From c250688244f4209ae90a267fc5ad6e17435a2eea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <dw@edgeless.systems>
Date: Thu, 4 Sep 2025 12:46:05 +0200
Subject: [PATCH] deps: keep install-nix-action at v31.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---
 .github/actions/setup_bazel_nix/action.yml      | 2 +-
 .github/workflows/aws-snp-launchmeasurement.yml | 2 +-
 renovate.json5                                  | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/actions/setup_bazel_nix/action.yml b/.github/actions/setup_bazel_nix/action.yml
index 81b236d18..ed06255e5 100644
--- a/.github/actions/setup_bazel_nix/action.yml
+++ b/.github/actions/setup_bazel_nix/action.yml
@@ -114,7 +114,7 @@ runs:
 
     - name: Install nix
       if: steps.check_inputs.outputs.nixPreinstalled == 'false'
-      uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31
+      uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31.4.0
       with:
         install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
 
diff --git a/.github/workflows/aws-snp-launchmeasurement.yml b/.github/workflows/aws-snp-launchmeasurement.yml
index 7a8b1b4cc..5159ac504 100644
--- a/.github/workflows/aws-snp-launchmeasurement.yml
+++ b/.github/workflows/aws-snp-launchmeasurement.yml
@@ -17,7 +17,7 @@ jobs:
         path: constellation
 
     - name: Install Nix
-      uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31
+      uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31.4.0
 
     - name: Download Firmware release
       id: download-firmware
diff --git a/renovate.json5 b/renovate.json5
index ec4b1f189..c31767e23 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -28,6 +28,8 @@
     'operators/constellation-node-operator/config/manager/kustomization.yaml',
   ],
   ignoreDeps: [
+    // Newer version install different versions of nix, breaking reproducibility
+    'cachix/install-nix-action',
     'github.com/edgelesssys/constellation/v2',
     // Only update once they fixed dependency violations on their side.
     'github.com/google/go-tpm-tools',