Commit 3c71cec05d changed the labeler workflow to use grep -c, but grep -c still exits with status 1 when no lines match.
That made the fallback echo another 0, so COUNT became a multi-line value and the write to GITHUB_OUTPUT failed. Use true as the fallback to preserve grep's single-line count while allowing the no-match case.
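The failure mode described above, reproduced as an added example (not code from the labeler workflow itself). The file list, pattern, function names and the `write_output` check are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a changed-files list in which nothing matches the pattern.
SAMPLE=$(mktemp)
OUT=$(mktemp)
printf 'README.md\ndocs/manual.md\n' > "$SAMPLE"

# Broken fallback: on no match grep -c prints "0" AND exits 1,
# so the fallback appends a second "0" to the captured value.
count_echo_fallback() {
  grep -c "$1" "$2" || echo 0
}

# Corrected fallback: keep grep's own single-line count and
# only neutralise the non-zero exit status.
count_true_fallback() {
  grep -c "$1" "$2" || true
}

# Append key=value to an output file the way a step appends to GITHUB_OUTPUT,
# refusing any value that is not one non-negative integer (a value with an
# embedded newline would leave a bare second line that is not key=value).
write_output() {
  case "$2" in
    ''|*[!0-9]*) echo "refusing $1: not a single integer" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Run both variants against the no-match sample.
for f in count_echo_fallback count_true_fallback; do
  value=$($f '\.nix$' "$SAMPLE")
  if write_output count "$value" "$OUT"; then
    echo "$f: wrote count=$value"
  else
    echo "$f: rejected multi-line value"
  fi
done
```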
The test workflow currently relies on GitHub Actions defaults for both
job lifetime and Nix sandboxing. That is acceptable when everything
behaves, but it makes failures noisier: a hung job can run indefinitely
until the platform kills it, and the macOS leg inherits a weaker sandbox
default than Linux.
Add explicit timeout-minutes values to the lightweight change-detection
job and the main test matrix job, and pass sandbox = true through
install-nix-action. The sandbox setting is primarily about making the
macOS runner match the stricter execution model we already expect on
Linux.
The test workflow only needs to evaluate and build repository code. It
does not write statuses, labels, comments, or pull request metadata, so
keeping GitHub's default token scope is broader than necessary.
The parse workflow currently runs the nix and Lix checks as two separate
steps. If the first parser fails, GitHub Actions stops the job before
the second parser runs, which hides useful failure information and
weakens the signal from the new parse gate.
Collapse the two steps into a single invocation that builds both parse
derivations with --keep-going. This keeps the job surface small,
preserves the dedicated parse trigger, and ensures both parser variants
are attempted on every relevant run.
This change converts redundant attribute assignments of the form `a =
a;` or `a = someSet.a;` into cleaner `inherit` statements. This reduces
verbosity and follows common Nix style for bringing attributes into
scope.
Statix Codes: W03 (manual_inherit), W04 (manual_inherit_from)
Also include statix and the rule in our configuration.
- restructure module from `podman-linux` to platform-agnostic `podman`
- move linux-specific implementation to `modules/services/podman/linux/`
- add darwin module with declarative machine management
- implement launchd-based watchdog for auto-starting machines
- maintains backward compatibility with existing linux functionality
Previously, following these instructions led to a failure with:
Error: failed to create composite formatter: failed to initialise formatter nixf-diagnose: formatter command not found in PATH: error looking up 'nixf-diagnose'
Root cause: DeterminateSystems/update-flake-lock@v27 uses
peter-evans/create-pull-request@v6.0.5 internally, which is incompatible
with actions/checkout@v6's new credential storage mechanism.
The Problem Chain:
- actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP
  (security improvement)
- peter-evans/create-pull-request@v6.0.5 cannot access credentials from
  the new $RUNNER_TEMP location
- This causes exit code 128 when update-flake-lock tries to create PRs
The Fix:
- create-pull-request@v7.0.9 fixed v6 compatibility
- However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet
- Reverting to v5 restores working credential access
Next Steps:
- Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
- https://github.com/DeterminateSystems/update-flake-lock/pull/224
- Dependabot configured to ignore v6 upgrades until compatibility is fixed
Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574
See: https://github.com/peter-evans/create-pull-request/issues/690
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Don't need to encourage triaging git history to bother people who
haven't opted to maintain a module.
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>