Use GitHub Repo Activity API to fetch Nix branch tips by JamieMagee · Pull Request #14840 · dependabot/dependabot-core

JamieMagee · 2026-04-27T23:15:53Z

What are you trying to accomplish?

For Nix flake inputs that track a branch on GitHub, fetch update candidates from the Repo Activity API instead of paginating /commits. Each activity entry's after SHA was once the actual branch tip. For nixpkgs channels that means it was Hydra-evaluated and is cache-backed. The current /commits walker returns mostly intermediate master commits that were never branch tips and aren't covered by the binary cache, which means any code that picks from the candidate set (cooldown fallbacks, "pick an older commit" heuristics) risks handing users a flake.lock that builds the world from source.

Fixes #14836. Came up while reviewing #14829.

Anything you want to highlight for special attention from reviewers?

The existing /commits walker is kept as a fallback for non-GitHub URLs, SHA-pinned refs, empty results, and HTTP errors. No regression for any case that already worked.
Auth and retries are handled by Dependabot::Clients::GithubWithRetries.for_github_dot_com(credentials:), matching the pattern in pre_commit/ and bazel/.
T.unsafe(github_client).get(...) is needed because GithubWithRetries proxies via method_missing. Same pattern as bazel/lib/dependabot/bazel/update_checker/registry_client.rb, including the Sorbet/ForbidTUnsafe exclude in nix/.rubocop.yml.

How will you know you've accomplished your goal?

New spec at nix/spec/dependabot/nix/package/package_details_fetcher_spec.rb covers the happy path, pseudo-version ordering, auth header injection, 403 fallback, empty-response fallback, SHA-pinned skip, non-GitHub skip, and credentials-absent path.
For a nixpkgs nixos-unstable input with cooldown enabled, the proposed update SHA appears in the first page of /repos/NixOS/nixpkgs/activity?ref=refs/heads/nixos-unstable&activity_type=push,force_push.

Checklist

I have run the complete test suite to ensure all tests and linters pass.
I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
I have written clear and descriptive commit messages.
I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
I have ensured that the code is well-documented and easy to understand.

Copilot

Copilot's findings

Files reviewed: 2/2 changed files
Comments generated: 1

Copilot

Copilot's findings

Files reviewed: 2/2 changed files
Comments generated: 0 new

For Nix flake inputs that track a branch on GitHub, fetch update candidates from the Repo Activity API instead of paginating /commits. Each activity entry's after SHA was once the actual branch tip, which for nixpkgs channels means it's Hydra-evaluated and cache-backed. The existing /commits walker stays as a fallback for non-GitHub URLs, SHA-pinned refs, and HTTP errors. Fixes #14836

…t fallback

…indent

- Scope Sorbet/ForbidTUnsafe disable to the single T.unsafe call - Keep locked SHA in trim_entries_to_locked_sha when it appears as 'before' - Read the documented 'timestamp' field from the Repo Activity API

…-api Use GitHub Repo Activity API to fetch Nix branch tips

Copilot AI review requested due to automatic review settings April 27, 2026 23:15

JamieMagee requested a review from a team as a code owner April 27, 2026 23:15

JamieMagee added the L: nix label Apr 27, 2026

Copilot started reviewing on behalf of JamieMagee April 27, 2026 23:16 View session