DeterminateSystems · edolstra · Feb 27, 2026 · Feb 27, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/src/libcmd/builtin-flake-schemas.nix b/src/libcmd/builtin-flake-schemas.nix
@@ -82,12 +82,12 @@
         inventory = self.lib.derivationsInventory "package" false;
       };
 
-      dockerImagesSchema = {
+      ociImagesSchema = {
         version = 1;
         doc = ''
-          The `dockerImages` flake output contains derivations that build valid Docker images.
+          The `ociImages` flake output contains derivations that build valid Open Container Initiative images.
         '';
-        inventory = self.lib.derivationsInventory "Docker image" false;
+        inventory = self.lib.derivationsInventory "OCI image" false;
       };
 
       legacyPackagesSchema = {
@@ -432,7 +432,7 @@
       schemas.homeModules = homeModulesSchema;
       schemas.darwinConfigurations = darwinConfigurationsSchema;
       schemas.darwinModules = darwinModulesSchema;
-      schemas.dockerImages = dockerImagesSchema;
+      schemas.ociImages = ociImagesSchema;
       schemas.bundlers = bundlersSchema;
     };
 }
diff --git a/src/libcmd/flake-schemas.cc b/src/libcmd/flake-schemas.cc
@@ -3,6 +3,7 @@
 #include "nix/fetchers/fetch-to-store.hh"
 #include "nix/util/memory-source-accessor.hh"
 #include "nix/util/mounted-source-accessor.hh"
+#include "nix/flake/provenance.hh"
 
 namespace nix::flake_schemas {
 
@@ -162,12 +163,18 @@ void forEachOutput(
 void visit(
     std::optional<std::string> system,
     ref<AttrCursor> node,
+    std::shared_ptr<const Provenance> provenance,
     std::function<void(const Leaf & leaf)> visitLeaf,
     std::function<void(std::function<void(ForEachChild)>)> visitNonLeaf,
     std::function<void(ref<AttrCursor> node, const std::vector<std::string> & systems)> visitFiltered)
 {
     Activity act(*logger, lvlInfo, actUnknown, fmt("evaluating '%s'", node->getAttrPathStr()));
 
+    PushProvenance pushedProvenance(
+        node->root->state,
+        provenance ? std::make_shared<const FlakeProvenance>(provenance, node->getAttrPathStr(), evalSettings.pureEval)
+                   : nullptr);
+
     /* Apply the system type filter. */
     if (system) {
         if (auto forSystems = Node(node).forSystems()) {

diff --git a/src/libcmd/include/nix/cmd/flake-schemas.hh b/src/libcmd/include/nix/cmd/flake-schemas.hh
@@ -65,6 +65,7 @@ typedef std::function<void(Symbol attrName, ref<AttrCursor> attr, bool isLast)>
 void visit(
     std::optional<std::string> system,
     ref<AttrCursor> node,
+    std::shared_ptr<const Provenance> provenance,
     std::function<void(const Leaf & leaf)> visitLeaf,
     std::function<void(std::function<void(ForEachChild)>)> visitNonLeaf,
     std::function<void(ref<AttrCursor> node, const std::vector<std::string> & systems)> visitFiltered);

diff --git a/src/libcmd/include/nix/cmd/installable-attr-path.hh b/src/libcmd/include/nix/cmd/installable-attr-path.hh
@@ -21,8 +21,6 @@
 #include <regex>
 #include <queue>
 
-#include <nlohmann/json.hpp>
-
 namespace nix {
 
 class InstallableAttrPath : public InstallableValue

diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
@@ -422,6 +422,22 @@ std::string BaseSetting<Settings::ExternalBuilders>::to_string() const
     return nlohmann::json(value).dump();
 }
 
+template<>
+std::map<std::string, std::string> BaseSetting<std::map<std::string, std::string>>::parse(const std::string & str) const
+{
+    try {
+        return nlohmann::json::parse(str).template get<std::map<std::string, std::string>>();
+    } catch (std::exception & e) {
+        throw UsageError("parsing setting '%s': %s", name, e.what());
+    }
+}
+
+template<>
+std::string BaseSetting<std::map<std::string, std::string>>::to_string() const
+{
+    return nlohmann::json(value).dump();
+}
+
 template<>
 void BaseSetting<PathsInChroot>::appendOrSet(PathsInChroot newValue, bool append)
 {

diff --git a/src/libstore/include/nix/store/globals.hh b/src/libstore/include/nix/store/globals.hh
@@ -1462,6 +1462,15 @@ public:
         )"};
 
     std::optional<std::string> getHostName();
+
+    Setting<std::map<std::string, std::string>> buildProvenanceTags{
+        this,
+        {},
+        "build-provenance-tags",
+        R"(
+          Arbitrary name/value pairs that are recorded in the build provenance of store paths built by this machine.
+          This can be used to tag builds with metadata such as the CI job URL, build cluster name, etc.
+        )"};
 };
 
 // FIXME: don't use a global variable.

diff --git a/src/libstore/include/nix/store/provenance.hh b/src/libstore/include/nix/store/provenance.hh
@@ -23,6 +23,11 @@ struct BuildProvenance : Provenance
      */
     std::optional<std::string> buildHost;
 
+    /**
+     * User-defined tags from the build host.
+     */
+    std::map<std::string, std::string> tags;
+
     /**
      * The system type of the derivation.
      */
@@ -39,15 +44,9 @@ struct BuildProvenance : Provenance
         const StorePath & drvPath,
         const OutputName & output,
         std::optional<std::string> buildHost,
+        std::map<std::string, std::string> tags,
         std::string system,
-        std::shared_ptr<const Provenance> next)
-        : drvPath(drvPath)
-        , output(output)
-        , buildHost(std::move(buildHost))
-        , system(std::move(system))
-        , next(std::move(next))
-    {
-    }
+        std::shared_ptr<const Provenance> next);
 
     nlohmann::json to_json() const override;
 };

diff --git a/src/libstore/provenance.cc b/src/libstore/provenance.cc
@@ -1,8 +1,35 @@
 #include "nix/store/provenance.hh"
 #include "nix/util/json-utils.hh"
 
+#include <regex>
+
 namespace nix {
 
+static void checkProvenanceTagName(std::string_view name)
+{
+    static const std::regex tagNameRegex("^[A-Za-z_][A-Za-z0-9_+\\-]*$");
+    if (!std::regex_match(name.begin(), name.end(), tagNameRegex))
+        throw Error("tag name '%s' is invalid", name);
+}
+
+BuildProvenance::BuildProvenance(
+    const StorePath & drvPath,
+    const OutputName & output,
+    std::optional<std::string> buildHost,
+    std::map<std::string, std::string> tags,
+    std::string system,
+    std::shared_ptr<const Provenance> next)
+    : drvPath(drvPath)
+    , output(output)
+    , buildHost(std::move(buildHost))
+    , tags(std::move(tags))
+    , system(std::move(system))
+    , next(std::move(next))
+{
+    for (const auto & [name, value] : this->tags)
+        checkProvenanceTagName(name);
+}
+
 nlohmann::json BuildProvenance::to_json() const
 {
     return {
@@ -12,6 +39,7 @@ nlohmann::json BuildProvenance::to_json() const
         {"buildHost", buildHost},
         {"system", system},
         {"next", next ? next->to_json() : nlohmann::json(nullptr)},
+        {"tags", tags},
     };
 }
 
@@ -23,10 +51,14 @@ Provenance::Register registerBuildProvenance("build", [](nlohmann::json json) {
     std::optional<std::string> buildHost;
     if (auto p = optionalValueAt(obj, "buildHost"))
         buildHost = p->get<std::optional<std::string>>();
+    std::map<std::string, std::string> tags;
+    if (auto p = optionalValueAt(obj, "tags"); p && !p->is_null())
+        tags = p->get<std::map<std::string, std::string>>();
     auto buildProv = make_ref<BuildProvenance>(
         StorePath(getString(valueAt(obj, "drv"))),
         getString(valueAt(obj, "output")),
-        buildHost,
+        std::move(buildHost),
+        std::move(tags),
         getString(valueAt(obj, "system")),
         next);
     return buildProv;

diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
@@ -1873,7 +1873,12 @@ SingleDrvOutputs DerivationBuilderImpl::registerOutputs()
             newInfo.ultimate = true;
             if (experimentalFeatureSettings.isEnabled(Xp::Provenance))
                 newInfo.provenance = std::make_shared<const BuildProvenance>(
-                    drvPath, outputName, settings.getHostName(), drv.platform, drvProvenance);
+                    drvPath,
+                    outputName,
+                    settings.getHostName(),
+                    settings.buildProvenanceTags.get(),
+                    drv.platform,
+                    drvProvenance);
             store.signPathInfo(newInfo);
 
             finish(newInfo.path);

diff --git a/src/nix/flake.cc b/src/nix/flake.cc
@@ -383,6 +383,7 @@ struct CmdFlakeCheck : FlakeCommand, MixFlakeSchemas
             flake_schemas::visit(
                 checkAllSystems ? std::optional<std::string>() : localSystem,
                 node,
+                flake->flake.provenance,
 
                 [&](const flake_schemas::Leaf & leaf) {
                     try {
@@ -899,6 +900,7 @@ struct CmdFlakeShow : FlakeCommand, MixJSON, MixFlakeSchemas
             flake_schemas::visit(
                 showAllSystems ? std::optional<std::string>() : localSystem,
                 node,
+                flake->flake.provenance,
 
                 [&](const flake_schemas::Leaf & leaf) {
                     if (auto what = leaf.what())

diff --git a/src/nix/provenance.cc b/src/nix/provenance.cc
@@ -79,6 +79,8 @@ struct CmdProvenanceShow : StorePathsCommand
                     build->output,
                     build->buildHost.value_or("unknown host").c_str(),
                     build->system);
+                for (auto & [tagName, tagValue] : build->tags)
+                    logger->cout("  tag " ANSI_BOLD "%s" ANSI_NORMAL ": %s", tagName, tagValue);
                 provenance = build->next;
             }
 

diff --git a/tests/functional/common/init.sh b/tests/functional/common/init.sh
@@ -53,6 +53,7 @@ substituters =
 flake-registry = $TEST_ROOT/registry.json
 show-trace = true
 host-name = test-host
+build-provenance-tags = {"pr": "1234", "branch": "main"}
 include nix.conf.extra
 trusted-users = $(whoami)
 ${_NIX_TEST_EXTRA_CONFIG:-}

diff --git a/tests/functional/flakes/provenance.sh b/tests/functional/flakes/provenance.sh
@@ -58,6 +58,10 @@ builder=$(nix eval --raw "$flake1Dir#packages.$system.default._builder")
   },
   "output": "out",
   "system": "$system",
+  "tags": {
+    "branch": "main",
+    "pr": "1234"
+  },
   "type": "build"
 }
 EOF
@@ -172,6 +176,10 @@ nix copy --from "file://$binaryCache" "$outPath" --no-check-sigs
     },
     "output": "out",
     "system": "$system",
+    "tags": {
+      "branch": "main",
+      "pr": "1234"
+    },
     "type": "build"
   },
   "type": "copied"
@@ -186,6 +194,8 @@ unset _NIX_FORCE_HTTP
 [1m$outPath[0m
 ← copied from [1mfile://$binaryCache[0m
 ← built from derivation [1m$drvPath[0m (output [1mout[0m) on [1mtest-host[0m for [1m$system[0m
+  tag [1mbranch[0m: main
+  tag [1mpr[0m: 1234
 ← with derivation metadata
   {
     "license": [
@@ -258,6 +268,8 @@ nix build --impure --print-out-paths --no-link "$flake1Dir#packages.$system.defa
 [[ "$(nix provenance show "$outPath")" = "$(cat <<EOF
 [1m$outPath[0m
 ← built from derivation [1m$drvPath[0m (output [1mout[0m) on [1mtest-host[0m for [1m$system[0m
+  tag [1mbranch[0m: main
+  tag [1mpr[0m: 1234
 ← with derivation metadata
   {
     "license": [
@@ -353,3 +365,8 @@ nix provenance verify "$path"
 echo barf > "$TEST_ROOT/hello.txt"
 
 expectStderr 1 nix provenance verify "$path" | grepQuiet "hash mismatch for URL"
+
+# Test invalid tag names
+for name in "123-invalid" "invalid tag" "invalid@tag" "-invalid" " foo"; do
+    expectStderr 1 nix build --build-provenance-tags "{\"$name\": \"value\"}" --no-link "$flake1Dir#packages.$system.default" 2>&1 | grepQuiet "tag name '$name' is invalid"
+done