chore: update terraform to 1.11.1 in nix image

ThomasK33 · ThomasK33 · commit 975083dbd82f · 2025-03-11T15:23:05.000+01:00
Change-Id: I05d6dfd3f3cf1af48cf8a2d9e61b396bcd2b7191
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml
@@ -35,7 +35,26 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Nix
-        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
+        uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30
+
+      - uses: nix-community/cache-nix-action@aee88ae5efbbeb38ac5d9862ecbebdb404a19e69 # v6.1.1
+        with:
+          # restore and save a cache using this key
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: nix-${{ runner.os }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          # 1G = 1073741824
+          gc-max-store-size-linux: 2G
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: nix-${{ runner.os }}-
+          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
 
       - name: Get branch name
         id: branch-name
@@ -68,7 +87,7 @@ jobs:
           project: b4q6ltmpzh
           token: ${{ secrets.DEPOT_TOKEN }}
           buildx-fallback: true
-          context: "{{defaultContext}}:dogfood/coder"
+          context: "{{defaultContext}}:dogfood/contents"
           pull: true
           save: true
           push: ${{ github.ref == 'refs/heads/main' }}
@@ -113,18 +132,12 @@ jobs:
 
       - name: Terraform init and validate
         run: |
-          pushd dogfood/
-          terraform init
-          terraform validate
-          popd
-          pushd dogfood/coder
-          terraform init
+          cd dogfood
+          terraform init -upgrade
           terraform validate
-          popd
-          pushd dogfood/coder-envbuilder
-          terraform init
+          cd contents
+          terraform init -upgrade
           terraform validate
-          popd
 
       - name: Get short commit SHA
         if: github.ref == 'refs/heads/main'
@@ -148,6 +161,6 @@ jobs:
           # Template source & details
           TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
           TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
-          TF_VAR_CODER_TEMPLATE_DIR: ./coder
+          TF_VAR_CODER_TEMPLATE_DIR: ./contents
           TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
           TF_LOG: info
diff --git a/dogfood/coder/nix.hash b/dogfood/coder/nix.hash
@@ -1,2 +1,2 @@
-f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
-32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
+f09cd2cbbcdf00f5e855c6ddecab6008d11d871dc4ca5e1bc90aa14d4e3a2cfd  flake.nix
+0d2489a26d149dade9c57ba33acfdb309b38100ac253ed0c67a2eca04a187e37  flake.lock
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-pinned.url = "github:nixos/nixpkgs/5deee6281831847857720668867729617629ef1f";
     flake-utils.url = "github:numtide/flake-utils";
     pnpm2nix = {
@@ -22,6 +23,7 @@
       self,
       nixpkgs,
       nixpkgs-pinned,
+      nixpkgs-unstable,
       flake-utils,
       drpc,
       pnpm2nix,
@@ -31,7 +33,7 @@
       let
         pkgs = import nixpkgs {
           inherit system;
-          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          # Workaround for: google-chrome has an unfree license (‘unfree’), refusing to evaluate.
           config.allowUnfree = true;
         };
 
@@ -41,6 +43,17 @@
           inherit system;
         };
 
+        unstablePkgs = import nixpkgs-unstable {
+          inherit system;
+
+          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          config.allowUnfreePredicate =
+            pkg:
+            builtins.elem (pkgs.lib.getName pkg) [
+              "terraform"
+            ];
+        };
+
         formatter = pkgs.nixfmt-rfc-style;
 
         nodejs = pkgs.nodejs_20;
@@ -148,7 +161,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
-            terraform
+            unstablePkgs.terraform
             typos
             which
             # Needed for many LD system libs!
@@ -185,7 +198,7 @@
             name = "coder-${osArch}";
             # Updated with ./scripts/update-flake.sh`.
             # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
+            vendorHash = "sha256-6sdvX0Wglj0CZiig2VD45JzuTcxwg7yrGoPPQUYvuqU=";
             proxyVendor = true;
             src = ./.;
             nativeBuildInputs = with pkgs; [
