
Attach build provenance #236

Merged
grahamc merged 2 commits into main from push-ytslqpsuuxpk
Mar 20, 2026

Conversation

grahamc (Member) commented Mar 6, 2026

Description

ref DeterminateSystems/nix-src#374

Checklist
  • Tested changes against a test repository
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • (If this PR is for a release) Updated README to point to the new tag (leave unchecked if not applicable)

Summary by CodeRabbit

  • New Features
    • Build metadata from the CI environment is captured, normalized into provenance tags, and embedded in the installer configuration.
    • Empty or undefined values are omitted, and a builder identifier ("github-actions") is included among the provenance tags.

coderabbitai (Bot) commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2afac8c2-1712-437d-beb9-90e4cf539f98

📥 Commits

Reviewing files that changed from the base of the PR and between ef3ad55 and cf897c4.

⛔ Files ignored due to path filters (1)
  • dist/index.js is excluded by !**/dist/**
📒 Files selected for processing (1)
  • src/index.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/index.ts

📝 Walkthrough

Adds getBuildProvenanceTags() to NixInstallerAction; it maps GitHub Actions environment variables to normalized provenance keys, filters undefined values, adds builder: "github-actions", and appends the serialized result to executionEnvironment.extraConf as build-provenance-tags.

Changes

Cohort / File(s): Nix installer action (src/index.ts)
Summary: Added public method getBuildProvenanceTags(): Record<string,string> that maps specific GITHUB_* env vars to normalized keys, inserts builder: "github-actions", filters out undefined entries, and serializes the tags into executionEnvironment.extraConf as build-provenance-tags.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I hopped through envs with a curious grin,
Collected tags from where builds begin,
Wrapped them in JSON, snug and bright,
Pushed them to Nix for provenance light. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title 'Attach build provenance' directly reflects the main change—adding build provenance functionality via the getBuildProvenanceTags() method and build-provenance-tags configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/index.ts (1)

399-403: ⚠️ Potential issue | 🟠 Major

Missing newline after build-provenance-tags will corrupt configuration.

The pattern in this method appends "\n" after each configuration entry (lines 388, 397). Line 399 omits this, so when this.extraConf has content, the first user-provided config line gets concatenated directly to the build-provenance-tags line:

build-provenance-tags = {"builder":"github-actions",...}first-extra-conf-line
🐛 Proposed fix: add newline after build-provenance-tags
     extraConf += `build-provenance-tags = ${JSON.stringify(this.getBuildProvenanceTags())}`;
+    extraConf += "\n";
     if (this.extraConf !== null && this.extraConf.length !== 0) {
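Review bot: The added `extraConf += "\n";` belongs where the hunk puts it, before the `if` rather than inside it, so the build-provenance-tags line is terminated whether or not `this.extraConf` is set; the description above says the neighbouring entries (lines 388, 397) are terminated the same way. Since only src/index.ts is among the changed files, a unit test that renders extraConf with a non-empty `this.extraConf` and asserts that the JSON value is followed by a newline (for example by re-parsing the `build-provenance-tags = ...` line with JSON.parse) would be the cheapest guard against this bug recurring.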
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/index.ts` around lines 399 - 403, The code appends build-provenance-tags
without a trailing newline which can join it to the next config line; update the
block that builds extraConf (around the use of extraConf and
this.getBuildProvenanceTags()) to append a "\n" after the build-provenance-tags
entry (i.e., ensure extraConf += `build-provenance-tags =
${JSON.stringify(this.getBuildProvenanceTags())}` is followed by adding "\n") so
that when this.extraConf is non-empty the first user-provided line does not get
concatenated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ffeea08-436c-443a-8d90-c0ee44ebdbc2

📥 Commits

Reviewing files that changed from the base of the PR and between d96bc96 and af51492.

⛔ Files ignored due to path filters (1)
  • dist/index.js is excluded by !**/dist/**
📒 Files selected for processing (1)
  • src/index.ts
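As an added example (not code from the action or from the bot), the following TypeScript models the getBuildProvenanceTags()/extraConf behaviour described in the walkthrough and the missing-newline defect flagged in the review, with a read-back check that detects the corrupted line. The GITHUB_* to key mapping and the sample environment are assumptions for illustration; the real mapping is in src/index.ts and is not shown on this page.

```typescript
// Added example, not the action's own code: a stand-alone model of the
// getBuildProvenanceTags()/extraConf behaviour. The GITHUB_* -> key mapping
// is assumed for illustration; the real one lives in src/index.ts.
const PROVENANCE_ENV_KEYS: Record<string, string> = {
  GITHUB_REPOSITORY: "repository",
  GITHUB_SHA: "sha",
  GITHUB_REF: "ref",
  GITHUB_RUN_ID: "run-id",
  GITHUB_WORKFLOW_REF: "workflow-ref",
};
type Env = Record<string, string | undefined>;

// Map CI env vars to normalized provenance keys; unset and empty values are
// omitted, and the builder identifier is always present.
function getBuildProvenanceTags(env: Env): Record<string, string> {
  const tags: Record<string, string> = { builder: "github-actions" };
  for (const envName in PROVENANCE_ENV_KEYS) {
    const value = env[envName];
    if (value !== undefined && value !== "") tags[PROVENANCE_ENV_KEYS[envName]] = value;
  }
  return tags;
}

// Render the extra-conf block; `userExtraConf` models this.extraConf.
// terminateTagsLine=false reproduces the missing newline the review flagged.
function renderExtraConf(env: Env, userExtraConf: string | null,
                         terminateTagsLine: boolean = true): string {
  let extraConf = `build-provenance-tags = ${JSON.stringify(getBuildProvenanceTags(env))}`;
  if (terminateTagsLine) extraConf += "\n";
  if (userExtraConf !== null && userExtraConf.length !== 0) extraConf += userExtraConf + "\n";
  return extraConf;
}

// Read the tags back from a rendered config; null means the value is no longer
// valid JSON, which is exactly what the missing newline causes.
function readProvenanceTags(conf: string): Record<string, string> | null {
  const prefix = "build-provenance-tags = ";
  const lines = conf.split("\n");
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].indexOf(prefix) !== 0) continue;
    try { return JSON.parse(lines[i].substring(prefix.length)); } catch { return null; }
  }
  return null;
}

// Constructed sample environment (not captured from a real run).
const SAMPLE_ENV: Env = {
  GITHUB_REPOSITORY: "example-org/example-repo",
  GITHUB_SHA: "0123456789abcdef0123456789abcdef01234567",
  GITHUB_REF: "", // empty: omitted
  GITHUB_RUN_ID: "1", // GITHUB_WORKFLOW_REF unset: omitted
};
```

Calling `readProvenanceTags(renderExtraConf(SAMPLE_ENV, "trusted-users = root", false))` returns null because the user line is glued onto the JSON value, while the terminated rendering round-trips.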

Comment thread on src/index.ts (outdated)
Co-authored-by: gustavderdrache <alex.ford@determinate.systems>
grahamc force-pushed the push-ytslqpsuuxpk branch from ef3ad55 to cf897c4 on March 6, 2026 23:15
grahamc merged commit 9a59e15 into main on Mar 20, 2026
13 checks passed
grahamc deleted the push-ytslqpsuuxpk branch on March 20, 2026 13:57

3 participants