From 634b46a7457e7c40574ed844995c8210d113561c Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 16:12:19 -0500
Subject: [PATCH 1/9] Add a step that runs post-inventory
---
 .github/workflows/workflow.yml | 11 +++++++++++
 README.md | 19 ++++++++++---------
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e448815..08fc231 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -53,6 +53,14 @@ on:
 required: false
 type: string
 default: ""
+ post-inventory-commands:
+ description: |
+ A command or set of commands to run at the end of the Inventory job.
+
+ For example, a linting step.
+ required: false
+ type: string
+ default: ""
 outputs:
 flake_name:
 value: ${{ jobs.success.outputs.flake_name }}
@@ -114,6 +122,9 @@ jobs:
 working-directory: ${{ inputs.directory }}
 run: |
 nix run "$FLAKE_ITER_FLAKEREF" -- systems
+ - name: Post-inventory commands
+ if: ${{ inputs.post-inventory-commands != '' }}
+ run: ${{ inputs.post-inventory-commands }}
 build:
 runs-on: ${{ matrix.systems.runner }}
 needs: inventory
diff --git a/README.md b/README.md
index 04a2415..599310c 100644
--- a/README.md
+++ b/README.md
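Review bot: The `post-inventory-commands` description does not say that the value is executed verbatim as shell code, which is exactly what the step added further down in this patch does with `run: ${{ inputs.post-inventory-commands }}`. Because the expression is expanded before the shell sees it, any caller that builds this input from event data (a PR title, a branch name) turns it into command injection, so the contract belongs in the description. Suggest: `Shell commands run as a step at the end of the Inventory job (for example, a linting command). The value is executed as code by the job's default shell; pass a literal script and never construct it from untrusted event data.`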
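Review bot: The new "Post-inventory commands" step has no `working-directory`, while the preceding `nix run "$FLAKE_ITER_FLAKEREF" -- systems` step runs in `${{ inputs.directory }}`; a linting command will therefore execute at the repository root rather than in the flake directory, which is presumably not what a caller who set `directory` expects. Add `working-directory: ${{ inputs.directory }}` between the `if:` and `run:` lines. It also specifies no `shell:`, and per the Actions docs an unspecified shell runs `bash -e` without `pipefail`, so a failing command on the left of a pipe in the caller's script would not fail the step; `shell: bash` gives `-eo pipefail`. The enclosing `inventory` job starts outside the hunk.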
@@ -51,15 +51,16 @@ You'll see something like this when your workflow has run successfully: ## Configuration options -| Parameter | Description | Default | -| :----------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------- | -| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | | -| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` | -| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` | -| `directory` | The root directory of your flake. | `.` | -| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` | -| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` | -| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | | +| Parameter | Description | Default | +| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------- | +| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | | +| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` | +| `enable-ssh-agent` | Whether to enable 
[`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
+| `directory` | The root directory of your flake. | `.` |
+| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
+| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` |
+| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
+| `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
 ## Example configurations
From d3c81b555631d870b7fd9c13d1ab505bf24af4b2 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 16:16:53 -0500
Subject: [PATCH 2/9] Add a test that makes sure cache.nixos.org is disabled (it'll fail.)
---
 .github/workflows/validate.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index b7e02ef..c92f6af 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -19,9 +19,24 @@ jobs:
 - run: nix develop -c prettier --check .
 DeterminateCI:
+ needs: DisabledCacheNixOSOrg
 uses: ./.github/workflows/workflow.yml
 permissions:
 id-token: write
 contents: read
 with:
 directory: ./tests/smoke
+
+ DisabledCacheNixOSOrg:
+ uses: ./.github/workflows/workflow.yml
+ permissions:
+ id-token: write
+ contents: read
+ with:
+ directory: ./tests/smoke
+ post-inventory-commands: |
+ if nix config show substituters | grep -q "cache.nixos.org"; then
+ echo "Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+ nix config show substituters
+ exit 1
+ fi
From ef8ae335bbc4fa88590c7e6e69dfa1186dabb76f Mon Sep 17 00:00:00 2001
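Review bot: The policy check in `post-inventory-commands` passes when `nix config show` itself fails: a nonzero exit or empty output leaves grep with nothing to match, the `if` condition is false, and the script exits 0, so a renamed or unavailable subcommand silently switches the guard off. Capture the output first so `-e` aborts on error: `substituters="$(nix config show substituters)"` followed by `if grep -qF cache.nixos.org <<<"$substituters"; then`, and echo `"$substituters"` in the failure branch instead of re-running the command. Separately, `needs: DisabledCacheNixOSOrg` serialises the smoke run behind this job and skips it whenever this job fails — which the commit message says it will — so the two jobs are better left independent.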
From: Graham Christensen
Date: Fri, 27 Feb 2026 16:24:55 -0500
Subject: [PATCH 3/9] success: depend on inventory
---
 .github/workflows/workflow.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 08fc231..09dce16 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -158,7 +158,9 @@ jobs:
 success:
 runs-on: ubuntu-latest
- needs: build
+ needs:
+ - inventory
+ - build
 if: ${{ always() }}
 permissions:
 id-token: write
From bbcfbf095345491d1cc8749e264cac831d89dae2 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 16:28:23 -0500
Subject: [PATCH 4/9] Add a tunable to turn off cache.nixos.org
---
 .github/workflows/validate.yml | 1 +
 .github/workflows/workflow.yml | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index c92f6af..41b3b0a 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -34,6 +34,7 @@ jobs:
 contents: read
 with:
 directory: ./tests/smoke
+ disable-cache-nixos-org: true
 post-inventory-commands: |
 if nix config show substituters | grep -q "cache.nixos.org"; then
 echo "Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 09dce16..a240cd3 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -53,6 +53,12 @@ on:
 required: false
 type: string
 default: ""
+ disable-cache-nixos-org:
+ description: |
+ Whether to disable cache.nixos.org as a substituter
+ required: false
+ type: boolean
+ default: false
 post-inventory-commands:
 description: |
 A command or set of commands to run at the end of the Inventory job.
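Review bot: With `disable-cache-nixos-org: true` added to `DisabledCacheNixOSOrg`, the validate workflow now exercises only the negative case; nothing demonstrates that the grep in `post-inventory-commands` would actually catch cache.nixos.org when the tunable is off, so a broken check and a working tunable are indistinguishable from a green run. A positive control — giving the existing `DeterminateCI` job a `post-inventory-commands` that asserts `nix config show substituters` does list cache.nixos.org — would pin both directions. A one-line comment on the new input, `# the check below must fail without this line; see DeterminateCI for the inverse`, would make the intent of the pair obvious to the next reader.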
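Review bot: The `disable-cache-nixos-org` description states the goal but not the mechanism or its limits, and from the other hunks in this patch the mechanism is a bare `substituters =` appended to `extra-conf`, which empties the whole substituter list rather than removing only cache.nixos.org, and touches nothing else. In particular it does not alter `trusted-public-keys`; if, as in stock Nix defaults, the cache.nixos.org signing key remains trusted, paths signed by it would presumably still be accepted when served from another substituter, so callers treating this as a trust boundary rather than a traffic switch should know that. Suggest: `Whether to disable cache.nixos.org as a substituter. Implemented by clearing the substituters list in extra-conf; substituters configured by later steps are unaffected, and the cache.nixos.org signing key is not removed from trusted-public-keys.`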
@@ -109,6 +115,9 @@ jobs:
 # disabled pending strategy discussion on exposing tunables
 # - uses: Determinatesystems/flake-checker-action@main
 - uses: DeterminateSystems/determinate-nix-action@v3
+ with:
+ extra-conf: |
+ ${{ inputs.disable-cache-nixos-org && 'substituters =' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
@@ -144,6 +153,7 @@ jobs:
 extra-conf: |
 extra-experimental-features = provenance
 ${{ inputs.extra-nix-conf }}
+ ${{ inputs.disable-cache-nixos-org && 'substituters =' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
From 54f059ba23f9e384d7f5e48eaa1eba1bb3685528 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 17:01:37 -0500
Subject: [PATCH 5/9] Add policy checks to enforce cache.nixos.org is disabled if it is preferred to be disabled
---
 .github/workflows/workflow.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index a240cd3..a995544 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -99,6 +99,18 @@ on:
 ssh-private-key:
 required: false
+env:
+ POLICY_TESTS: |
+ ${{ inputs.disable-cache-nixos-org && env.POLICY_TEST_CACHE_NIXOS_ORG || 'true' }}
+ POLICY_TEST_CACHE_NIXOS_ORG: |
+ if nix config show substituters | grep -q cache.nixos.org; then
+ echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+ nix config show substituters
+ exit 1
+ else
+ echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
+ fi
+
 jobs:
 inventory:
 runs-on: ubuntu-latest
@@ -117,8 +129,10 @@ jobs:
 - uses: DeterminateSystems/determinate-nix-action@v3
 with:
 extra-conf: |
- ${{ inputs.disable-cache-nixos-org && 'substituters =' }}
+ ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
+ - name: "Configuration policy checks"
+ run: ${{ env.POLICY_TESTS }}
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
 with:
@@ -153,8 +167,10 @@ jobs:
 extra-conf: |
 extra-experimental-features = provenance
 ${{ inputs.extra-nix-conf }}
- ${{ inputs.disable-cache-nixos-org && 'substituters =' }}
+ ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
+ - name: "Configuration policy checks"
+ run: ${{ env.POLICY_TESTS }}
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
 with:
@@ -192,9 +208,15 @@ jobs:
 - uses: actions/checkout@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 - uses: DeterminateSystems/determinate-nix-action@v3
+ with:
+ extra-conf: |
+ ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
+ - name: "Configuration policy checks"
+ if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
+ run: ${{ env.POLICY_TESTS }}
 - uses: DeterminateSystems/flakehub-push@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 id: publish
From a77a72c6cbb102b3a76949735cdc22e710491bb0 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 17:04:12 -0500
Subject: [PATCH 6/9] Fixup docs for ubuntu-24.04-arm
---
 .github/workflows/workflow.yml | 4 ++--
 README.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index a995544..f2b91fb 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -100,8 +100,6 @@ on:
 required: false
 env:
- POLICY_TESTS: |
- ${{ inputs.disable-cache-nixos-org && env.POLICY_TEST_CACHE_NIXOS_ORG || 'true' }}
 POLICY_TEST_CACHE_NIXOS_ORG: |
 if nix config show substituters | grep -q cache.nixos.org; then
 echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
@@ -110,6 +108,8 @@ env:
 else
 echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
 fi
+ POLICY_TESTS: |
+ ${{ inputs.disable-cache-nixos-org && env.POLICY_TEST_CACHE_NIXOS_ORG || 'true' }}
 jobs:
 inventory:
diff --git a/README.md b/README.md
index 599310c..eccdec9 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ You'll see something like this when your workflow has run successfully:
 | `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
 | `directory` | The root directory of your flake. | `.` |
 | `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
-| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` |
+| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-24.04-arm" }` |
 | `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
 | `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
From 6c44412cb5ce3420f5bb383ca81e264127f0ac68 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 18:11:06 -0500
Subject: [PATCH 7/9] oeunthoesnuth
---
 .github/workflows/workflow.yml | 45 ++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index f2b91fb..c86f8e5 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -99,18 +99,6 @@ on:
 ssh-private-key:
 required: false
-env:
- POLICY_TEST_CACHE_NIXOS_ORG: |
- if nix config show substituters | grep -q cache.nixos.org; then
- echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
- nix config show substituters
- exit 1
- else
- echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
- fi
- POLICY_TESTS: |
- ${{ inputs.disable-cache-nixos-org && env.POLICY_TEST_CACHE_NIXOS_ORG || 'true' }}
-
 jobs:
 inventory:
 runs-on: ubuntu-latest
@@ -129,10 +117,19 @@ jobs:
 - uses: DeterminateSystems/determinate-nix-action@v3
 with:
 extra-conf: |
- ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
+ ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
- - name: "Configuration policy checks"
- run: ${{ env.POLICY_TESTS }}
+ - &policy_step
+ name: "Configuration policy checks"
+ if: ${{ inputs.disable-cache-nixos-org == true }}
+ run: |
+ if nix config show substituters | grep -q cache.nixos.org; then
+ echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+ nix config show substituters
+ exit 1
+ else
+ echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
+ fi
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
 with:
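Review bot: The inlined policy check fails open: the step sets no `shell:`, so per the Actions docs it runs under `bash -e` without `pipefail`, and if `nix config show` exits nonzero or prints nothing the pipeline's status is grep's "no match", the `if` is false, and the else branch prints ✅ and exits 0 — exactly when the guard is least trustworthy. Capturing the output into a variable first makes a failed `nix config show` abort the step under `-e`, and `grep -F` avoids the unescaped dots matching more than intended (harmless here, since over-matching fails closed, but cheap to fix). The `&policy_step` anchor is also worth a comment, since anchor support in Actions workflow files is recent and some linters still reject it — confirm the parser in use accepts it before relying on the alias in the build job. The enclosing `inventory` job begins outside the hunk.

```yaml
      - &policy_step
        name: "Configuration policy checks"
        if: ${{ inputs.disable-cache-nixos-org == true }}
        shell: bash
        run: |
          # Capture first: a failing `nix config show` must abort under -e rather
          # than leave grep with empty input and report success.
          substituters="$(nix config show substituters)"
          if grep -qF 'cache.nixos.org' <<<"$substituters"; then
            echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
            echo "$substituters"
            exit 1
          else
            echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
          fi
```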
@@ -167,10 +164,9 @@ jobs:
 extra-conf: |
 extra-experimental-features = provenance
 ${{ inputs.extra-nix-conf }}
- ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
+ ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
 - uses: DeterminateSystems/flakehub-cache-action@main
- - name: "Configuration policy checks"
- run: ${{ env.POLICY_TESTS }}
+ - *policy_step
 - uses: webfactory/ssh-agent@v0.9.0
 if: ${{ inputs.enable-ssh-agent }}
 with:
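Review bot: The `substituters =` line sits after `${{ inputs.extra-nix-conf }}`, and that order is what lets the tunable win over a caller-supplied `substituters` line (assuming last-assignment-wins in nix.conf), yet nothing records that the position is load-bearing; a future reorder would silently re-enable the cache while the policy step downstream becomes the only thing catching it. Add above the line: `# Keep last: must override any substituters set via extra-nix-conf`. The `*policy_step` alias also carries the anchored step's `if:` with it, so this job's check is skipped unless the tunable is on — consistent with the inventory job, but invisible at this call site, which a short comment on the alias line could say. The enclosing `build` job starts outside the hunk.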
@@ -210,13 +206,20 @@ jobs:
 - uses: DeterminateSystems/determinate-nix-action@v3
 with:
 extra-conf: |
- ${{ inputs.disable-cache-nixos-org && 'substituters =' || '' }}
+ ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 - name: "Configuration policy checks"
- if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
- run: ${{ env.POLICY_TESTS }}
+ if: ${{ inputs.disable-cache-nixos-org == true && (!github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/'))) }}
+ run: |
+ if nix config show substituters | grep -q cache.nixos.org; then
+ echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+ nix config show substituters
+ exit 1
+ else
+ echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
+ fi
 - uses: DeterminateSystems/flakehub-push@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 id: publish
From b9d4c439a6d0846eb119fb7b1904485cb718c96d Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 18:16:14 -0500
Subject: [PATCH 8/9] fixup
---
 README.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index eccdec9..14ddc2e 100644
--- a/README.md
+++ b/README.md
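Review bot: This publish-job copy of the policy script has the same fail-open shape as the others: when `nix config show` exits nonzero or prints nothing, grep matches nothing, the else branch reports ✅, and the step that immediately precedes `flakehub-push` succeeds with the policy unverified — the one place where a silent pass matters most. Replace `if nix config show substituters | grep -q cache.nixos.org; then` with `substituters="$(nix config show substituters)"` followed by `if grep -qF 'cache.nixos.org' <<<"$substituters"; then`, and print `"$substituters"` in the failure branch instead of re-running the command. Since this step cannot reuse `*policy_step` (its `if:` differs), the three copies will drift; a comment pointing at the inventory step as the canonical version, or a composite action referenced by full repository path, would keep them aligned. The enclosing publish job begins outside the hunk.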
@@ -51,16 +51,16 @@ You'll see something like this when your workflow has run successfully: ## Configuration options -| Parameter | Description | Default | -| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------- | -| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | | -| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` | -| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` | -| `directory` | The root directory of your flake. | `.` | -| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` | +| Parameter | Description | Default | +| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- | +| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | | +| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` | +| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` | +| `directory` | The root directory of your flake. 
| `.` |
+| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
 | `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-24.04-arm" }` |
-| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
-| `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
+| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
+| `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
 ## Example configurations
From 0d18a341933a628d11e8a28c4fcdb032e49056f5 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 27 Feb 2026 18:25:39 -0500
Subject: [PATCH 9/9] Document disable-cache-nixos-org
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 14ddc2e..287a7cb 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ You'll see something like this when your workflow has run successfully:
 | `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-24.04-arm" }` |
 | `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
 | `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
+| `disable-cache-nixos-org` | Do not substitute from cache.nixos.org. | `false` (use cache.nixos.org) |
 ## Example configurations