authorSilvan Mosberger <silvan.mosberger@tweag.io>2024-06-26 00:52:13 +0200
committerSilvan Mosberger <silvan.mosberger@tweag.io>2024-06-26 16:06:49 +0200
commitb33ac05d043c03cf98397e5f026ee5a93b781199 (patch)
tree1ba92557a72b229cc6bdbcc1e4095eb04a5da6bb /.github
parent13599930cb314ca9335fbb9dcb31acc4342f748d (diff)
ci: reusable Nix format Nixpkgs pin
This is needed such that in the next commit, we can re-use the same
version from a shell.nix, allowing people to have a guaranteed matching
nixfmt version.
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/check-nix-format.yml11
1 files changed, 8 insertions, 3 deletions
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
index 131803213cb57..5a3b7fe40cb92 100644
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
@@ -19,13 +19,18 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - name: Get Nixpkgs revision for nixfmt
+        run: |
+          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
+          # from staging
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
       - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-          # fix a commit from nixpkgs-unstable to avoid e.g. building nixfmt
-          # from staging
-          nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/4b455dc2048f73a79eb3713f342369ff58f93e0b.tar.gz
+          nix_path: nixpkgs=${{ env.url }}
       - name: Install nixfmt
         run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
       - name: Check that Nix files are formatted according to the RFC style
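Review bot: `rev` in the new "Get Nixpkgs revision for nixfmt" step is written to `$GITHUB_ENV` and spliced into the tarball URL without any check on its shape, and it is read from `ci/pinned-nixpkgs.json` in the PR merge ref checked out just above, so the pull request controls its content. The comment's guarantee (a revision, not a URL) only holds if the value really is a commit hash; a value containing path separators or line breaks would change which archive is fetched or add further lines to the environment file. I would reject anything else right after the `jq` line: `[[ "$rev" =~ ^[0-9a-f]{40}$ ]] || { echo "ci/pinned-nixpkgs.json: rev is not a commit hash" >&2; exit 1; }` (this assumes the step runs under bash, which the hunk does not show). Reading the pin from the base branch rather than the merge ref would be the stricter option if the workflow does run on `pull_request_target`, as the comment at the top of the hunk suggests; the trigger and the rest of the job are outside the hunk.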