Ensure dependabot doesn't break over time

The automated GitHub workflow updates were broken for some time due to dependabot's images fetched at runtime went out of sync with the binary. While updating dependabot fixed it for now, a more permanent fix is to use the version of dependabot that pins the images at build time, introduced in NixOS/nixpkgs#352866 and NixOS/nixpkgs#354085
NixOS · Nov 25, 2024 · b7c7099 · b7c7099
1 parent 54a1aec
commit b7c7099
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/default.nix b/default.nix
@@ -132,7 +132,7 @@ let
           githubActions = pkgs.writeShellApplication {
             name = "update-github-actions";
             runtimeInputs = with pkgs; [
-              dependabot-cli
+              dependabot-cli.withDockerImages
               jq
               github-cli
               coreutils
@@ -144,8 +144,8 @@ let
       pkgs.writeShellApplication {
         name = "auto-pr-update";
         text = ''
-          # Prevent impurities
-          unset PATH
+          # Prevent impurities, but we need docker
+          PATH=$(dirname "$(which docker)")
           ${lib.concatMapStringsSep "\n" (script: ''
             echo >&2 "Running ${script}"
             ${lib.getExe script} "$1"