Initial nix support

.github/ci-filters.yml

@@ -71,6 +71,9 @@ julia:
 maven:
   - *shared
   - 'maven/**'
+nix:
+  - *shared
+  - 'nix/**'
 npm_and_yarn:
   - *shared
   - 'npm_and_yarn/**'

.github/issue-labeler.yml

@@ -84,3 +84,6 @@
 
 "L: pre:commit":
     - '(pre_commit)'
+
+"L: nix":
+    - '(nix)'

.github/smoke-filters.yml

@@ -47,6 +47,9 @@ hex:
 maven:
   - *common
   - 'maven/**'
+nix:
+  - *common
+  - 'nix/**'
 npm_and_yarn:
   - *common
   - 'npm_and_yarn/**'

.github/smoke-matrix.json

@@ -79,6 +79,11 @@
     "test": "maven",
     "ecosystem": "maven"
   },
+  {
+    "core": "nix",
+    "test": "nix",
+    "ecosystem": "nix"
+  },
   {
     "core": "npm_and_yarn",
     "test": "npm",

.github/workflows/ci.yml

@@ -37,6 +37,7 @@ jobs:
           - { path: hex, name: hex, ecosystem: mix }
           - { path: julia, name: julia, ecosystem: julia }
           - { path: maven, name: maven, ecosystem: maven }
+          - { path: nix, name: nix, ecosystem: nix }
           - { path: npm_and_yarn, name: npm_and_yarn, ecosystem: npm }
           - { path: nuget, name: nuget, ecosystem: nuget }
           - { path: pre_commit, name: pre_commit, ecosystem: pre-commit }

.github/workflows/images-branch.yml

@@ -77,6 +77,7 @@ jobs:
           - { name: hex, ecosystem: mix }
           - { name: julia, ecosystem: julia }
           - { name: maven, ecosystem: maven }
+          - { name: nix, ecosystem: nix }
           - { name: npm_and_yarn, ecosystem: npm }
           - { name: nuget, ecosystem: nuget }
           - { name: pre_commit, ecosystem: pre-commit }

.github/workflows/images-latest.yml

@@ -55,6 +55,7 @@ jobs:
           - { name: hex, ecosystem: mix }
           - { name: julia, ecosystem: julia }
           - { name: maven, ecosystem: maven }
+          - { name: nix, ecosystem: nix }
           - { name: npm_and_yarn, ecosystem: npm }
           - { name: nuget, ecosystem: nuget }
           - { name: pre_commit, ecosystem: pre-commit }

Dockerfile.updater-core

@@ -162,7 +162,7 @@ COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependab
 COPY --chown=dependabot:dependabot --parents */.bundle */*.gemspec common/lib/dependabot.rb LICENSE omnibus $DEPENDABOT_HOME
 
 # This ARG must be updated when adding/removing ecosystems - it invalidates Docker layer cache
-ARG ECOSYSTEM_LIST="bazel bun bundler cargo composer conda devcontainers docker docker_compose dotnet_sdk elm git_submodules github_actions go_modules gradle helm hex julia maven npm_and_yarn nuget opentofu pre_commit pub python rust_toolchain silent swift terraform uv vcpkg"
+ARG ECOSYSTEM_LIST="bazel bun bundler cargo composer conda devcontainers docker docker_compose dotnet_sdk elm git_submodules github_actions go_modules gradle helm hex julia maven nix npm_and_yarn nuget opentofu pre_commit pub python rust_toolchain silent swift terraform uv vcpkg"
 # prevent having all the source in every ecosystem image
 RUN for ecosystem in $ECOSYSTEM_LIST; do \
     mkdir -p $ecosystem/lib/dependabot; \

bin/dry-run.rb

@@ -79,6 +79,7 @@
 $LOAD_PATH << "./hex/lib"
 $LOAD_PATH << "./julia/lib"
 $LOAD_PATH << "./maven/lib"
+$LOAD_PATH << "./nix/lib"
 $LOAD_PATH << "./npm_and_yarn/lib"
 $LOAD_PATH << "./nuget/lib"
 $LOAD_PATH << "./pre_commit/lib"

common/lib/dependabot/config/file.rb

@@ -79,6 +79,7 @@ def self.parse(config)
           "julia" => "julia",
           "maven" => "maven",
           "mix" => "hex",
+          "nix" => "nix",
           "npm" => "npm_and_yarn",
           "nuget" => "nuget",
           "opentofu" => "opentofu",

nix/.bundle/config

@@ -0,0 +1 @@
+BUNDLE_GEMFILE: "../dependabot-updater/Gemfile"

nix/.gitignore

@@ -0,0 +1,4 @@
+/.bundle/*
+!.bundle/config
+/tmp
+/dependabot-*.gem

nix/.rubocop.yml

@@ -0,0 +1 @@
+inherit_from: ../.rubocop.yml

nix/Dockerfile

@@ -0,0 +1,19 @@
+# syntax=docker.io/docker/dockerfile:1.20
+FROM docker.io/nixos/nix:2.34.1 AS nix
+
+FROM ghcr.io/dependabot/dependabot-updater-core
+
+# Copy Nix from the official image
+COPY --from=nix /nix /nix
+
+# Configure Nix for single-user mode with flakes enabled
+RUN mkdir -p /etc/nix \
+  && echo "experimental-features = nix-command flakes" > /etc/nix/nix.conf \
+  && echo "sandbox = false" >> /etc/nix/nix.conf
+
+ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
+
+USER dependabot
+
+COPY --chown=dependabot:dependabot --parents nix common $DEPENDABOT_HOME/
+COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater

nix/README.md

@@ -0,0 +1,42 @@
+## `dependabot-nix`
+
+Nix support for [`dependabot-core`][core-repo].
+
+### Running locally
+
+1. Start a development shell
+
+  ```sh
+  bin/docker-dev-shell nix
+  ```
+
+1. Run tests
+
+  ```sh
+  [dependabot-core-dev] ~ $ cd nix && rspec
+  ```
+
+[core-repo]: https://github.com/dependabot/dependabot-core
+
+### Implementation Status
+
+This ecosystem is currently under development. See [NEW_ECOSYSTEMS.md](../NEW_ECOSYSTEMS.md) for implementation guidelines.
+
+#### Required Classes
+
+- [x] FileFetcher
+- [x] FileParser
+- [x] UpdateChecker
+- [x] FileUpdater
+
+#### Optional Classes
+
+- [x] MetadataFinder
+- [x] Version
+- [x] Requirement
+
+#### Supporting Infrastructure
+
+- [x] Comprehensive unit tests
+- [x] CI/CD integration
+- [x] Documentation

nix/dependabot-nix.gemspec

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  common_gemspec =
+    Bundler.load_gemspec_uncached("../common/dependabot-common.gemspec")
+
+  spec.name         = "dependabot-nix"
+  spec.summary      = "Provides Dependabot support for Nix"
+  spec.description  = "Dependabot-Nix provides support for bumping Nix dependencies via Dependabot. " \
+                      "If you want support for multiple package managers, you probably want the meta-gem " \
+                      "dependabot-omnibus."
+
+  spec.author       = common_gemspec.author
+  spec.email        = common_gemspec.email
+  spec.homepage     = common_gemspec.homepage
+  spec.license      = common_gemspec.license
+
+  spec.metadata = {
+    "bug_tracker_uri" => common_gemspec.metadata["bug_tracker_uri"],
+    "changelog_uri" => common_gemspec.metadata["changelog_uri"]
+  }
+
+  spec.version = common_gemspec.version
+  spec.required_ruby_version = common_gemspec.required_ruby_version
+  spec.required_rubygems_version = common_gemspec.required_ruby_version
+
+  spec.require_path = "lib"
+  spec.files        = Dir["lib/**/*"]
+
+  spec.add_dependency "dependabot-common", Dependabot::VERSION
+
+  common_gemspec.development_dependencies.each do |dep|
+    spec.add_development_dependency dep.name, *dep.requirement.as_list
+  end
+end

nix/lib/dependabot/nix.rb

@@ -0,0 +1,20 @@
+# typed: strong
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/nix/file_fetcher"
+require "dependabot/nix/file_parser"
+require "dependabot/nix/update_checker"
+require "dependabot/nix/file_updater"
+require "dependabot/nix/metadata_finder"
+require "dependabot/nix/version"
+require "dependabot/nix/requirement"
+
+require "dependabot/pull_request_creator/labeler"
+Dependabot::PullRequestCreator::Labeler
+  .register_label_details("nix", name: "nix", colour: "3E6399")
+
+require "dependabot/dependency"
+Dependabot::Dependency
+  .register_production_check("nix", ->(_) { true })

nix/lib/dependabot/nix/file_fetcher.rb

@@ -0,0 +1,66 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Nix
+    class FileFetcher < Dependabot::FileFetchers::Base
+      extend T::Sig
+
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
+      def self.required_files_in?(filenames)
+        filenames.include?("flake.nix") && filenames.include?("flake.lock")
+      end
+
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a flake.nix and flake.lock file."
+      end
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def fetch_files
+        unless allow_beta_ecosystems?
+          raise Dependabot::DependencyFileNotFound.new(
+            nil,
+            "Nix support is currently in beta. Set ALLOW_BETA_ECOSYSTEMS=true to enable it."
+          )
+        end
+
+        fetched_files = []
+        fetched_files << flake_nix
+        fetched_files << flake_lock
+        fetched_files
+      end
+
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def ecosystem_versions
+        nil
+      end
+
+      private
+
+      sig { returns(Dependabot::DependencyFile) }
+      def flake_nix
+        @flake_nix ||=
+          T.let(
+            fetch_file_from_host("flake.nix"),
+            T.nilable(Dependabot::DependencyFile)
+          )
+      end
+
+      sig { returns(Dependabot::DependencyFile) }
+      def flake_lock
+        @flake_lock ||=
+          T.let(
+            fetch_file_from_host("flake.lock"),
+            T.nilable(Dependabot::DependencyFile)
+          )
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("nix", Dependabot::Nix::FileFetcher)