Automatically update Nix expression hashes in GitHub Actions
Dependency management automation systems like Dependabot can cause your CI workflows to fail when hashes in your Nix expressions become outdated.
Determinate Nix’s determinate-nixd fix hashes command enables you to automatically update those hashes, reducing the friction of dependency management.
This example workflow pushes a commit to the pull request fixing the Nix expression if Nix encounters a hash mismatch:
on:
pull_request:
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: read
contents: write
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/determinate-nix-action@v3
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix flake check -L
- name: Fix hash mismatches
if: failure() && github.event_name == 'pull_request'
id: fix-hashes
run: |
git stash --include-untracked
git fetch --depth=1 origin "$GITHUB_HEAD_REF"
git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
determinate-nixd fix hashes --auto-apply
if ! git diff --quiet; then
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add --update --ignore-removal .
git commit -m "[dependabot skip] Automatically fix Nix hashes"
git push origin "$GITHUB_HEAD_REF"
fi
git checkout -
git stash pop || trueIf you use buildGoModule to build Go packages, you can add goSum = ./go.sum; to your derivation to make this more
reliable.
See this pull request against Nixpkgs for more information.