Fix flake-update pipeline and update ringtail flake inputs

The `--exclude` flag added in #321 never existed in nix — it was introduced broken and never tested. Replace with dynamic input discovery: query `nix flake metadata --json` for all input names, filter out skip_inputs (default: nixpkgs-services), pass the rest as positional args. Also bump NIX_IMAGE 2.33.3 → 2.34.4. Updated inputs: nixpkgs, home-manager, disko. nixpkgs-services stays pinned. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 08:24:48 -07:00 · 2026-04-06 08:24:48 -07:00 · 54213ab810
commit 54213ab810
parent 370a3574b2
3 changed files with 46 additions and 22 deletions
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@ -1,7 +1,7 @@
 import dagger
 from dagger import dag, function, object_type

-NIX_IMAGE = "nixos/nix:2.33.3"
+NIX_IMAGE = "nixos/nix:2.34.4"


@object_type
@ -256,29 +256,52 @@ class BlumeopsCi:

    @function
    async def flake_update(
-        self, src: dagger.Directory, flake_path: str = "nixos/ringtail"
+        self,
+        src: dagger.Directory,
+        flake_path: str = "nixos/ringtail",
+        skip_inputs: str = "nixpkgs-services",
    ) -> dagger.File:
        """Update rolling flake inputs to latest and return updated flake.lock.

-        Skips nixpkgs-services, which is pinned to a specific commit and should
-        only be updated deliberately during service reviews.
+        Dynamically discovers all flake inputs, filters out skip_inputs
+        (comma-separated), and passes the rest as positional args to
+        `nix flake update`. This avoids hardcoding input names.
+
+        Args:
+            src: Source directory containing the flake.
+            flake_path: Path to the flake within src.
+            skip_inputs: Comma-separated input names to exclude from update.
        """
+        # nix has no --exclude flag; instead we enumerate inputs via
+        # `nix flake metadata --json` and pass the ones we want as
+        # positional args.
+        update_script = (
+            "set -e; "
+            "SKIP='$SKIP_INPUTS'; "
+            "ALL=$(nix --extra-experimental-features 'nix-command flakes' "
+            "flake metadata --json 2>/dev/null "
+            "| nix-instantiate --eval -E "
+            '"builtins.concatStringsSep \\" \\" '
+            "(builtins.attrNames "
+            "(builtins.fromJSON (builtins.readFile /dev/stdin))"
+            '.locks.nodes.root.inputs)" '
+            "| tr -d '\"'); "
+            "INPUTS=''; "
+            "for i in $ALL; do "
+            '  case ",$SKIP," in *",$i,"*) continue ;; esac; '
+            '  INPUTS="$INPUTS $i"; '
+            "done; "
+            'echo "Updating inputs:$INPUTS"; '
+            'echo "Skipping: $SKIP"; '
+            "nix --extra-experimental-features 'nix-command flakes' "
+            "flake update $INPUTS --accept-flake-config"
+        )
        return await (
            dag.container()
            .from_(NIX_IMAGE)
            .with_directory("/workspace", src)
            .with_workdir(f"/workspace/{flake_path}")
-            .with_exec(
-                [
-                    "nix",
-                    "--extra-experimental-features",
-                    "nix-command flakes",
-                    "flake",
-                    "update",
-                    "--exclude",
-                    "nixpkgs-services",
-                    "--accept-flake-config",
-                ]
-            )
+            .with_env_variable("SKIP_INPUTS", skip_inputs)
+            .with_exec(["sh", "-c", update_script])
            .file(f"/workspace/{flake_path}/flake.lock")
        )
--- a/docs/changelog.d/+fix-flake-update-pipeline.bugfix.md
+++ b/docs/changelog.d/+fix-flake-update-pipeline.bugfix.md
@ -0,0 +1 @@
+Fix dagger flake-update pipeline: replace nonexistent `--exclude` flag with dynamic input discovery
--- a/nixos/ringtail/flake.lock
+++ b/nixos/ringtail/flake.lock
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774559029,
-        "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
+        "lastModified": 1775425411,
+        "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
+        "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
        "type": "github"
      },
      "original": {
@ -43,11 +43,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1774388614,
-        "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
+        "lastModified": 1775305101,
+        "narHash": "sha256-/74n1oQPtKG52Yw41cbToxspxHbYz6O3vi+XEw16Qe8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
+        "rev": "36a601196c4ebf49e035270e10b2d103fe39076b",
        "type": "github"
      },
      "original": {
				`@ -0,0 +1 @@`
				Fix dagger flake-update pipeline: replace nonexistent `--exclude` flag with dynamic input discovery