chore: update terraform to 1.11.1 in nix image (#16880)

Followup PR to #16781, update the terraform version in our Nix devshell. Additionally: 1. Switches from DeterminateSystems/nix-installer-action to nixbuild/nix-quick-install-action -- quicker installer, reduces actions time from ~60 seconds to ~1 seconds. 2. Adds nix-community/cache-nix-action for better caching with garbage collection -- avoids unnecessary rebuilding on subsequent runs, reduces nix image build time from ~6 minutes to <4 minutes. 3. Adds nixpkgs-unstable input to use Terraform 1.11.1 Change-Id: I05d6dfd3f3cf1af48cf8a2d9e61b396bcd2b7191 Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-03-14 10:09:57 +00:00 · 2025-03-11 16:23:33 +01:00
parent 09dd69a7e8
commit 5285c12b9e
4 changed files with 58 additions and 9 deletions
--- a/.github/workflows/dogfood.yaml
+++ b/.github/workflows/dogfood.yaml
@ -35,7 +35,26 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Nix
-        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
+        uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30
+
+      - uses: nix-community/cache-nix-action@aee88ae5efbbeb38ac5d9862ecbebdb404a19e69 # v6.1.1
+        with:
+          # restore and save a cache using this key
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: nix-${{ runner.os }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          # 1G = 1073741824
+          gc-max-store-size-linux: 5G
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: nix-${{ runner.os }}-
+          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never

      - name: Get branch name
        id: branch-name
--- a/dogfood/coder/nix.hash
+++ b/dogfood/coder/nix.hash
@ -1,2 +1,2 @@
-f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
-32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
+f09cd2cbbcdf00f5e855c6ddecab6008d11d871dc4ca5e1bc90aa14d4e3a2cfd  flake.nix
+0d2489a26d149dade9c57ba33acfdb309b38100ac253ed0c67a2eca04a187e37  flake.lock
--- a/flake.lock
+++ b/flake.lock
@ -44,11 +44,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1737885640,
-        "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
+        "lastModified": 1741600792,
+        "narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
+        "rev": "ebe2788eafd539477f83775ef93c3c7e244421d3",
        "type": "github"
      },
      "original": {
@ -74,6 +74,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1741513245,
+        "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "pnpm2nix": {
      "inputs": {
        "flake-utils": [
@ -103,6 +119,7 @@
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs",
        "nixpkgs-pinned": "nixpkgs-pinned",
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "pnpm2nix": "pnpm2nix"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -3,6 +3,7 @@

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-pinned.url = "github:nixos/nixpkgs/5deee6281831847857720668867729617629ef1f";
    flake-utils.url = "github:numtide/flake-utils";
    pnpm2nix = {
@ -22,6 +23,7 @@
      self,
      nixpkgs,
      nixpkgs-pinned,
+      nixpkgs-unstable,
      flake-utils,
      drpc,
      pnpm2nix,
@ -31,7 +33,7 @@
      let
        pkgs = import nixpkgs {
          inherit system;
-          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          # Workaround for: google-chrome has an unfree license (‘unfree’), refusing to evaluate.
          config.allowUnfree = true;
        };

@ -41,6 +43,17 @@
          inherit system;
        };

+        unstablePkgs = import nixpkgs-unstable {
+          inherit system;
+
+          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          config.allowUnfreePredicate =
+            pkg:
+            builtins.elem (pkgs.lib.getName pkg) [
+              "terraform"
+            ];
+        };
+
        formatter = pkgs.nixfmt-rfc-style;

        nodejs = pkgs.nodejs_20;
@ -148,7 +161,7 @@
            shellcheck
            (pinnedPkgs.shfmt)
            sqlc
-            terraform
+            unstablePkgs.terraform
            typos
            which
            # Needed for many LD system libs!
@ -185,7 +198,7 @@
            name = "coder-${osArch}";
            # Updated with ./scripts/update-flake.sh`.
            # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
+            vendorHash = "sha256-6sdvX0Wglj0CZiig2VD45JzuTcxwg7yrGoPPQUYvuqU=";
            proxyVendor = true;
            src = ./.;
            nativeBuildInputs = with pkgs; [