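--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns: ["*"]
+    ignore:
+      - dependency-name: DeterminateSystems/*
+    commit-message:
+      prefix: ci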
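Review bot: The `ignore` entry for `DeterminateSystems/*` carries no comment saying why, and it is one half of a decision spread across this PR: `.github/zizmor.yml` in the same change gives that org a `ref-pin` policy, so its actions stay on branch refs like `@main` and also never get an update PR here. Because the ignore matches the whole org, any `DeterminateSystems/*` action that is commit-pinned (update-flake-lock.yml pins `determinate-nix-action` to a SHA) will not be bumped either and will go stale silently. I'd add `# Same-org actions are tracked on branch refs; see the ref-pin policy in .github/zizmor.yml` above the `ignore` entry, and either keep that org on branch refs everywhere or narrow the ignore so the pinned one still gets updates.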
16 changes: 10 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -16,7 +16,9 @@ jobs:
contents: read
steps:
- name: git checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Check Nixpkgs input
uses: DeterminateSystems/flake-checker-action@main
Expand All @@ -31,15 +33,15 @@ jobs:
echo "NPM_CACHE_DIRECTORY=$(nix develop --command npm config get cache | tr -d '\n')" >> $GITHUB_ENV

- name: Set up npm cache
uses: actions/cache@v5
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ env.NPM_CACHE_DIRECTORY }}
key: npm-cache-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
npm-cache

- name: Restore Lychee cache
uses: actions/cache@v5
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: .lycheecache
key: lychee-cache-${{ github.sha }}
Expand All @@ -49,7 +51,7 @@ jobs:
run: nix develop --command ci

- name: Check external links
uses: lycheeverse/lychee-action@v2
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand All @@ -62,7 +64,7 @@ jobs:

- name: Save Lychee cache
if: success() || failure()
uses: actions/cache/save@v5
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: .lycheecache
key: cache-lychee-${{ github.sha }}
Expand All @@ -87,7 +89,9 @@ jobs:
- nix-system: x86_64-linux
runner: UbuntuLatest32Cores128G
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
Comment on lines +92 to +94



⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that checkout credentials are disabled while git push is still used
rg -nC3 'persist-credentials:\s*false|git push origin' .github/workflows/ci.yml

# Verify there is no explicit authenticated remote setup before push
rg -nC3 'git remote set-url|x-access-token|https://.*github.com' .github/workflows/ci.yml

Repository: DeterminateSystems/zero-to-nix

Length of output: 56


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== file = $FILE =="
ls -l "$FILE" || true
echo "== line 60-160 =="
sed -n '60,160p' "$FILE" | nl -ba -w3 -s':'
echo "== full grep matches =="
echo "--- persist-credentials ---"
rg -n "persist-credentials" "$FILE" || true
echo "--- git push ---"
rg -n "git push" "$FILE" || true
echo "--- git remote set-url ---"
rg -n "git remote set-url" "$FILE" || true
echo "--- token/x-access-token/https://github.com ---"
rg -n "x-access-token|https://.*github.com|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 265


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== file = $FILE =="
ls -l "$FILE" || true
echo "== line 60-160 =="
sed -n '60,160p' "$FILE" | nl -ba -w3 -s':'
echo "== full grep matches =="
echo "--- persist-credentials ---"
rg -n "persist-credentials" "$FILE" || true
echo "--- git push ---"
rg -n "git push" "$FILE" || true
echo "--- git remote set-url ---"
rg -n "git remote set-url" "$FILE" || true
echo "--- token/x-access-token/https://github.com ---"
rg -n "x-access-token|https://.*github.com|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 265


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== grep basics =="
echo "-- persist-credentials --"
rg -n "persist-credentials" "$FILE" || true
echo "-- git push --"
rg -n "git push" "$FILE" || true
echo "-- git remote set-url --"
rg -n "git remote set-url" "$FILE" || true
echo "-- token/https --"
rg -n "x-access-token|https://github\.com|GITHUB_TOKEN" "$FILE" || true

echo "== show around 70-140 with sed+awk line numbers =="
sed -n '70,140p' "$FILE" | awk '{printf "%4d:%s\n", NR+69, $0}'

Repository: DeterminateSystems/zero-to-nix

Length of output: 2633


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
wc -l "$FILE"
echo "== top 80 =="
sed -n '1,80p' "$FILE"
echo "== around token at line 1-70 and 40-70 =="
sed -n '1,70p' "$FILE" | nl -ba 2>/dev/null || sed -n '1,70p' "$FILE" # fallback if nl missing
echo "== around lines 85-140 =="
sed -n '85,140p' "$FILE"
echo "== search for reconfig/auth commands =="
rg -n "git (config|remote)|extraheader|http(s)?:\\/\\/github\\.com|credential|token\\b|GITHUB_TOKEN" "$FILE"

Repository: DeterminateSystems/zero-to-nix

Length of output: 6260


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "Lines: $(wc -l < "$FILE")"
echo "---- top 90 ----"
sed -n '1,90p' "$FILE"
echo "---- around Fix hash mismatches ----"
sed -n '90,150p' "$FILE"
echo "---- auth-related searches ----"
rg -n "git (config|remote|credential)|extraheader|http(s)?:\\/\\/github\\.com|x-access-token|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 4318


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "Lines: $(wc -l < "$FILE")"
echo "---- top 90 ----"
sed -n '1,90p' "$FILE"
echo "---- around Fix hash mismatches ----"
sed -n '90,150p' "$FILE"
echo "---- auth-related searches ----"
rg -n "git (config|remote|credential)|extraheader|http(s)?:\\/\\/github\\.com|x-access-token|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 4318


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "Lines: $(wc -l < "$FILE")"
echo "---- top 90 ----"
sed -n '1,90p' "$FILE"
echo "---- around Fix hash mismatches ----"
sed -n '90,150p' "$FILE"
echo "---- auth-related searches ----"
rg -n "git (config|remote|credential)|extraheader|http(s)?:\\/\\/github\\.com|x-access-token|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 4318


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"

echo "== git remote / set-url =="
rg -n "git remote|remote set-url" "$FILE" || true

echo "== extraheader / credential helpers / http auth =="
rg -n "extraheader|credential|http\\.|GIT_ASKPASS|GITHUB_TOKEN" "$FILE" || true

echo "== x-access-token or token in URL =="
rg -n "x-access-token|github\\.com/.*@" "$FILE" || true

echo "== any other checkout steps (re-persist credentials) =="
rg -n "uses: actions/checkout" "$FILE"

echo "== show around second persist-credentials (near line 94) =="
sed -n '80,140p' "$FILE"

Repository: DeterminateSystems/zero-to-nix

Length of output: 2321


Fix git push auth when using persist-credentials: false in ci workflow
build-shells-and-templates checks out with persist-credentials: false, but the later Fix hash mismatches step commits and runs git push origin "$GITHUB_HEAD_REF". There’s no authenticated origin reconfiguration (e.g., git remote set-url with a token) in this workflow before the push, so the fallback push path can fail.

Suggested patch
       - name: Fix hash mismatches
         if: failure() && github.event_name == 'pull_request'
         id: fix-hashes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}`@github.com/`${GITHUB_REPOSITORY}.git"
           git stash --include-untracked
           git fetch --depth=1 origin "$GITHUB_HEAD_REF"
           git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 92 - 94, The workflow checks out with
actions/checkout@... using persist-credentials: false, then the "Fix hash
mismatches" step runs git commit && git push origin "$GITHUB_HEAD_REF" without
re-authenticating; fix it by either setting persist-credentials: true on that
checkout or add a step before the push that reconfigures origin to include the
GITHUB_TOKEN (e.g., git remote set-url origin
https://x-access-token:$GITHUB_TOKEN@github.com/${{ github.repository }}.git) so
the git push in the "Fix hash mismatches" step succeeds.

- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main

4 changes: 3 additions & 1 deletion .github/workflows/flakehub-cache.yml
Expand Up @@ -20,7 +20,9 @@ jobs:
- nix-system: x86_64-linux
runner: UbuntuLatest32Cores128G
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Build dev shell for ${{ matrix.systems.nix-system }} on ${{ matrix.systems.runner }}
4 changes: 3 additions & 1 deletion .github/workflows/flakehub-publish-rolling.yml
Expand Up @@ -12,7 +12,9 @@ jobs:
id-token: write
contents: read
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-push@main
with:
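Review bot: This job grants `id-token: write` and hands that OIDC capability to `DeterminateSystems/flakehub-push@main`, a mutable branch ref, while the checkout in the same hunk is now commit-pinned. The `ref-pin` exemption for `DeterminateSystems/*` in the new `.github/zizmor.yml` makes this pass the audit, but a publishing job that mints an identity token is where a floating ref has the most consequence if that branch ever changes unexpectedly. update-flake-lock.yml in this PR already pins `determinate-nix-action` to a commit; doing the same here (`uses: DeterminateSystems/flakehub-push@<commit-sha> # <version>`) or, if the branch ref is intentional, a one-line comment above the step saying so would make the exception explicit rather than implied. The step's `with:` inputs continue below the hunk.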
14 changes: 9 additions & 5 deletions .github/workflows/update-flake-lock.yml
Expand Up @@ -14,8 +14,10 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/determinate-nix-action@v3
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1
- uses: DeterminateSystems/update-flake-lock@main
with:
pr-title: "Update root Nix flake inputs" # Title of PR to be created
Expand All @@ -31,8 +33,10 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/determinate-nix-action@v3
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Update template flake.lock files
id: update
Expand All @@ -48,7 +52,7 @@ jobs:
fi
- name: Create pull request for changes
if: ${{ steps.detect-changes.outputs.changed == 'true' }}
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
with:
base: main
branch: flake-template-input-update
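Review bot: `determinate-nix-action` is pinned to a commit in both hunks here (`9adf02b4… # v3.21.1`), but the same action stays on `@main` in ci.yml, flakehub-cache.yml and flakehub-publish-rolling.yml, and the new dependabot.yml ignores `DeterminateSystems/*`, so this pin will never receive an update PR and will drift behind the branch the other workflows follow. Pick one treatment for that org: pin it everywhere and narrow or remove the dependabot ignore, or keep it on the branch ref here like the other workflows do. Separately, `peter-evans/create-pull-request` moves from `v7` to `5f6978fa… # v8.1.1` in the last hunk; that is a major-version change rather than a pure pin, so I'd confirm the inputs this step uses (`base`, `branch`, and the ones below the hunk) behave the same on v8 before merging.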
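--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: zizmor
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          config: .github/zizmor.yml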
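Review bot: `security-events: write` under `permissions:` only yields a writable token for pushes to `main` and for PRs from branches in this repository; on a `pull_request` run from a fork the `GITHUB_TOKEN` is read-only regardless of that block, so if the action uploads SARIF to code scanning by default (confirm against its inputs) those runs will fail at the upload rather than at the audit. If fork PRs are expected, either accept that or skip the upload on fork runs using whatever switch the action offers, keyed on `github.event.pull_request.head.repo.fork`. A short comment above `permissions:` such as `# security-events: write is for the SARIF upload to code scanning` would tell the next reader why a read-only audit job needs a write scope. I also could not confirm that `config` is an accepted input of `zizmor-action` (zizmor itself discovers `.github/zizmor.yml` on its own); an unknown input is only warned about, so it is worth checking the run log once.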
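--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        DeterminateSystems/*: ref-pin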
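Review bot: The `ref-pin` policy for `DeterminateSystems/*` is the only rule in the file and nothing records why that org is exempt from the hash-pin expectation `unpinned-uses` applies to third-party actions by default. Since this repository is itself under DeterminateSystems, the intent is presumably that same-org actions are trusted on branch or tag refs; I'd state that in place with `# Same-org actions may use branch/tag refs; everything else must be commit-pinned` above `unpinned-uses:`. That also makes it visible that the `DeterminateSystems/*` ignore in the new dependabot.yml is the other half of the same decision, so a future change to one is not made without the other.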