fix: update nix to 2.34.6 for GHSA-g3g9-5vj6-r3gj (#2109)

* fix: update nix for GHSA-g3g9-5vj6-r3gj

* fix: make sure we install right version

* fix: print nix version on build

* fix: use same method everywhere to control version

* fix: handle adding nix to path for gh action

* chore: bump to release

* feat: actually nix 2.43.6 instead as nixpkgs jumped past 2.33.x

Author: samrose

.github/actions/nix-install-ephemeral/action.yml

@@ -41,15 +41,30 @@ runs:
         sudo chmod +x /etc/nix/upload-to-cache.sh
       env:
         NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
-    - uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c
-      with:
-        installer-version: 2.33.2
-        extra-conf: |
-          substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-          trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-          ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
-          max-jobs = 4
-          extra-system-features = kvm
+    - name: Install Nix
+      shell: bash
+      run: |
+        sudo tee /tmp/nix-extra.conf > /dev/null <<'NIXCONF'
+        extra-experimental-features = nix-command flakes
+        substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+        trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+        max-jobs = 4
+        extra-system-features = kvm
+        NIXCONF
+
+        if [ "${{ inputs.push-to-cache }}" = "true" ]; then
+          echo "post-build-hook = /etc/nix/upload-to-cache.sh" | sudo tee -a /tmp/nix-extra.conf > /dev/null
+        fi
+
+        curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file /tmp/nix-extra.conf
+
+        # Add nix to PATH for subsequent steps
+        echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
+        # Source the daemon profile so nix works in this step too
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    - name: Print Nix version
+      shell: bash
+      run: nix --version
     - name: Setup KVM permissions
       shell: bash
       run: |

.github/actions/nix-install-self-hosted/action.yml

@@ -18,6 +18,9 @@ runs:
         role-session-name: gha-oidc-${{ github.run_id }}
         role-duration-seconds: ${{ inputs.aws-role-duration }}
 
+    - name: Print Nix version
+      shell: bash
+      run: nix --version
     - name: Write creds files
       shell: bash
       run: |

Dockerfile-15

@@ -27,8 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .

Dockerfile-17

@@ -27,9 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .

Dockerfile-multigres

@@ -28,9 +28,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .

Dockerfile-orioledb-17

@@ -27,9 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -297,7 +297,7 @@ function initiate_upgrade {
                         --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
                     else
                         echo "1.1.1. Installing Nix using the official installer"
-                        sh <(curl -L https://releases.nixos.org/nix/nix-2.33.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+                        sh <(curl -L https://releases.nixos.org/nix/nix-2.34.6/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
 extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
@@ -312,6 +312,7 @@ EXTRA_NIX_CONF
         echo "1.2. Fetching store path for flake revision: $NIX_FLAKE_VERSION"
         # shellcheck disable=SC1091
         source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+        nix --version
         nix-collect-garbage -d > /tmp/pg_upgrade-nix-gc.log 2>&1 || true
 
         # Determine system architecture

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.064-orioledb-indata574-1"
-  postgres17: "17.6.1.107-indata574-1"
-  postgres15: "15.14.1.107-indata574-1"
+  postgresorioledb-17: "17.6.0.065-orioledb"
+  postgres17: "17.6.1.108"
+  postgres15: "15.14.1.108"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.25.1

docs/multigres-image.md

@@ -108,12 +108,12 @@ extra-substituters =
 
 **Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line.
 
-### Step 2: Install Nix 2.33.1
+### Step 2: Install Nix 2.34.6
 
-Run the following command to install Nix 2.33.1 (the version used in CI) with the custom configuration:
+Run the following command to install Nix 2.34.6 (the version used in CI) with the custom configuration:
 
 ```bash
-curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf
+curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf
 ```
 
 This will install Nix with our build caches pre-configured, which should eliminate substituter-related errors.
@@ -128,7 +128,7 @@ same commands on your machine:
 
 ```
 $ nix --version
-nix (Nix) 2.33.1
+nix (Nix) 2.34.6
 ```
 
 

ebssurrogate/scripts/qemu-bootstrap-nix.sh

@@ -82,13 +82,14 @@ execute_playbook
 ####################
 
 function install_nix() {
-    sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.33.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+    sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.34.6/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
 extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EXTRA_NIX_CONF" -s /bin/bash root
     #shellcheck disable=SC1091
     . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    nix --version
 }
 
 function execute_stage2_playbook {