
Commit e37e083

authored
fix: update nix to 2.34.6 for GHSA-g3g9-5vj6-r3gj (#2109)
* fix: update nix for GHSA-g3g9-5vj6-r3gj * fix: make sure we install right version * fix: print nix version on build * fix: use same method everywhere to control version * fix: handle adding nix to path for gh action * chore: bump to release * feat: actually nix 2.43.6 instead as nixpkgs jumped past 2.33.x
1 parent 7203785 commit e37e083


12 files changed

+53
-31
lines changed

12 files changed

+53
-31
lines changed

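--- a/.github/actions/nix-install-ephemeral/action.yml
+++ b/.github/actions/nix-install-ephemeral/action.yml
@@ -41,15 +41,30 @@ runs:
 sudo chmod +x /etc/nix/upload-to-cache.sh
 env:
 NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
-- uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c
-with:
-installer-version: 2.33.2
-extra-conf: |
-substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
-max-jobs = 4
-extra-system-features = kvm
+- name: Install Nix
+shell: bash
+run: |
+sudo tee /tmp/nix-extra.conf > /dev/null <<'NIXCONF'
+extra-experimental-features = nix-command flakes
+substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+max-jobs = 4
+extra-system-features = kvm
+NIXCONF
+
+if [ "${{ inputs.push-to-cache }}" = "true" ]; then
+echo "post-build-hook = /etc/nix/upload-to-cache.sh" | sudo tee -a /tmp/nix-extra.conf > /dev/null
+fi
+
+curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file /tmp/nix-extra.conf
+
+# Add nix to PATH for subsequent steps
+echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
+# Source the daemon profile so nix works in this step too
+. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+- name: Print Nix version
+shell: bash
+run: nix --version
 - name: Setup KVM permissions
 shell: bash
 run: |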
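Review bot: The new `Install Nix` step (new line 59) pipes `curl -L https://releases.nixos.org/nix/nix-2.34.6/install` straight into `sh` as root with no integrity check, whereas the removed step referenced `nix-installer-action` by a full commit SHA; the installer is now pinned only by the version string in the URL, and without `--fail` an HTTP error body would still be handed to `sh` (pipefail, on by default for `shell: bash`, only covers a failed connection). Consider downloading to a file, checking it, then running it: `curl -fsSL -o /tmp/nix-install.sh https://releases.nixos.org/nix/nix-2.34.6/install`, `echo "<EXPECTED_SHA256>  /tmp/nix-install.sh" | sha256sum -c -`, `sh /tmp/nix-install.sh --daemon --yes --nix-extra-conf-file /tmp/nix-extra.conf`. The same unverified `curl | sh` pattern is kept in `ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh` and `ebssurrogate/scripts/qemu-bootstrap-nix.sh`, and `2.34.6` is now spelled out in eight files, so the next advisory bump needs the same edit in each (the docs had already drifted to a `2.33.1` heading over a `2.33.2` command). The enclosing `runs:`/`steps:` block starts outside the hunk.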

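--- a/.github/actions/nix-install-self-hosted/action.yml
+++ b/.github/actions/nix-install-self-hosted/action.yml
@@ -18,6 +18,9 @@ runs:
 role-session-name: gha-oidc-${{ github.run_id }}
 role-duration-seconds: ${{ inputs.aws-role-duration }}
 
+- name: Print Nix version
+shell: bash
+run: nix --version
 - name: Write creds files
 shell: bash
 run: |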
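Review bot: The added `Print Nix version` step only echoes `nix --version`; on a self-hosted runner the Nix binary is whatever is preinstalled, so this commit does not enforce the advisory fix there — a runner still on 2.33.x passes unchanged. If the intent is to gate builds on the patched version, fail the step when it does not match, e.g. `nix --version | grep -qF 'nix (Nix) 2.34.6' || { echo "unexpected nix version: $(nix --version)" >&2; exit 1; }`. The enclosing `runs:`/`steps:` block starts outside the hunk.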

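--- a/Dockerfile-15
+++ b/Dockerfile-15
@@ -27,8 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .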
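Review bot: `RUN curl -L ... | sh -s --` at new line 30 runs under `/bin/sh -c` with no pipefail, so the layer's status comes from `sh` alone; the added `RUN nix --version` at line 32 now catches the case where nothing got installed, but the installer is still executed unverified and `-f` is missing, so an HTTP error body would be fed to `sh`. The same pattern is repeated in `Dockerfile-17`, `Dockerfile-multigres` and `Dockerfile-orioledb-17`. Hoisting the version into `ARG NIX_VERSION=2.34.6` and splitting download, check and execute — `RUN curl -fsSL -o /tmp/nix-install.sh "https://releases.nixos.org/nix/nix-${NIX_VERSION}/install" && echo "<EXPECTED_SHA256>  /tmp/nix-install.sh" | sha256sum -c - && sh /tmp/nix-install.sh --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf` — gives the four Dockerfiles one knob and a verifiable installer.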

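--- a/Dockerfile-17
+++ b/Dockerfile-17
@@ -27,9 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .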

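--- a/Dockerfile-multigres
+++ b/Dockerfile-multigres
@@ -28,9 +28,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .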

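--- a/Dockerfile-orioledb-17
+++ b/Dockerfile-orioledb-17
@@ -27,9 +27,9 @@ extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EOF
-RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
-
+RUN curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+RUN nix --version
 
 WORKDIR /nixpg
 COPY . .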

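--- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
+++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -297,7 +297,7 @@ function initiate_upgrade {
 --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 else
 echo "1.1.1. Installing Nix using the official installer"
-sh <(curl -L https://releases.nixos.org/nix/nix-2.33.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+sh <(curl -L https://releases.nixos.org/nix/nix-2.34.6/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
 extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
@@ -312,6 +312,7 @@ EXTRA_NIX_CONF
 echo "1.2. Fetching store path for flake revision: $NIX_FLAKE_VERSION"
 # shellcheck disable=SC1091
 source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+nix --version
 nix-collect-garbage -d > /tmp/pg_upgrade-nix-gc.log 2>&1 || true
 
 # Determine system architecture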

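--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-postgresorioledb-17: "17.6.0.064-orioledb-indata574-1"
-postgres17: "17.6.1.107-indata574-1"
-postgres15: "15.14.1.107-indata574-1"
+postgresorioledb-17: "17.6.0.065-orioledb"
+postgres17: "17.6.1.108"
+postgres15: "15.14.1.108"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.25.1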

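--- a/docs/multigres-image.md
+++ b/docs/multigres-image.md
@@ -108,12 +108,12 @@ extra-substituters =
 
 **Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line.
 
-### Step 2: Install Nix 2.33.1
+### Step 2: Install Nix 2.34.6
 
-Run the following command to install Nix 2.33.1 (the version used in CI) with the custom configuration:
+Run the following command to install Nix 2.34.6 (the version used in CI) with the custom configuration:
 
 ```bash
-curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf
+curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf
 ```
 
 This will install Nix with our build caches pre-configured, which should eliminate substituter-related errors.
@@ -128,7 +128,7 @@ same commands on your machine:
 
 ```
 $ nix --version
-nix (Nix) 2.33.1
+nix (Nix) 2.34.6
 ```
 
 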
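--- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh
+++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
@@ -82,13 +82,14 @@ execute_playbook
 ####################
 
 function install_nix() {
-sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.33.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
+sudo su -c "sh <(curl -L https://releases.nixos.org/nix/nix-2.34.6/install) --yes --daemon --nix-extra-conf-file /dev/stdin <<EXTRA_NIX_CONF
 extra-experimental-features = nix-command flakes
 extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
 extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
 EXTRA_NIX_CONF" -s /bin/bash root
 #shellcheck disable=SC1091
 . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+nix --version
 }
 
 function execute_stage2_playbook {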
