chore: update terraform to 1.11.1 in nix image (coder#16880)

ThomasK33 · web-flow · commit 5285c12b9ecd · 2025-03-11T16:23:33.000+01:00
Followup PR to coder#16781, update the terraform version in our Nix devshell. Additionally: 1. Switches from DeterminateSystems/nix-installer-action to nixbuild/nix-quick-install-action -- quicker installer, reduces actions time from ~60 seconds to ~1 seconds. 2. Adds nix-community/cache-nix-action for better caching with garbage collection -- avoids unnecessary rebuilding on subsequent runs, reduces nix image build time from ~6 minutes to <4 minutes. 3. Adds nixpkgs-unstable input to use Terraform 1.11.1 Change-Id: I05d6dfd3f3cf1af48cf8a2d9e61b396bcd2b7191 Signed-off-by: Thomas Kosiewski <tk@coder.com>
diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml
@@ -35,7 +35,26 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Nix
-        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
+        uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30
+
+      - uses: nix-community/cache-nix-action@aee88ae5efbbeb38ac5d9862ecbebdb404a19e69 # v6.1.1
+        with:
+          # restore and save a cache using this key
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: nix-${{ runner.os }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          # 1G = 1073741824
+          gc-max-store-size-linux: 5G
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: nix-${{ runner.os }}-
+          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
 
       - name: Get branch name
         id: branch-name
diff --git a/dogfood/coder/nix.hash b/dogfood/coder/nix.hash
@@ -1,2 +1,2 @@
-f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
-32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
+f09cd2cbbcdf00f5e855c6ddecab6008d11d871dc4ca5e1bc90aa14d4e3a2cfd  flake.nix
+0d2489a26d149dade9c57ba33acfdb309b38100ac253ed0c67a2eca04a187e37  flake.lock
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-pinned.url = "github:nixos/nixpkgs/5deee6281831847857720668867729617629ef1f";
     flake-utils.url = "github:numtide/flake-utils";
     pnpm2nix = {
@@ -22,6 +23,7 @@
       self,
       nixpkgs,
       nixpkgs-pinned,
+      nixpkgs-unstable,
       flake-utils,
       drpc,
       pnpm2nix,
@@ -31,7 +33,7 @@
       let
         pkgs = import nixpkgs {
           inherit system;
-          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          # Workaround for: google-chrome has an unfree license (‘unfree’), refusing to evaluate.
           config.allowUnfree = true;
         };
 
@@ -41,6 +43,17 @@
           inherit system;
         };
 
+        unstablePkgs = import nixpkgs-unstable {
+          inherit system;
+
+          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          config.allowUnfreePredicate =
+            pkg:
+            builtins.elem (pkgs.lib.getName pkg) [
+              "terraform"
+            ];
+        };
+
         formatter = pkgs.nixfmt-rfc-style;
 
         nodejs = pkgs.nodejs_20;
@@ -148,7 +161,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
-            terraform
+            unstablePkgs.terraform
             typos
             which
             # Needed for many LD system libs!
@@ -185,7 +198,7 @@
             name = "coder-${osArch}";
             # Updated with ./scripts/update-flake.sh`.
             # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
+            vendorHash = "sha256-6sdvX0Wglj0CZiig2VD45JzuTcxwg7yrGoPPQUYvuqU=";
             proxyVendor = true;
             src = ./.;
             nativeBuildInputs = with pkgs; [
