ci: bump nixpkgs and use it everywhere

fricklerhandwerk · Erethon · commit 59d4fab9545a · 2025-06-17T15:16:54.000+03:00
historically there was a split between sources for development and
deployment. this had never been resolved, because up to some point in
the past, bumping nixpkgs would result in nasty build failures.
apparently these have been resolved.

now that we keep nixpkgs at unstable, there's no acute reason to have
two environments.
diff --git a/.github/workflows/bump.yaml b/.github/workflows/bump.yaml
@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
       - run: |
-          nix-shell default.nix -A ci --run "npins -d ./infra/npins update"
+          nix-shell default.nix -A ci --run "npins update"
       - uses: actions/create-github-app-token@v1
         id: generate-token
         with:
diff --git a/default.nix b/default.nix
@@ -119,7 +119,6 @@ rec {
       manage = pkgs.writeScriptBin "manage" ''
         exec ${python3}/bin/python ${toString ./src/manage.py} $@
       '';
-      deploymentSources = import ./infra/npins;
     in
     pkgs.mkShellNoCC {
       env = {
@@ -161,7 +160,7 @@ rec {
         pkgs.npins
         pkgs.hivemind
         pkgs.awscli
-        (import deploymentSources.agenix { inherit pkgs; }).agenix
+        (import sources.agenix { inherit pkgs; }).agenix
       ] ++ pre-commit-check.enabledPackages;
 
       shellHook = ''
diff --git a/infra/configuration.nix b/infra/configuration.nix
@@ -1,10 +1,6 @@
 { pkgs, lib, ... }:
 let
-  # Note: this might be surprising not to reuse the parent npins/ directory.
-  # The rationale is that the staging environment's sources are decorrelated from the development's sources.
-  # Sources here are managed on a different lifecycle and have different acceptance tests than the development.
-  # Also, the focus in the staging environment is a secure deployment, which trumps over dirty hacks.
-  sources = import ./npins;
+  sources = import ../npins;
 in
 {
   imports = [
diff --git a/infra/deploy.sh b/infra/deploy.sh
@@ -6,8 +6,6 @@ set -eo pipefail
 DIR=$(git rev-parse --show-toplevel)
 VERB=${1:-switch}
 # make sure we're building with the version of Nixpkgs under our control
-# TODO: fix the build on the latest nixpkgs-unstable and use that one for deployment
-# export NIX_PATH=nixpkgs=$(nix-instantiate --eval -E '(import ./infra/npins).nixpkgs.outPath' | tr -d '"')
 export NIX_PATH=nixpkgs=$(nix-instantiate --eval -A pkgs.path)
 
 # Note: we could refactor the conditional here.
diff --git a/infra/npins/default.nix b/infra/npins/default.nix
diff --git a/infra/npins/sources.json b/infra/npins/sources.json
diff --git a/infra/shell.nix b/infra/shell.nix
@@ -1,5 +1,5 @@
 {
-  sources ? import ../../npins,
+  sources ? import ../npins,
   system ? builtins.currentSystem,
   pkgs ? import sources.nixpkgs {
     config = { };
diff --git a/npins/sources.json b/npins/sources.json
@@ -1,5 +1,17 @@
 {
   "pins": {
+    "agenix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "branch": "main",
+      "revision": "4835b1dc898959d8547a871ef484930675cb47f1",
+      "url": "https://github.com/ryantm/agenix/archive/4835b1dc898959d8547a871ef484930675cb47f1.tar.gz",
+      "hash": "0ngkhf7qamibhbl9z1dryzscd36y4fz1m1h6fb2z6fylw0b8029p"
+    },
     "gitignore": {
       "type": "Git",
       "repository": {
@@ -21,16 +33,16 @@
       "pre_releases": false,
       "version_upper_bound": null,
       "release_prefix": null,
-      "version": "v2.0.3",
-      "revision": "d6e17abb13729d8ace72f312a4b82130d8355233",
+      "version": "v2.0.4",
+      "revision": "b82cf843e47e575dd8c2ad8fee547d8e2c3bb87f",
       "url": null,
-      "hash": "1dni9xpijx6risc0pfidqy3i9a898lnf357rypddd1rvkjan40a7"
+      "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
     },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre683804.a1d92660c6b3/nixexprs.tar.xz",
-      "hash": "0lzd1g9x7ihscdajc2g9f0jyykymw6r1lq2ir5g0shjzjf0jc5la"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre814815.41da1e3ea8e2/nixexprs.tar.xz",
+      "hash": "1hpd50fg4s7mg7a7rqs7j1a659qnf27f9j5s1fgi0dj7zhac002n"
     },
     "pre-commit-hooks": {
       "type": "Git",
@@ -40,9 +52,9 @@
         "repo": "pre-commit-hooks.nix"
       },
       "branch": "master",
-      "revision": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
-      "url": "https://github.com/cachix/pre-commit-hooks.nix/archive/4e743a6920eab45e8ba0fbe49dc459f1423a4b74.tar.gz",
-      "hash": "0fc69dsn5rhv2zb16c2bfgx84ja8cmn7d7j2mrw3n4m8y611x40g"
+      "revision": "623c56286de5a3193aa38891a6991b28f9bab056",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/623c56286de5a3193aa38891a6991b28f9bab056.tar.gz",
+      "hash": "1vlx0gshjlj45inn8w67m8dn43i4jvxfvpnnrzh26bsgx6a8hijr"
     }
   },
   "version": 3

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- sources ? import ../../npins,`
	`2`	`+ sources ? import ../npins,`
`3`	`3`	`system ? builtins.currentSystem,`
`4`	`4`	`pkgs ? import sources.nixpkgs {`
`5`	`5`	`config = { };`