Switch to secure packages

.github/workflows/build.yaml

@@ -8,8 +8,8 @@ jobs:
   build-artifacts:
     runs-on: ${{ matrix.systems.runner }}
     permissions:
-      id-token: "write"
-      contents: "read"
+      id-token: write
+      contents: read
     env:
       ARTIFACT_KEY: flake-checker-${{ matrix.systems.system }}
     strategy:
@@ -18,9 +18,6 @@ jobs:
           - nix-system: aarch64-darwin
             runner: macos-15
             system: ARM64-macOS
-          - nix-system: x86_64-darwin
-            runner: macos-13
-            system: X64-macOS
           - nix-system: aarch64-linux
             runner: ubuntu-24.04-arm
             system: ARM64-Linux
@@ -38,9 +35,6 @@ jobs:
         uses: DeterminateSystems/flakehub-cache-action@main
 
       - name: Build and cache dev shell for ${{ matrix.systems.nix-system }} on ${{ matrix.systems.runner }}
-        # We still support this system but caching the dev shell fails due to system support mismatch,
-        # and we don't really need this cached anyway
-        if: ${{ matrix.systems.nix-system != 'x86_64-darwin' }}
         run: |
           nix build -L ".#devShells.${{ matrix.systems.nix-system }}.default"
 

.github/workflows/ci.yaml

@@ -9,6 +9,9 @@ jobs:
   checks:
     name: Nix and Rust checks
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -18,15 +21,18 @@ jobs:
         with:
           fail-mode: true
       - name: Check Nix formatting
-        run: nix develop -c check-nixpkgs-fmt
+        run: nix develop -c check-nix-fmt
       - name: Check Rust formatting
-        run: nix develop -c check-rustfmt
+        run: nix develop -c check-rust-fmt
       - name: Clippy
         run: nix develop -c cargo clippy
 
   rust-tests:
     name: Test Rust
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -37,6 +43,9 @@ jobs:
   check-flake-cel-condition:
     name: Check flake.lock test (CEL condition)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -51,6 +60,9 @@ jobs:
   check-flake-dirty:
     name: Check flake.lock test (dirty 😈)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -62,6 +74,9 @@ jobs:
   check-flake-clean:
     name: Check flake.lock test (clean 👼)
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
@@ -74,6 +89,9 @@ jobs:
     name: Check flake.lock test (dirty 😈 plus fail mode activated)
     runs-on: ubuntu-24.04
     if: false
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main

.github/workflows/ref-statuses.yaml

@@ -7,6 +7,9 @@ on:
 jobs:
   check-ref-statuses:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/update-flake-lock.yaml

@@ -8,6 +8,9 @@ on:
 jobs:
   lockfile:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main

flake.nix

@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0";
+    nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";
 
     fenix = {
       url = "https://flakehub.com/f/nix-community/fenix/0";
@@ -27,7 +27,6 @@
       supportedSystems = [
         "x86_64-linux"
         "aarch64-linux"
-        "x86_64-darwin"
         "aarch64-darwin"
       ];
 
@@ -87,7 +86,10 @@
           flake-checker = pkgs.naerskLib.buildPackage (
             {
               name = "flake-checker";
-              src = self;
+              src = builtins.path {
+                name = "flake-checker-src";
+                path = self;
+              };
               doCheck = true;
               nativeBuildInputs = with pkgs; [ ] ++ lib.optionals stdenv.isDarwin [ libiconv ];
             }
@@ -110,18 +112,18 @@
         {
           default =
             let
-              check-nixpkgs-fmt = pkgs.writeShellApplication {
-                name = "check-nixpkgs-fmt";
+              check-nix-fmt = pkgs.writeShellApplication {
+                name = "check-nix-fmt";
                 runtimeInputs = with pkgs; [
                   git
-                  nixpkgs-fmt
+                  nixfmt-rfc-style
                 ];
                 text = ''
-                  nixpkgs-fmt --check "$(git ls-files '*.nix')"
+                  git ls-files '*.nix' | xargs nixfmt --check
                 '';
               };
-              check-rustfmt = pkgs.writeShellApplication {
-                name = "check-rustfmt";
+              check-rust-fmt = pkgs.writeShellApplication {
+                name = "check-rust-fmt";
                 runtimeInputs = with pkgs; [ rustToolchain ];
                 text = "cargo fmt --check";
               };
@@ -159,16 +161,15 @@
                 cargo-watch
                 rust-analyzer
 
-                # Nix
-                nixpkgs-fmt
-
                 # CI checks
-                check-nixpkgs-fmt
-                check-rustfmt
+                check-nix-fmt
+                check-rust-fmt
 
                 # Scripts
                 get-ref-statuses
                 update-readme
+
+                self.formatter.${system}
               ];
 
               env = {
@@ -178,5 +179,7 @@
             };
         }
       );
+
+      formatter = forAllSystems ({ pkgs, ... }: pkgs.nixfmt-rfc-style);
     };
 }