Update docs

.github/workflows/allowed-refs.yaml

@@ -1,36 +0,0 @@
-name: Check that allowed refs are up to date
-
-on:
-  schedule:
-    - cron: "0 0 * * *" # Daily
-
-jobs:
-  check-allowed-refs:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: DeterminateSystems/nix-installer-action@main
-
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-
-      - name: Check allowed refs
-        run: |
-          nix develop --command cargo run --features allowed-refs -- --check-allowed-refs
-
-      - name: Update allowed-refs.json
-        if: failure()
-        run: |
-          allowed_refs_json=$(nix develop --command cargo run --features allowed-refs -- --get-allowed-refs | jq .)
-          echo "${allowed_refs_json}" > allowed-refs.json
-
-      - name: Create pull request
-        if: failure()
-        uses: peter-evans/create-pull-request@v6
-        with:
-          commit-message: Update allowed-refs.json to new valid Git refs list
-          title: Update allowed-refs.json
-          body: |
-            Nixpkgs has changed its list of maintained references. This PR updates `allowed-refs.json` to reflect that change.
-          branch: updated-allowed-refs
-          base: main

.github/workflows/supported-refs.yaml

@@ -0,0 +1,36 @@
+name: Check that supported refs are up to date
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Daily
+
+jobs:
+  check-supported-refs:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: DeterminateSystems/nix-installer-action@main
+
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check supported refs
+        run: |
+          nix develop --command cargo run --features supported-refs -- --check-supported-refs
+
+      - name: Update supported-refs.json
+        if: failure()
+        run: |
+          supported_refs_json=$(nix develop --command cargo run --features supported-refs -- --get-supported-refs | jq .)
+          echo "${supported_refs_json}" > supported-refs.json
+
+      - name: Create pull request
+        if: failure()
+        uses: peter-evans/create-pull-request@v6
+        with:
+          commit-message: Update supported-refs.json to new valid Git refs list
+          title: Update supported-refs.json
+          body: |
+            Nixpkgs has changed its list of maintained references. This PR updates `supported-refs.json` to reflect that change.
+          branch: updated-supported-refs
+          base: main

Cargo.toml

@@ -4,26 +4,34 @@ version = "0.1.19"
 edition = "2021"
 
 [workspace]
-members = [
-  ".",
-  "parse-flake-lock"
-]
+members = [".", "parse-flake-lock"]
 
 [dependencies]
 cel-interpreter = { version = "0.7.1", default-features = false }
 cel-parser = { version = "0.6.0", default-features = false }
-chrono = { version = "0.4.25", default-features = false, features = [ "clock" ] }
-clap = { version = "4.3.0", default-features = false, features = [ "derive", "env", "std", "wrap_help" ] }
+chrono = { version = "0.4.25", default-features = false, features = ["clock"] }
+clap = { version = "4.3.0", default-features = false, features = [
+  "derive",
+  "env",
+  "std",
+  "wrap_help",
+] }
 handlebars = { version = "4.3.7", default-features = false }
 is_ci = "1.1.1"
 once_cell = { version = "1.19.0", default-features = false }
 parse-flake-lock = { path = "./parse-flake-lock" }
-reqwest = { version = "0.11.18", default-features = false, features = ["blocking", "json", "rustls-tls-native-roots"] }
-serde = { version = "1.0.163", features = [ "derive" ] }
-serde_json = { version = "1.0.116", default-features = false, features = ["std"] }
+reqwest = { version = "0.11.18", default-features = false, features = [
+  "blocking",
+  "json",
+  "rustls-tls-native-roots",
+] }
+serde = { version = "1.0.163", features = ["derive"] }
+serde_json = { version = "1.0.116", default-features = false, features = [
+  "std",
+] }
 sha2 = { version = "0.10.6", default-features = false }
 thiserror = "1.0.40"
 
 [features]
 default = []
-allowed-refs = []
+supported-refs = []

README.md

@@ -17,18 +17,16 @@ nix run github:DeterminateSystems/flake-checker /path/to/flake.lock
 Nix Flake Checker looks at your `flake.lock`'s root-level [Nixpkgs] inputs.
 There are two ways to express flake policies:
 
-* Via [policy conditions](#policy-conditions) using [Common Expression Language][cel] (CEL)
-* Via [parameters](#parameters)
+* Via [config parameters](#parameters).
+* Via [policy conditions](#policy-conditions) using [Common Expression Language][cel] (CEL).
 
-## Policy conditions
+If you're running it locally, Nix Flake Checker reports any issues via text output in your terminal.
+But you can also use Nix Flake Checker [in CI](#the-flake-checker-action).
 
+## Supported branches
 
-
-## Parameters
-
-and checks that:
-
-- Any explicit Nixpkgs Git refs are in this list:
+At any given time, [Nixpkgs] has a bounded set of branches that are considered *supported*.
+The current list:
 
   * `nixos-23.11`
   * `nixos-23.11-small`
@@ -40,11 +38,46 @@ and checks that:
   * `nixpkgs-24.05-darwin`
   * `nixpkgs-unstable`
 
-- Any Nixpkgs dependencies are less than 30 days old
-- Any Nixpkgs dependencies have the [`NixOS`][nixos-org] org as the GitHub owner (and thus that the dependency isn't a fork or non-upstream variant)
+## Parameters
 
-If you're running it locally, Nix Flake Checker reports any issues via text output in your terminal.
-But you can also use Nix Flake Checker [in CI](#the-flake-checker-action).
+By default, Flake Checker verifies that:
+
+- Any explicit Nixpkgs Git refs are in the [supported list](#supported-branches).
+- Any Nixpkgs dependencies are less than 30 days old.
+- Any Nixpkgs dependencies have the [`NixOS`][nixos-org] org as the GitHub owner (and thus that the dependency isn't a fork or non-upstream variant).
+
+You can adjust this behavior via configuration (all are enabled by default but you can disable them):
+
+Flag | Environment variable | Action | Default
+:----|:---------------------|:-------|:-------
+`--check-outdated` | `NIX_FLAKE_CHECKER_CHECK_OUTDATED` | Check for outdated Nixpkgs inputs | `true`
+`--check-owner` | `NIX_FLAKE_CHECKER_CHECK_OWNER` | Check that Nixpkgs inputs have `NixOS` as the GitHub owner | `true`
+`--check-supported` | `NIX_FLAKE_CHECKER_CHECK_SUPPORTED` | Check that Git refs for Nixpkgs inputs are supported | `true`
+
+## Policy conditions
+
+You can apply a CEL condition to your flake using the `--condition` flag.
+Here's an example:
+
+```shell
+flake-checker --condition "num_days_old < 365"
+```
+
+This would check that each Nixpkgs input in your `flake.lock` is less than 365 days old.
+These variables are available in each condition:
+
+Variable | Description
+:--------|:-----------
+`git_ref` | The Git reference of the input.
+`num_days_old` | The number of days old the input is.
+`owner` | The input's owner (if a GitHub input).
+`supported_refs` | A list of [supported Git refs](#supported-branches) (all are branch names).
+
+Here are some example conditions:
+
+Condition | Description
+:---------|:-----------
+`supported_refs.contains(git_ref)` | The Git ref is in the supported refs.
 
 ## The Nix Flake Checker Action
 

flake.nix

@@ -57,10 +57,10 @@
               runtimeInputs = [ cranePkgs.rustNightly ];
               text = "cargo fmt --check";
             };
-            get-allowed-refs = pkgs.writeShellApplication {
-              name = "get-allowed-refs";
+            get-supported-refs = pkgs.writeShellApplication {
+              name = "get-supported-refs";
               runtimeInputs = [ cranePkgs.rustNightly ];
-              text = "cargo run --features allowed-refs -- --get-allowed-refs";
+              text = "cargo run --features supported-refs -- --get-supported-refs";
             };
           in
           pkgs.mkShell {
@@ -83,7 +83,7 @@
               check-rustfmt
 
               # Scripts
-              get-allowed-refs
+              get-supported-refs
             ]) ++ pkgs.lib.optionals pkgs.stdenv.isDarwin (with pkgs.darwin.apple_sdk.frameworks; [ Security SystemConfiguration ]);
 
             env = {

src/condition.rs

@@ -27,7 +27,7 @@ pub(super) fn evaluate_condition(
                     .collect::<Vec<Value>>(),
             );
 
-            ctx.add_variable_from_value("allowed_refs", allowed_refs);
+            ctx.add_variable_from_value("supported_refs", allowed_refs);
 
             for (k, v) in nixpkgs_cel_values(repo) {
                 ctx.add_variable_from_value(k, v);

src/flake.rs

@@ -152,7 +152,7 @@ mod test {
         // (n, condition, expected)
         let cases: Vec<(usize, &str, bool)> = vec![(
             0,
-            "has(git_ref) && has(days_old) && has(owner) && has(allowed_refs) && allowed_refs.contains(git_ref) && owner == 'NixOS'",
+            "has(git_ref) && has(days_old) && has(owner) && has(supported_refs) && supported_refs.contains(git_ref) && owner == 'NixOS'",
             true,
         )];
 

src/supported_refs.rs

@@ -0,0 +1,43 @@
+use crate::error::FlakeCheckerError;
+
+use serde::Deserialize;
+
+const SUPPORTED_REFS_URL: &str = "https://prometheus.nixos.org/api/v1/query?query=channel_revision";
+
+#[derive(Deserialize)]
+struct Response {
+    data: Data,
+}
+
+#[derive(Deserialize)]
+struct Data {
+    result: Vec<DataResult>,
+}
+
+#[derive(Deserialize)]
+struct DataResult {
+    metric: Metric,
+}
+
+#[derive(Deserialize)]
+struct Metric {
+    channel: String,
+    current: String,
+}
+
+pub(crate) fn check(supported_refs: Vec<String>) -> Result<bool, FlakeCheckerError> {
+    Ok(get()? == supported_refs)
+}
+
+pub(crate) fn get() -> Result<Vec<String>, FlakeCheckerError> {
+    let officially_supported: Vec<String> = reqwest::blocking::get(SUPPORTED_REFS_URL)?
+        .json::<Response>()?
+        .data
+        .result
+        .iter()
+        .filter(|res| res.metric.current == "1")
+        .map(|res| res.metric.channel.clone())
+        .collect();
+
+    Ok(officially_supported)
+}