Pin Renovate Earthly download #7387

Merged
phisco merged 1 commit into crossplane:main from phisco:renovate-pin-earthly-download
May 13, 2026

Contributor

@phisco phisco commented May 13, 2026

Description of your changes

This PR makes the Earthly binary used by self-hosted Renovate come from the repository's pinned Nix flake instead of downloading it from GitHub releases at workflow runtime.

The Renovate workflow runs a custom entrypoint that installs Earthly before running Renovate. Previously that entrypoint downloaded Earthly from the mutable latest release URL. This PR exposes pkgs.earthly as a flake package and installs it with nix profile install .#earthly, so the Earthly package is selected from the nixpkgs revision pinned in flake.lock.

earthly does not appear by name in flake.lock; flake.lock pins the nixpkgs input, and .#earthly resolves pkgs.earthly from that pinned input. Future Earthly updates will therefore happen through the normal Renovate-managed flake lock update path.

Validation run:

bash -n .github/renovate-entrypoint.sh
nix eval --raw .#earthly.version
npm exec --yes --package "renovate@42.99.0" -- renovate-config-validator .github/renovate.json5

Fixes #

I have:

@phisco phisco requested a review from a team as a code owner May 13, 2026 13:52
@phisco phisco requested a review from negz May 13, 2026 13:52
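
The description's point that flake.lock pins the nixpkgs input, not Earthly by name, can be checked mechanically. This is an added example, not code from this PR or the Crossplane repository: it walks a constructed flake.lock (placeholder rev and narHash, hypothetical `tools` input) and reports what each input is locked to; requiring both a rev and a narHash is this example's own policy.

```python
import json

# Constructed flake.lock (version 7 layout). The rev and narHash values are
# placeholders, and the "tools" input is hypothetical.
SAMPLE_LOCK = json.dumps({
    "version": 7,
    "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "tools": "tools"}},
        "nixpkgs": {"locked": {"type": "github", "owner": "NixOS",
                               "repo": "nixpkgs", "rev": "0" * 40,
                               "narHash": "sha256-PLACEHOLDER="},
                    "original": {"type": "github", "owner": "NixOS",
                                 "repo": "nixpkgs", "ref": "nixos-unstable"}},
        # Lock entry with a revision but no content hash.
        "tools": {"locked": {"type": "github", "owner": "example",
                             "repo": "tools", "rev": "1" * 40},
                  "inputs": {"nixpkgs": ["nixpkgs"]}},
    },
})


def resolve(nodes, root, ref):
    """Map an input reference to a node name; a list is a 'follows' path from root."""
    if isinstance(ref, str):
        return ref
    name = root
    for step in ref:
        name = resolve(nodes, root, nodes[name]["inputs"][step])
    return name


def audit_lock(lock_text):
    """Return ({input: (rev, narHash)}, [problems]) for every reachable input."""
    lock = json.loads(lock_text)
    nodes, root = lock["nodes"], lock["root"]
    pins, problems, queue = {}, [], [root]
    while queue:
        name = queue.pop()
        if name in pins:
            continue
        locked = nodes[name].get("locked", {})
        pins[name] = (locked.get("rev"), locked.get("narHash"))
        # Example policy: every non-root input needs a revision and a content hash.
        if name != root and not (pins[name][0] and pins[name][1]):
            problems.append(f"{name}: missing rev or narHash")
        for ref in nodes[name].get("inputs", {}).values():
            queue.append(resolve(nodes, root, ref))
    del pins[root]
    return pins, problems
```

No `earthly` key appears in the result: the package version is whatever `pkgs.earthly` is at the locked nixpkgs revision.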

coderabbitai Bot commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 242e617 and 6d7a428.

📒 Files selected for processing (2)
  • .github/renovate-entrypoint.sh
  • flake.nix

📝 Walkthrough

The flake now exposes an earthly package, and the Renovate entrypoint script now installs Nix, installs Earthly from the repository flake via nix profile install .#earthly, and runs earthly bootstrap instead of downloading Earthly from GitHub releases.

Changes

Earthly via Nix profile installation

| Layer / File(s) | Summary |
| --- | --- |
| Expose earthly in flake packages (flake.nix) | Add earthly = pkgs.earthly; to the per-system packages attribute set so the flake provides a pinned .#earthly package. |
| Use Nix to install Earthly and run bootstrap (.github/renovate-entrypoint.sh) | Replace the earlier inline Earthly download section with an “Install Nix” placement change and add nix profile install .#earthly followed by earthly bootstrap. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • crossplane/crossplane#7058: Related changes to .github/renovate-entrypoint.sh and Nix/flake configuration to enable Nix-based commands and flake usage.

Suggested reviewers

  • jbw976

Thank you for the change — would you like me to check for any CI config that ensures Nix flakes and nix-command are enabled on the runners?

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and descriptively summarizes the main change: pinning Earthly to use the flake's pinned version instead of downloading it at runtime. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing detailed context about why Earthly installation is moving to the Nix flake and how the change works. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Breaking Changes | ✅ Passed | The check applies only to 'apis/' and 'cmd/'. This PR modifies '.github/renovate-entrypoint.sh' and 'flake.nix'; neither falls within scope. |
| Feature Gate Requirement | ✅ Passed | Infrastructure/CI changes only. Modifies renovate-entrypoint.sh and flake.nix to pin Earthly via Nix. No new experimental features, no APIs/** changes, no new application behavior. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/renovate-entrypoint.sh:
- Around line 10-12: Download is written directly to /usr/local/bin/earthly
without retries or atomic replace; change the flow to: use mktemp to create a
temporary file, use curl with retry and timeout flags (--retry, --retry-delay,
--retry-all-errors, --connect-timeout, --max-time) to download into that temp
file, run the existing sha256sum validation against EARTHLY_LINUX_AMD64_SHA256
on the temp file, and only on success use install (or mv with appropriate
permissions) to atomically move the validated temp file to
/usr/local/bin/earthly (and set executable bit). Update the script around the
EARTHLY_VERSION download block and the curl invocation to reference the temp
file and include retries/timeouts.

📥 Commits

Reviewing files that changed from the base of the PR and between f6cf02b and 668c0f5.

📒 Files selected for processing (1)
  • .github/renovate-entrypoint.sh

Comment thread .github/renovate-entrypoint.sh Outdated
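
The flow the inline comment above asks for (temporary file, retried download, checksum validation, atomic move into place) is sketched here as an added example; it is not code from the PR or from CodeRabbit. It is written in Python rather than the script's bash so that it runs offline against a constructed local file served through a `file://` URL; the function name, parameters and sample payload are assumptions.

```python
import hashlib, os, tempfile, time, urllib.request
from pathlib import Path


def fetch_verify_install(url, expected_sha256, dest, retries=3, delay=1.0, timeout=30):
    """Download url to a temp file, check its SHA-256, then atomically install it."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    # Temp file in the destination directory so os.replace() stays on one filesystem.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".download-")
    try:
        with os.fdopen(fd, "wb") as out:
            for attempt in range(1, retries + 1):
                try:
                    out.seek(0)
                    out.truncate()  # discard bytes from a failed attempt
                    digest = hashlib.sha256()
                    with urllib.request.urlopen(url, timeout=timeout) as resp:
                        for chunk in iter(lambda: resp.read(65536), b""):
                            digest.update(chunk)
                            out.write(chunk)
                    break
                except OSError:  # URLError and socket timeouts are OSError subclasses
                    if attempt == retries:
                        raise
                    time.sleep(delay)
        if digest.hexdigest() != expected_sha256.lower():
            raise ValueError("SHA-256 mismatch, refusing to install")
        os.chmod(tmp, 0o755)
        os.replace(tmp, dest)  # dest never holds a partial or unverified file
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)  # only true when the download or the check failed


def demo():
    """Install a constructed local artifact through a file:// URL (no network)."""
    workdir = tempfile.mkdtemp()
    src = Path(workdir, "artifact.bin")
    src.write_bytes(b"constructed test payload\n")
    pinned = hashlib.sha256(src.read_bytes()).hexdigest()  # stands in for a pinned hash
    dest = os.path.join(workdir, "earthly")
    fetch_verify_install(src.as_uri(), pinned, dest)
    return Path(dest).read_bytes()


if __name__ == "__main__":
    print(demo())
```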
Member

@jbw976 jbw976 left a comment

thanks for this @phisco - happy to take any PRs like this that pin to specific versions. just a few questions, but approving now too.

do we remove this eventually when we no longer have a supported release branch that uses earthly? (v2.2 is oldest release using Nix, all older ones use Earthly)

is this something we can make renovate update over time too? or not so important because earthly won't be getting any updates...🤔

@jbw976 jbw976 moved this to In Review in Crossplane Roadmap May 13, 2026
@jbw976 jbw976 added this to the v2.3 milestone May 13, 2026
@phisco phisco force-pushed the renovate-pin-earthly-download branch 2 times, most recently from 78b1bb4 to 242e617 Compare May 13, 2026 15:43
Signed-off-by: Philippe Scorsolini <5697904+phisco@users.noreply.github.com>
@phisco phisco force-pushed the renovate-pin-earthly-download branch from 242e617 to 6d7a428 Compare May 13, 2026 17:07
Contributor Author

phisco commented May 13, 2026

@jbw976 reworked, turns out the best way to pin it is to use nix itself. so the change got smaller 🎉 as always with these things, we need to see it run before actually being sure it's running, so I'll keep an eye on ci once it gets merged

@phisco phisco merged commit e59e33b into crossplane:main May 13, 2026
23 checks passed
@github-project-automation github-project-automation Bot moved this from In Review to Done in Crossplane Roadmap May 13, 2026