[Nix] Update flake.lock (59 weeks behind) + Fix CI for Nix

[RyanPrussin]

Overview

A bunch of Nix CI commands are failing, and as a result the process you guys have to automate updating the flake.lock file has failed for 59 weeks straight and therefore the version of Nix being used is over a year behind.

I did the following:

• Ran the command nix flake update manually to update the flake.lock file
• Made changes to to fix the GitHub Action for checking the Nix flake
• Made changes to fix the GitHub Action for updating flake dependencies

Type of change

• Created a new plugin
• Improved an existing plugin
• Fixed a bug in an existing plugin
• Improved contributor utilities or experience

How To Test

• Run: nix flake check --all-systems

Changelog

Update flake.lock to most recent version of nixpkgs and fix GitHub CI workflows related to Nix.

[RyanPrussin]

The purpose of this change is to fix the automated Nix CI workflow for the nix flake check command.

The Problem

The old workflow used pull_request_target, which caused it to run checks against the outdated flake.lock file from the main branch, leading to consistent failures due to the constraints of this workflow (which requires the tested branch to have a flake.lock file generated in the last 30 days).

See image source here

The Solution

This change switches the workflow to the pull_request trigger, which correctly runs checks against the flake.lock being added in a pull request branch rather than against the flake.lock in the main branch.

Why It's Still Failing

Because the workflow specifications are read from the main branch, the new pull_request trigger will not take effect until this change is merged. The checks will continue to fail until then, and as a result you will likely have to override the checks to deploy this.

[RyanPrussin]

The purpose of this change is to ensure that this CI check is triggered in all cases it is required, i.e. whenever any changes are made to any files in the project that have a .nix file extension.

The Problem

'*.nix' only grabs Nix files in the project root directory, e.g. flake.nix. This means this check won't get triggered if a PR has changes applied to .nix files elsewhere in the project, such as in the nix directory. This effectively means files outside of the root directory like nix/shell-plugins.nix can be changed without this workflow being triggered.

The Solution

'**.nix' is the format recommended by GitHub's docs; it should ensure that this GitHub workflow will trigger on changes to any Nix files in any directories in the project, avoiding situations where checks should have been run but were not.

[RyanPrussin]

The purpose of this change is to fix the broken weekly Update flake dependencies GitHub workflow.

The Problem

Once a week and on manual workflow executions, the same branch name automation/update-flake-dependencies is being created even though it is never being updated or cleaned up, which causes it to fail on on each subsequent run of this GitHub Action.

See full error log from screenshot here.

The Solution

Add a timestamp to the end of the branch name so it is unique. This means that a new branch + PR will be created on every run of this workflow.

[RyanPrussin]

Note: the reason I made a separate branch was under the assumption that if a new branch and PR is created every week, it will notify the 2nd reviewer more frequently and may result in more of the PRs getting the 2nd approvals they need, but obviously it's more of a spammy solution.

[RyanPrussin]

Normally I would not have updated the lock file in the same PR as CI changes, but your entire CI pipeline for Nix is not working as expected and that is partially because it is dependent on an up-to-date flake.lock file generated within the last 30 days in order to pass checks. See The Problem in this comment for more details.

[RyanPrussin]

Hi @mrjones2014,

I noticed you're a key maintainer for the Nix tooling on this project, and I'm a big fan of the work you've done.

I saw that the Nix-related GitHub Actions workflows have been failing recently and that the flake.lock file is quite out of date. This PR aims to correct some of those issues.

I've left detailed comments to explain the fixes. Please note that the CI checks on this PR are currently failing because the existing broken workflow from the main branch is being used. My proposed changes won't be active until this PR is merged (the comments go more into depth on this).

If you have the bandwidth, I'd be happy to submit a few more small fixes to help get the project's Nix tooling back on track.

Thanks for your work making 1Password/shell-plugins available to the Nix community, and let me know if there is anything else I can help with!

[mrjones2014]

Hi, thanks for your contribution!

I've previously attempted to solve part of this problem by making it update the existing PR if one exists.

I've also attempted to reduce the approval burden by automating one of two required approvals.

Unfortunately, this stuff has just not merged because the repo policy requires two approvals, including one from a user with write access to the repo (which I don't have).

As I've also been unable to get any of the Nix related PRs merged, I've unfortunately resorted to just vendoring the Nix 1Password Shell Plugins functionality into my own dotfiles.

[RyanPrussin]

I really think fixing the approval burden would help enormously -- I almost mentioned in my last comment it seemed like that was the big blocker from what I've seen. I wish I could approve that 1-liner for the 1Password-bot to help you out, but obviously as someone from outside of your organization I understand that probably isn't possible.

Thanks for sharing your vendoring solution -- I will do something similar for the time being! Let me know if there's anything else you think I can do to contribute.

[mrjones2014]

Hi @RyanPrussin thanks for your contributions! We've kickstarted Nix maintenance again internally, partly thanks to your PR!

This PR has been superseded now by the combination of:

• [automation]: Update Flake dependencies #469
• fix(ci): Don't try to create a PR if one already exists #542
• fix(nix): Resolve warning about 1Password nixpkgs name #541
• Pass args to plugin shell functions #545

Closing this one as the issues are now resolved by the above PRs, thanks again!

[RyanPrussin]

Glad to hear it, @mrjones2014 !

I did just want to mention that you should probably still make these changes:

• Replace pull_request_target trigger with pull_request, as per this comment
  • This makes sure nix flake check is run on the most recent commit in this PR rather than on the base of the PR
  • GitHub docs state: Avoid using [the pull_request_target] event if you need to build or run code from the pull request. (see docs)
  • Otherwise, the nix flake check isn't really testing the new changes on a PR, but rather the current state of main at the time this branch was created
  • Without this, people could break things in their PRs and you won't find out until after it is merged into main
• Update *.nix to **.nix, as per this comment
  • This ensures that nix flake check is triggered by changes to .nix files anywhere in the project
  • Currently, changes to any of the .nix files in the nix/ directory will not trigger nix flake check to run, which is why you can see no automated checks were run in your PRs here and here

[mrjones2014]

Gotcha, if you submit a PR with those changes I'm happy to review!