Use nix flakes with private github deps


I was actually in need of this, so thank you so much! I guess the biggest clue for me here is NIX_CONFIG and what exactly to put there.

I went to try it out and have some questions already.

What is the recommended way to wire it in the CI - let’s say Github Actions, the .envrc is not going to get automatically applied there anyway, right? So I guess the workflows need to set the NIX_CONFIG directly, as in .envrc? Also - note that Github will not let one create secrets starting by GITHUB_, so I went with NIX_GITHUB_TOKEN, but I guess it doesn’t matter much if NIX_CONFIG needs to be set manually anyway.

echo 'NIX_CONFIG=\"access-tokens =$NIX_GITHUB_TOKEN\"" > $GITHUB_ENV somewhere early should do that job, I guess?

Yes you’ll need to create a PAT or GitHub App that has the permissions to clone the other repos at the moment. I’ll see if I can hook up an example for GitHub actions next

1 Like

It seems this could be very helpful in allowing GitHub actions access to other repos without long lived PATs:

1 Like

Should also be able to do <flake>.url = "git+ssh://";. Similar to builtins.fetchGit, it will use your user’s ssh credentials.

1 Like