.github/workflows/nix-parse-v2: also check parseability with Nix 2.3

[sternenseemann]

90% of eval issues affecting Nix < 2.4 (which is supported as per lib/minver.nix) are actually already detected at parse time since they involve use of path interpolation / path antiquotations added in Nix 2.4 (https://nix.dev/manual/nix/2.28/release-notes/rl-2.4).

This means that we can cheaply (compared to a full eval) prevent a lot of eval issues with the minimum supported version of Nix from ever reaching channels.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[sternenseemann]

See https://github.com/sternenseemann/nixpkgs/actions/runs/14419515028?pr=2 for an example run.

[wolfgangwalther]

See https://github.com/sternenseemann/nixpkgs/actions/runs/14419515028?pr=2 for an example run.

Since this only runs on changed files, but the test PR didn't have any, I think this only tested the install.

Are we sure that currently all files on master parse with nix 2.3, so that CI doesn't start failing for unrelated changes?

[sternenseemann]

Are we sure that currently all files on master parse with nix 2.3, so that CI doesn't start failing for unrelated changes?

since #398119 yes.

[sternenseemann]

Since this only runs on changed files, but the test PR didn't have any, I think this only tested the install.

It had one changed file at the time of the run.

[SuperSandro2000]

Can we easily give feedback to contributers why eval is failing in the CI but not for them locally?

[sternenseemann]

Can we easily give feedback to contributers why eval is failing in the CI but not for them locally?

I think it's good enough, i.e. it'll tell users about the Nix version that is failing. In any case a slightly confusing error message is better than silently breaking channels. It's unnecessary imo to block this on investing a ton of time into making this a little clearer by parsing the error output or whatever. (As a side note, if someone is looking for a “fun” project, they could try adding github actions annotations so that eval errors from CI show up in the diff viewer in the PR view.)

[Mic92]

Feels a bit uneasy to have a Nix version that not longer receives security updates running in

on:
  pull_request_target:

[wolfgangwalther]

Feels a bit uneasy to have a Nix version that not longer receives security updates running in

Agreed.

We could maybe rewrite the job in a way that uses latest nix on the outside, and then runs nix 2.3 in the nix sandbox itself. This would also be a tiny step towards a future, where I could just do something like nix-build ci locally and have all the checks run there.

[wolfgangwalther]

Superseded by #404466, where I implemented the parse check inside the nix sandbox, thus allowing to run nix 2.3 (and lix) securely.