From a0a94b9027bc205317231e0238e2613604f6b67f Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <xokdvium@proton.me>
Date: Sun, 13 Jul 2025 15:21:01 +0300
Subject: [PATCH 1/3] ci: Dogfood Nix from master

(cherry picked from commit 04f6974d2c47ae3cc44733adb707107a675e2c92)
---
 .../actions/install-nix-action/action.yaml    | 50 +++++++++++++++++++
 .github/workflows/ci.yml                      | 13 +++--
 2 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 .github/actions/install-nix-action/action.yaml

diff --git a/.github/actions/install-nix-action/action.yaml b/.github/actions/install-nix-action/action.yaml
new file mode 100644
index 000000000..28103f589
--- /dev/null
+++ b/.github/actions/install-nix-action/action.yaml
@@ -0,0 +1,50 @@
+name: "Install Nix"
+description: "Helper action for installing Nix with support for dogfooding from master"
+inputs:
+  dogfood:
+    description: "Whether to use Nix installed from the latest artifact from master branch"
+    required: true # Be explicit about the fact that we are using unreleased artifacts
+  extra_nix_config:
+    description: "Gets appended to `/etc/nix/nix.conf` if passed."
+  install_url:
+    description: "URL of the Nix installer"
+    required: false
+    default: "https://releases.nixos.org/nix/nix-2.30.1/install"
+  github_token:
+    description: "Github token"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Download nix install artifact from master"
+      shell: bash
+      id: download-nix-installer
+      if: ${{ inputs.dogfood }}
+      run: |
+        RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")
+
+        if [ "$RUNNER_OS" == "Linux" ]; then
+          INSTALLER_ARTIFACT="installer-linux"
+        elif [ "$RUNNER_OS" == "macOS" ]; then
+          INSTALLER_ARTIFACT="installer-darwin"
+        else
+          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$INSTALLER_ARTIFACT"
+        mkdir -p "$INSTALLER_DOWNLOAD_DIR"
+
+        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
+        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
+
+        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        DOGFOOD_REPO: "NixOS/nix"
+    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
+      with:
+        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
+        install_url: ${{ inputs.dogfood && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
+        install_options: ${{ inputs.dogfood && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
+        extra_nix_config: ${{ inputs.extra_nix_config }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6169c0924..a9619fa0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,13 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v30
-    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
+    - uses: ./.github/actions/install-nix-action
+      with:
+        dogfood: true
+        extra_nix_config:
+          experimental-features = nix-command flakes
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - run: nix flake show --all-systems --json
 
   tests:
     strategy:
@@ -34,8 +39,10 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v30
+    - uses: ./.github/actions/install-nix-action
       with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: true
         # The sandbox would otherwise be disabled by default on Darwin
         extra_nix_config: |
           sandbox = true

From 13a8fe7580f690d7c451ce3cf0db45afd741ea69 Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <xokdvium@proton.me>
Date: Sun, 13 Jul 2025 16:05:05 +0300
Subject: [PATCH 2/3] ci: Dogfood nix from master for `vm_tests` and
 `flake_regressions`

This should provide more coverage for the build from master that
is being dogfooded.

(cherry picked from commit 3b3c02160dce1110ed9856aa6234fd37fa5c9347)
---
 .github/workflows/ci.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a9619fa0a..e450641dc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -182,7 +182,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: true
+          extra_nix_config:
+            experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: |
           nix build -L \
@@ -208,6 +213,11 @@ jobs:
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: true
+          extra_nix_config:
+            experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh

From c56833e941b4bc628fc6dbd16529b9a36c9625f1 Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <sergei@zimmerman.foo>
Date: Thu, 24 Jul 2025 23:14:36 +0300
Subject: [PATCH 3/3] ci: Don't dogfood installer from master

CI on release branches should be stable, otherwise backporting
might become flaky and unreliable. Dogfooding only really makes
sense for CI on master branch, where failures are not as tedious
to work around.
---
 .github/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e450641dc..2951ad4cf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
       with:
-        dogfood: true
+        dogfood: false
         extra_nix_config:
           experimental-features = nix-command flakes
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -42,7 +42,7 @@ jobs:
     - uses: ./.github/actions/install-nix-action
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: true
+        dogfood: false
         # The sandbox would otherwise be disabled by default on Darwin
         extra_nix_config: |
           sandbox = true
@@ -184,7 +184,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/install-nix-action
         with:
-          dogfood: true
+          dogfood: false
           extra_nix_config:
             experimental-features = nix-command flakes
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -215,7 +215,7 @@ jobs:
           path: flake-regressions/tests
       - uses: ./.github/actions/install-nix-action
         with:
-          dogfood: true
+          dogfood: false
           extra_nix_config:
             experimental-features = nix-command flakes
           github_token: ${{ secrets.GITHUB_TOKEN }}