Automatically update Nix expression hashes in GitHub Actions
Dependency management automation systems like Dependabot can cause your CI workflows to fail when hashes in your Nix expressions become outdated.
Determinate Nix's determinate-nixd fix hashes command enables you to automatically update those hashes, reducing the friction of dependency management.
This example workflow pushes a commit to the pull request fixing the Nix expression if Nix encounters a hash mismatch:
```yaml
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: read
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/flakehub-cache-action@main
      - run: nix flake check -L
      - name: Fix hash mismatches
        # Only runs when the check above failed, i.e. on a hash mismatch.
        if: failure() && github.event_name == 'pull_request'
        id: fix-hashes
        run: |
          git stash --include-untracked
          git fetch --depth=1 origin "$GITHUB_HEAD_REF"
          git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
          determinate-nixd fix hashes --auto-apply
          # Commit and push only if the fixer actually changed something.
          if ! git diff --quiet; then
            git config user.name "github-actions[bot]"
            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git add --update --ignore-removal .
            git commit -m "[dependabot skip] Automatically fix Nix hashes"
            git push origin "$GITHUB_HEAD_REF"
          fi
          git checkout -
          git stash pop || true
```
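The workflow above pushes commits back to the pull request branch with a `contents: write` token, which is safe under the `pull_request` trigger because GitHub hands fork PRs a read-only token by default. The following added lint (not part of the original page or of Determinate's tooling) checks a workflow for that trigger/permission/push combination and flags the case where someone switches the trigger to `pull_request_target`, where PR-controlled code would run with a write-capable token; it parses the file line by line with the standard library only, and the embedded workflow text is a constructed sample.

```python
import re

# Constructed sample: the page's workflow reduced to the lines that matter,
# with indentation restored. Not the page's own text.
PAGE_WORKFLOW = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: read
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: |
          determinate-nixd fix hashes --auto-apply
          git push origin "$GITHUB_HEAD_REF"
"""

def triggers(text):
    """Event names listed under the top-level 'on:' key (two-space indented)."""
    names, in_on = [], False
    for line in text.splitlines():
        if line.rstrip() == "on:":
            in_on = True
            continue
        if in_on and line and not line.startswith(" "):
            in_on = False  # left the 'on:' mapping
        m = re.match(r"^  ([A-Za-z_]+):", line)
        if in_on and m:
            names.append(m.group(1))
    return names

def lint(text):
    """Findings for a workflow that pushes commits back to a PR branch."""
    evs = triggers(text)
    writes = re.search(r"^\s+contents:\s*write\s*$", text, re.M) is not None
    pushes = "git push" in text
    if not (writes and pushes):
        return []
    if "pull_request_target" in evs:
        return ["HIGH: pull_request_target with contents: write and git push; "
                "PR-controlled code would run with a write-capable token"]
    if "pull_request" in evs:
        return ["INFO: pull_request trigger; fork PRs get a read-only "
                "GITHUB_TOKEN by default, so the push step fails closed"]
    return []
```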
If you use buildGoModule to build Go packages, you can add goSum = ./go.sum; to your derivation to make this more reliable.
See this pull request against Nixpkgs for more information.