Support for nix updates in Renovate

I recently added support for updating nix flakes to Renovate, a universal dependency update tool. Support currently includes:

  • flake.lock updates
  • nixpkgs updates in flake.nix (e.g. nixpkgs 21.11 to 22.05)

Here’s a minimal configuration if you’d like to try it out:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "lockFileMaintenance": {
    "enabled": true,
    "extends": ["schedule:weekly"]
  },
  "nix": {
    "enabled": true
  }
}

Check out the documentation for more information.


Thanks for your work! Would love to use it. But how exactly is this supposed to work?

I’m using the self-hosted version as a docker container and have a repo with your example as renovate.json. For testing, I’m trying to launch renovate with:

docker run --rm -v "$PWD/renovate-config.js:/usr/src/app/config.js" --env='GITHUB_COM_TOKEN=<redacted>' renovate/renovate --dry-run=true

And proceed to get the following error:

 WARN: Error updating flake.lock (repository=fpletz/test, branch=renovate/lock-file-maintenance)
       "err": {
         "name": "ExecError",
         "cmd": "/bin/sh -c install-tool nix 2.11.1",
         "stderr": "This script must be run as root\n",
         "stdout": "Installing v1 tool nix v2.11.1\n",
         "options": {
           "cwd": "/tmp/renovate/repos/gitea/fpletz/test",
           "encoding": "utf-8",
           "env": {
             "HOME": "/home/ubuntu",
             "PATH": "/home/ubuntu/.local/bin:/go/bin:/home/ubuntu/bin:/opt/buildpack/tools/python/3.11.0/bin:/home/ubuntu/.npm-global/bin:/home/ubuntu/.cargo/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
             "LC_ALL": "C.UTF-8",
             "LANG": "C.UTF-8",
             "BUILDPACK_CACHE_DIR": "/tmp/renovate/cache/containerbase",
             "CONTAINERBASE_CACHE_DIR": "/tmp/renovate/cache/containerbase"
           },
           "maxBuffer": 10485760,
           "timeout": 900000
         },
         "exitCode": 1,
         "message": "Command failed: install-tool nix 2.11.1\nThis script must be run as root\n",
         "stack": "ExecError: Command failed: install-tool nix 2.11.1\nThis script must be run as root\n\n    at ChildProcess.<anonymous> (/usr/src/app/node_modules/renovate/lib/util/exec/common.ts:99:11)\n    at ChildProcess.emit (node:events:525:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:293:12)"
       }

It looks like you’ve got an older version of the renovate container image, or one of the older containerbase container images, cached locally. Can you docker image rm any renovate or containerbase images and try again? The feature was released in version 34.23.0.

The first line of stdout should be installing v2 tool nix v2.11. Nix is dynamically installed in the container and in an earlier attempt I wrote required a root install. That’s the v1 from your logs. The v2 installer uses a chroot and doesn’t require root.
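As an added example that is not part of this thread, a POSIX sh helper that applies the answer above: it flags locally cached renovate/renovate image tags older than 34.23.0 (the release named as the first with nix support) and classifies the `Installing vN tool nix` stdout line, where v1 is the old root-only installer and v2 the chroot-based one. The tag conventions (`34.23.0`, `34.23.0-slim`, `latest`) are assumptions about your local image cache.

```shell
#!/bin/sh
# Added helper (not from the thread): is the cached renovate image too old for nix?

MIN_RENOVATE_VERSION="34.23.0"   # first release with the nix manager, per the thread

# version_ge A B -> exit 0 when dotted numeric version A >= B, else 1.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"       # leading component of each
    ax="${ax:-0}"; bx="${bx:-0}"       # missing components count as 0
    [ "$ax" -gt "$bx" ] && return 0
    [ "$ax" -lt "$bx" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# nix_installer_generation LINE -> prints "1" or "2" from the first stdout line.
# "Installing v1 tool nix v2.11.1" is the old installer that must run as root.
nix_installer_generation() {
  printf '%s\n' "$1" | sed -n 's/^Installing v\([0-9][0-9]*\) tool nix.*/\1/p'
}

# image_is_stale TAG -> exit 0 when the tag is a version older than the minimum.
# Floating tags (latest, slim, full) cannot be judged from the tag alone.
image_is_stale() {
  tag="${1#v}"; tag="${tag%%-*}"       # drop a leading "v" and any "-slim" suffix
  case "$tag" in
    latest|full|slim|'') return 1 ;;
  esac
  if version_ge "$tag" "$MIN_RENOVATE_VERSION"; then return 1; else return 0; fi
}

# stale_images -> lists cached renovate/renovate tags older than the minimum,
# i.e. the images the reply above suggests removing with `docker image rm`.
stale_images() {
  docker image ls --format '{{.Repository}}:{{.Tag}}' renovate/renovate 2>/dev/null |
  while IFS=: read -r repo tag; do
    image_is_stale "$tag" && printf '%s:%s\n' "$repo" "$tag"
  done
}
```

Source the file on the docker host and run `stale_images`; an empty result means no cached versioned tag predates nix support, though a `latest` tag still has to be re-pulled to be sure.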