Skip to content

Fix GitHub API rate limiting in cli-tests #2731

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
loreto merged 2 commits into from
Oct 23, 2025
Merged

Fix GitHub API rate limiting in cli-tests #2731

loreto merged 2 commits into from
Oct 23, 2025

Conversation

@savil
Copy link
Collaborator

@savil savil commented Oct 22, 2025
edited
Loading

Problem

The cli-tests on the main branch have been failing intermittently in GitHub Actions since at least October 7, 2025, due to GitHub API rate limiting when Nix attempts to fetch nixpkgs metadata.

Error Message

unable to download 'https://api.github.com/repos/NixOS/nixpkgs/commits/nixpkgs-unstable': HTTP error 403
API rate limit exceeded for 13.105.49.133.

Despite having GITHUB_TOKEN configured in both NIX_CONFIG environment variable and ~/.config/nix/nix.conf, the tests were still hitting unauthenticated rate limits.

Root Cause

On macOS runners, the Nix daemon:

  • Runs as a different user (not the runner user)
  • Reads /etc/nix/nix.conf instead of the user's ~/.config/nix/nix.conf
  • Doesn't inherit environment variables from the runner

This meant that while nix show-config showed the access token was configured, the daemon wasn't actually using it when making GitHub API requests.

Solution

This PR implements a two-pronged approach:

1. Configure Nix Daemon Properly (Primary Fix)

  • On macOS runners, configure /etc/nix/nix.conf with the GitHub token
  • Ensure the directory and file exist before writing
  • Restart the Nix daemon to pick up the new configuration
  • In auto-nix-install job, configure AFTER Nix is installed (not before)

2. Pass Token via Command-Line Options (Backup)

  • Modify internal/nix/command.go to pass --option access-tokens github.com=$GITHUB_TOKEN in all nix commands
  • This ensures the token is used even if config files aren't picked up properly

Changes

  • .github/workflows/cli-tests.yaml:
    • Update "Setup Nix GitHub authentication" step to ensure /etc/nix/nix.conf exists before writing
    • Reorder auto-nix-install job to configure Nix AFTER installation completes
  • internal/nix/command.go: Add GITHUB_TOKEN to nix command args as --option access-tokens

Detailed Analysis

For a comprehensive diagnostic report with evidence, timeline, and alternative solutions considered, see:
CLI Tests Failure Report

Note on Reproduction

The issue is specific to GitHub Actions environment and cannot be easily reproduced locally:

  • Requires GitHub Actions runner IP pool hitting rate limits
  • Intermittent based on shared quota across GitHub Actions
  • Depends on macOS Nix daemon configuration

This PR validates the fix directly in CI/CD where the issue occurs.

Fixes the intermittent test failures that have been occurring since October 7, 2025.

savil and others added 2 commits October 22, 2025 13:54
@savil @claude
Fix GitHub API rate limiting in cli-tests
b458afa 
This commit addresses intermittent cli-test failures on main caused by
GitHub API rate limiting when Nix attempts to fetch nixpkgs metadata.

Problem:
- Tests were hitting 403 errors with "API rate limit exceeded" message
- Despite having GITHUB_TOKEN configured in NIX_CONFIG and ~/.config/nix/nix.conf,
  the token wasn't being used properly by the Nix daemon on macOS runners

Root Cause:
- On macOS, the Nix daemon runs as a different user and reads /etc/nix/nix.conf
  instead of the user's ~/.config/nix/nix.conf
- The daemon wasn't picking up the access token configuration

Solution:
1. Configure /etc/nix/nix.conf system-wide on macOS runners and restart the daemon
2. As a backup, pass the access token explicitly via --option access-tokens in nix commands

Changes:
- .github/workflows/cli-tests.yaml: Update "Setup Nix GitHub authentication" step
  to configure /etc/nix/nix.conf on macOS and restart the daemon
- internal/nix/command.go: Add GITHUB_TOKEN to nix command args as --option access-tokens
- cli-tests-failure-report.md: Comprehensive diagnostic report of the issue

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@savil @claude
Fix /etc/nix/nix.conf error in auto-nix-install job
6c78201 
- Ensure /etc/nix directory and nix.conf file exist before appending
- Move configuration to AFTER Nix is installed in auto-nix-install job
- Configure user config before devbox runs (Nix installer respects this)
- Then configure system-wide config after Nix installation completes

This fixes the "No such file or directory" error in the auto-nix-install
job on macOS.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
loreto
loreto approved these changes Oct 23, 2025
View reviewed changes
Copy link
Contributor

@loreto loreto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@loreto loreto merged commit dd94878 into main Oct 23, 2025
59 of 60 checks passed
@loreto loreto deleted the savil/fix-tests-4 branch October 23, 2025 02:35
@savil savil mentioned this pull request Oct 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@loreto loreto loreto approved these changes

@gcurtis gcurtis Awaiting requested review from gcurtis

@mikeland73 mikeland73 Awaiting requested review from mikeland73

@ipince ipince Awaiting requested review from ipince

@LucilleH LucilleH Awaiting requested review from LucilleH

@mohsenari mohsenari Awaiting requested review from mohsenari

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@savil @loreto