Morph MORPH
SIGN IN SIGN UP
dhruvhead / devbox UNCLAIMED
0 0 0 Go

Fix GitHub API rate limiting in cli-tests (#2731)

## Problem

The cli-tests on the `main` branch have been failing intermittently in
GitHub Actions since at least October 7, 2025, due to GitHub API rate
limiting when Nix attempts to fetch nixpkgs metadata.

### Error Message
```
unable to download 'https://api.github.com/repos/NixOS/nixpkgs/commits/nixpkgs-unstable': HTTP error 403
API rate limit exceeded for 13.105.49.133.
```

Despite having `GITHUB_TOKEN` configured in both `NIX_CONFIG`
environment variable and `~/.config/nix/nix.conf`, the tests were still
hitting unauthenticated rate limits.

## Root Cause

On macOS runners, the Nix daemon:
- Runs as a different user (not the runner user)
- Reads `/etc/nix/nix.conf` instead of the user's
`~/.config/nix/nix.conf`
- Doesn't inherit environment variables from the runner

This meant that while `nix show-config` showed the access token was
configured, the daemon wasn't actually using it when making GitHub API
requests.

## Solution

This PR implements a two-pronged approach:

### 1. Configure Nix Daemon Properly (Primary Fix)
- On macOS runners, configure `/etc/nix/nix.conf` with the GitHub token
- Ensure the directory and file exist before writing
- Restart the Nix daemon to pick up the new configuration
- In `auto-nix-install` job, configure AFTER Nix is installed (not
before)

### 2. Pass Token via Command-Line Options (Backup)
- Modify `internal/nix/command.go` to pass `--option access-tokens
github.com=$GITHUB_TOKEN` in all nix commands
- This ensures the token is used even if config files aren't picked up
properly

## Changes

- `.github/workflows/cli-tests.yaml`: 
- Update "Setup Nix GitHub authentication" step to ensure
`/etc/nix/nix.conf` exists before writing
- Reorder `auto-nix-install` job to configure Nix AFTER installation
completes
- `internal/nix/command.go`: Add GITHUB_TOKEN to nix command args as
--option access-tokens

## Detailed Analysis

For a comprehensive diagnostic report with evidence, timeline, and
alternative solutions considered, see:
**[CLI Tests Failure
Report](https://gist.github.com/savil/e8a527aa70e38ab588a1bd46103123bd)**

## Note on Reproduction

The issue is specific to GitHub Actions environment and cannot be easily
reproduced locally:
- Requires GitHub Actions runner IP pool hitting rate limits
- Intermittent based on shared quota across GitHub Actions
- Depends on macOS Nix daemon configuration

This PR validates the fix directly in CI/CD where the issue occurs.

Fixes the intermittent test failures that have been occurring since
October 7, 2025.

---------

Co-authored-by: Claude <noreply@anthropic.com>
S
savil committed
dd94878699e9bd2fe17bf5b4cbf6f1a88e7171e1
Parent: 75f7e56
Committed by GitHub <noreply@github.com> on 10/23/2025, 2:35:49 AM