
| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-24.04-arm" }` |
| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
| `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
| `disable-cache-nixos-org` | Do not substitute from cache.nixos.org. | `false` (use cache.nixos.org) |

## Example configurations

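Review bot: the `runner-map` default row changes `aarch64-linux` from `ubuntu-latest` to `ubuntu-24.04-arm`, which is unrelated to the substituter and post-inventory features and does not appear in the `workflow.yml` hunks in this diff; confirm it reflects the actual default in `workflow.yml` or split it into its own change. For the two new rows: "Do not substitute from cache.nixos.org." should say the option empties the substituters list (including any the caller adds via `extra-nix-conf`) and fails the job if cache.nixos.org remains configured, and "Commands to run after the inventory step" should say the string is run as a shell script inside the Inventory job and from which directory. The Default column is also inconsistent: `post-inventory-commands` says `unset` while `extra-nix-conf`, whose default is likewise `""`, leaves the cell empty.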