Determinate in GitHub Actions

Determinate Systems provides a suite of GitHub Actions that you can use to streamline your CI/CD workflows. These Actions are currently available:

| Action | What it does |
| --- | --- |
| DeterminateSystems/nix-installer-action | Quickly and reliably installs Nix in your workflow |
| DeterminateSystems/flakehub-cache-action | Automatically caches all Nix builds in FlakeHub Cache |
| DeterminateSystems/flake-checker-action | Performs health checks for your flake.lock file |
| DeterminateSystems/update-flake-lock | Automatically updates your flake.lock at the specified time interval |
| DeterminateSystems/ci | A “one-stop shop” Action for using Nix in CI |

DeterminateSystems/nix-installer-action

Our Determinate Nix Installer Action enables you to quickly and reliably install Nix in your workflows. Here’s an example configuration that installs Determinate Nix:

.github/workflows/ci.yml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
 
jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: DeterminateSystems/flake-checker-action@main
      - run: nix flake check

See the README for more detailed instructions.

DeterminateSystems/flakehub-cache-action

When you use this Action, all Nix builds are automatically cached in FlakeHub Cache, a zero-configuration binary cache for Nix on GitHub Actions.

Here’s an example configuration:

.github/workflows/ci.yml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
 
jobs:
  nix-ci:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: DeterminateSystems/flake-checker-action@main
      - run: nix flake check

See the README for more detailed instructions.

DeterminateSystems/flake-checker-action

Flake Checker performs health checks on the flake.lock files in your flake-powered Nix projects. Stay safe and secure by using recent, supported versions of Nixpkgs. Especially useful in conjunction with the update-flake-lock Action.

Here’s an example configuration:

.github/workflows/ci.yml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
 
jobs:
  nix-ci:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - uses: DeterminateSystems/flake-checker-action@main
      - run: nix flake check

See the README for more detailed instructions.
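
To make concrete what a flake.lock health check inspects, here is an added example (not Flake Checker's own code and not part of this guide) that parses a lock file and flags Nixpkgs nodes that are stale or pinned to a non-upstream owner. The 30-day threshold, the `NixOS` owner comparison, and the sample lock contents are assumptions made for the illustration.

```python
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 30         # assumed freshness threshold for this example
UPSTREAM_OWNER = "nixos"  # assumed canonical owner, compared case-insensitively


def _node(owner, last_modified):
    """Build a constructed Nixpkgs lock node; the rev is a placeholder."""
    return {"locked": {"type": "github", "owner": owner, "repo": "nixpkgs",
                       "rev": "0" * 40, "lastModified": last_modified},
            "original": {"type": "github", "owner": owner, "repo": "nixpkgs"}}


# Constructed sample flake.lock (lock file version 7), embedded so this runs offline.
SAMPLE_LOCK = json.dumps({
    "version": 7, "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "legacy": "nixpkgs_2"}},
        "nixpkgs": _node("NixOS", 1735689600),           # 2025-01-01 UTC
        "nixpkgs_2": _node("example-fork", 1704067200),  # 2024-01-01 UTC
    },
})


def check_lock(lock_text, now):
    """Return sorted (node_name, problem) findings for every locked Nixpkgs node."""
    lock = json.loads(lock_text)
    findings = []
    for name, node in lock["nodes"].items():
        locked = node.get("locked", {})
        if locked.get("type") != "github" or locked.get("repo", "").lower() != "nixpkgs":
            continue  # skips the root node and non-Nixpkgs inputs
        if locked.get("owner", "").lower() != UPSTREAM_OWNER:
            findings.append((name, "non-upstream owner: " + locked.get("owner", "?")))
        pinned = datetime.fromtimestamp(locked["lastModified"], tz=timezone.utc)
        age = (now - pinned).days
        if age > MAX_AGE_DAYS:
            findings.append((name, f"stale: pinned {age} days ago"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in check_lock(SAMPLE_LOCK, datetime.now(timezone.utc)):
        print(f"{name}: {problem}")
```
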

DeterminateSystems/update-flake-lock

Frequently updating your flake.lock files is crucial to maintaining up-to-date flakes. We provide a GitHub Action that periodically updates them. Especially useful in conjunction with flake-checker-action.

Here’s an example configuration:

.github/workflows/update-flake-lock.yml
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 
jobs:
  update-flake-inputs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@main
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
          pr-labels: |                  # Labels to be set on the PR
            dependencies
            automated

See the README for more detailed instructions.

DeterminateSystems/ci

Our ci Action provides a kind of “one-stop shop” for Nix in GitHub Actions. We recommend this Action only if you’re signed up to use FlakeHub Cache. It does all of these:

Here’s an example configuration:

.github/workflows/nix-ci.yml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
    tags:
      - v?[0-9]+.[0-9]+.[0-9]+*
 
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 
jobs:
  nix-ci:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: write
      contents: read

See the README for more detailed instructions.