Skip to content

DeterminateSystems/flake-checker-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

The Nix Flake Checker Action

This repo houses a Github Action from Determinate Systems that performs health checks on your repos' flake.lock files. Specifically, it wraps the Nix Flake Checker tool, which verifies that your root Nixpkgs inputs:

  • Have been updated within the last 30 days
  • Have the NixOS GitHub org as their owner
  • Are from a supported Git branch

Here's an example configuration that uses flake-checker-action as part of a broader Actions workflow involving Nix.

on:
  pull_request:
  push:
    branches: [main]

jobs:
  build:
    name: Build Nix targets
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
      - name: Check Nix flake inputs
        uses: DeterminateSystems/flake-checker-action@v4 # This action
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v3
      - name: Build default package
        run: nix build

Configuration

The Nix Flake Checker Action has a number of configuration parameters that you can set in the with block:

Parameter Description Default
condition An optional Common Expression Language (CEL) condition expressing your flake policy. Supersedes all check-* parameters.
flake-lock-path The path to the flake.lock file you want to check. flake.lock
check-outdated Whether to check that the root Nixpkgs input is less than 30 days old. true
check-owner Whether to check that the root Nixpkgs input has the NixOS GitHub org as its owner. true
check-supported Whether to check that the root Nixpkgs input has a supported Git ref. Currently supported refs: nixos-22.11, nixos-22.11-small, nixos-23.05, nixos-23.05-small, nixos-unstable, nixos-unstable-small, nixpkgs-22.11-darwin, nixpkgs-23.05-darwin, nixpkgs-unstable. true
nixpkgs-keys The names of the Nixpkgs inputs you want to check. By default the checker only checks the nixpkgs but you can specify multiple names as a comma-separated list, such as nixpkgs,nixpkgs-macos,nixpkgs-unstable. nixpkgs
ignore-missing-flake-lock Whether to ignore a missing flake.lock file, where the path to the file is the value of flake-lock-path parameter. If set to false (the default is true), the Action throws an error and the job fails if the lockfile is missing. true
fail-mode Fail with an exit code of 1 if any issues are encountered. false
send-statistics Anonymously report the number of issues detected by the flake checker. This reporting helps measure the effectiveness of the flake checker. Set to false to disable. true

Here's an example non-default configuration:

- name: Check Nix flake inputs
  uses: DeterminateSystems/flake-checker-action@v2
  with:
    flake-lock-path: ./nix/flake.lock
    check-owner: false
    ignore-missing-flake-lock: false
    fail-mode: true