From 19ce28ccec9479118af3f7b7934d64c778390246 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamie.magee@gmail.com>
Date: Wed, 3 May 2023 09:08:57 -0700
Subject: [PATCH] fix(managers/nix): pass github token to nix (#21568)

---
 lib/modules/manager/nix/artifacts.spec.ts | 46 +++++++++++++++++++++--
 lib/modules/manager/nix/artifacts.ts      | 24 +++++++-----
 2 files changed, 58 insertions(+), 12 deletions(-)

diff --git a/lib/modules/manager/nix/artifacts.spec.ts b/lib/modules/manager/nix/artifacts.spec.ts
index 7b4808aed1bb70..35509270490ec9 100644
--- a/lib/modules/manager/nix/artifacts.spec.ts
+++ b/lib/modules/manager/nix/artifacts.spec.ts
@@ -5,16 +5,18 @@ import {
   mockExecAll,
   mockExecSequence,
 } from '../../../../test/exec-util';
-import { env, fs, git, partial } from '../../../../test/util';
+import { env, fs, git, mocked, partial } from '../../../../test/util';
 import { GlobalConfig } from '../../../config/global';
 import type { RepoGlobalConfig } from '../../../config/types';
 import * as docker from '../../../util/exec/docker';
+import * as _hostRules from '../../../util/host-rules';
 import type { UpdateArtifactsConfig } from '../types';
 import { updateArtifacts } from '.';
 
 jest.mock('../../../util/exec/env');
 jest.mock('../../../util/fs');
 jest.mock('../../../util/git');
+jest.mock('../../../util/host-rules');
 
 const adminConfig: RepoGlobalConfig = {
   // `join` fixes Windows CI
@@ -31,13 +33,20 @@ const lockMaintenanceConfig = { ...config, isLockFileMaintenance: true };
 const updateInputCmd = `nix \
     --extra-experimental-features nix-command \
     --extra-experimental-features flakes \
-    flake lock --update-input nixpkgs`;
+flake lock --update-input nixpkgs`;
+const updateInputTokenCmd = `nix \
+    --extra-experimental-features nix-command \
+    --extra-experimental-features flakes \
+--extra-access-tokens github.com=token \
+flake lock --update-input nixpkgs`;
 const lockfileMaintenanceCmd = `nix \
     --extra-experimental-features nix-command \
     --extra-experimental-features flakes \
-    flake update`;
+flake update`;
 
 describe('modules/manager/nix/artifacts', () => {
+  const hostRules = mocked(_hostRules);
+
   beforeEach(() => {
     jest.resetAllMocks();
     env.getChildProcessEnv.mockReturnValue({
@@ -47,6 +56,7 @@ describe('modules/manager/nix/artifacts', () => {
     });
     GlobalConfig.set(adminConfig);
     docker.resetPrefetchedImages();
+    hostRules.find.mockReturnValue({ token: undefined });
   });
 
   it('returns if no flake.lock found', async () => {
@@ -111,6 +121,36 @@ describe('modules/manager/nix/artifacts', () => {
     expect(execSnapshots).toMatchObject([{ cmd: updateInputCmd }]);
   });
 
+  it('adds GitHub token', async () => {
+    fs.readLocalFile.mockResolvedValueOnce('current flake.lock');
+    const execSnapshots = mockExecAll();
+    git.getRepoStatus.mockResolvedValue(
+      partial<StatusResult>({
+        modified: ['flake.lock'],
+      })
+    );
+    fs.readLocalFile.mockResolvedValueOnce('new flake.lock');
+    hostRules.find.mockReturnValueOnce({ token: 'token' });
+
+    const res = await updateArtifacts({
+      packageFileName: 'flake.nix',
+      updatedDeps: [{ depName: 'nixpkgs' }],
+      newPackageFileContent: 'some new content',
+      config: { ...config, constraints: { python: '3.7' } },
+    });
+
+    expect(res).toEqual([
+      {
+        file: {
+          contents: 'new flake.lock',
+          path: 'flake.lock',
+          type: 'addition',
+        },
+      },
+    ]);
+    expect(execSnapshots).toMatchObject([{ cmd: updateInputTokenCmd }]);
+  });
+
   it('supports docker mode', async () => {
     GlobalConfig.set(dockerAdminConfig);
     const execSnapshots = mockExecAll();
diff --git a/lib/modules/manager/nix/artifacts.ts b/lib/modules/manager/nix/artifacts.ts
index d65c1bad3890ca..a563b84efb6c8f 100644
--- a/lib/modules/manager/nix/artifacts.ts
+++ b/lib/modules/manager/nix/artifacts.ts
@@ -5,6 +5,7 @@ import { exec } from '../../../util/exec';
 import type { ExecOptions } from '../../../util/exec/types';
 import { readLocalFile } from '../../../util/fs';
 import { getRepoStatus } from '../../../util/git';
+import * as hostRules from '../../../util/host-rules';
 import { regEx } from '../../../util/regex';
 import type { UpdateArtifact, UpdateArtifactsResult } from '../types';
 
@@ -20,23 +21,28 @@ export async function updateArtifacts({
     return null;
   }
 
-  let cmd: string;
+  let cmd = `nix \
+    --extra-experimental-features nix-command \
+    --extra-experimental-features flakes `;
+
+  const { token } = hostRules.find({
+    hostType: 'github',
+    url: 'https://api.github.com/',
+  });
+
+  if (token) {
+    cmd += `--extra-access-tokens github.com=${token} `;
+  }
 
   if (config.isLockFileMaintenance) {
-    cmd = `nix \
-    --extra-experimental-features nix-command \
-    --extra-experimental-features flakes \
-    flake update`;
+    cmd += 'flake update';
   } else {
     const inputs = updatedDeps
       .map(({ depName }) => depName)
       .filter(is.nonEmptyStringAndNotWhitespace)
       .map((depName) => `--update-input ${quote(depName)}`)
       .join(' ');
-    cmd = `nix \
-    --extra-experimental-features nix-command \
-    --extra-experimental-features flakes \
-    flake lock ${inputs}`;
+    cmd += `flake lock ${inputs}`;
   }
   const execOptions: ExecOptions = {
     cwdFile: packageFileName,