build(deps-dev): bump rollup from 4.18.0 to 4.22.4

Bumps [rollup](https://github.com/rollup/rollup) from 4.18.0 to 4.22.4.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v4.18.0...v4.22.4)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

README.md

@@ -185,7 +185,7 @@ git push origin update_flake_lock_action --force
 ### With a Personal Authentication Token
 
 By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
-You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
+You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for "Contents" and "Pull Requests" permissions. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
 
 ```yaml
 name: update-flake-lock

action.yml

@@ -115,7 +115,7 @@ runs:
     - name: Import bot's GPG key for signing commits
       if: ${{ inputs.sign-commits == 'true' }}
       id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
       with:
         gpg_private_key: ${{ inputs.gpg-private-key }}
         fingerprint: ${{ inputs.gpg-fingerprint }}
@@ -190,7 +190,7 @@ runs:
         echo "$DELIMITER" >> $GITHUB_ENV
         echo "GIT_COMMIT_MESSAGE is: ${COMMIT_MESSAGE}"
     - name: Interpolate PR Body
-      uses: pedrolamas/handlebars-action@v2.4.0
+      uses: pedrolamas/handlebars-action@2995d7eadacbc8f2f6ab8431a01d84a5fa3b8bb4 # v2.4.0
       with:
         files: "pr_body.template"
         output-filename: "pr_body.txt"
@@ -207,7 +207,7 @@ runs:
       run: rm -f pr_body.txt pr_body.template
     - name: Create PR
       id: create-pr
-      uses: peter-evans/create-pull-request@v6
+      uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
       with:
         base: ${{ inputs.base }}
         branch: ${{ inputs.branch }}

dist/index.js

@@ -43671,7 +43671,7 @@ module.exports = self => {
 const tls = __nccwpck_require__(4404);
 const http = __nccwpck_require__(3685);
 const https = __nccwpck_require__(5687);
-const JSStreamSocket = __nccwpck_require__(8679);
+const JSStreamSocket = __nccwpck_require__(3595);
 const {globalAgent} = __nccwpck_require__(1840);
 const UnexpectedStatusCodeError = __nccwpck_require__(8859);
 const initialize = __nccwpck_require__(4031);
@@ -43860,7 +43860,7 @@ module.exports = Http2OverHttp2;
 
 
 const {Agent} = __nccwpck_require__(1840);
-const JSStreamSocket = __nccwpck_require__(8679);
+const JSStreamSocket = __nccwpck_require__(3595);
 const UnexpectedStatusCodeError = __nccwpck_require__(8859);
 const initialize = __nccwpck_require__(4031);
 
@@ -44129,7 +44129,7 @@ module.exports = header => {
 
 /***/ }),
 
-/***/ 8679:
+/***/ 3595:
 /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
 
 
@@ -76944,7 +76944,7 @@ module.exports.implForWrapper = function (wrapper) {
   var builder, defaults, escapeCDATA, requiresCDATA, wrapCDATA,
     hasProp = {}.hasOwnProperty;
 
-  builder = __nccwpck_require__(3595);
+  builder = __nccwpck_require__(9399);
 
   defaults = (__nccwpck_require__(4617).defaults);
 
@@ -81851,7 +81851,7 @@ module.exports.implForWrapper = function (wrapper) {
 
 /***/ }),
 
-/***/ 3595:
+/***/ 9399:
 /***/ (function(module, __unused_webpack_exports, __nccwpck_require__) {
 
 // Generated by CoffeeScript 1.12.7
@@ -86333,10 +86333,6 @@ var external_node_util_ = __nccwpck_require__(7261);
 var external_os_ = __nccwpck_require__(2037);
 ;// CONCATENATED MODULE: external "node:crypto"
 const external_node_crypto_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:crypto");
-;// CONCATENATED MODULE: external "node:dns/promises"
-const promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:dns/promises");
-// EXTERNAL MODULE: ./node_modules/.pnpm/@actions+cache@3.2.4/node_modules/@actions/cache/lib/cache.js
-var cache = __nccwpck_require__(6878);
 ;// CONCATENATED MODULE: ./node_modules/.pnpm/@sindresorhus+is@6.3.1/node_modules/@sindresorhus/is/dist/index.js
 const typedArrayTypeNames = [
     'Int8Array',
@@ -87768,7 +87764,7 @@ class PCancelable {
 
 Object.setPrototypeOf(PCancelable.prototype, Promise.prototype);
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/errors.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/errors.js
 
 // A hacky check to prevent circular references.
 function isRequest(x) {
@@ -89858,13 +89854,13 @@ getContentLength_fn = function() {
 };
 
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/is-form-data.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/is-form-data.js
 
 function is_form_data_isFormData(body) {
     return dist.nodeStream(body) && dist.function_(body.getBoundary);
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/get-body-size.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/get-body-size.js
 
 
 
@@ -89888,7 +89884,7 @@ async function getBodySize(body, headers) {
     return undefined;
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/proxy-events.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/proxy-events.js
 function proxyEvents(from, to, events) {
     const eventFunctions = {};
     for (const event of events) {
@@ -89907,7 +89903,7 @@ function proxyEvents(from, to, events) {
 
 ;// CONCATENATED MODULE: external "node:net"
 const external_node_net_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:net");
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/unhandle.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/unhandle.js
 // When attaching listeners, it's very easy to forget about them.
 // Especially if you do error handling and set timeouts.
 // So instead of checking if it's proper to throw an error on every timeout ever,
@@ -89929,7 +89925,7 @@ function unhandle() {
     };
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/timed-out.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/timed-out.js
 
 
 const reentry = Symbol('reentry');
@@ -90060,7 +90056,7 @@ function timedOut(request, delays, options) {
     return cancelTimeouts;
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/url-to-options.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/url-to-options.js
 
 function urlToOptions(url) {
     // Cast to URL
@@ -90084,7 +90080,7 @@ function urlToOptions(url) {
     return options;
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/weakable-map.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/weakable-map.js
 class WeakableMap {
     weakMap;
     map;
@@ -90114,7 +90110,7 @@ class WeakableMap {
     }
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/calculate-retry-delay.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/calculate-retry-delay.js
 const calculateRetryDelay = ({ attemptCount, retryOptions, error, retryAfter, computedValue, }) => {
     if (error.name === 'RetryError') {
         return 1;
@@ -90601,7 +90597,7 @@ class CacheableLookup {
 
 // EXTERNAL MODULE: ./node_modules/.pnpm/http2-wrapper@2.2.1/node_modules/http2-wrapper/source/index.js
 var http2_wrapper_source = __nccwpck_require__(9695);
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/parse-link-header.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/parse-link-header.js
 function parseLinkHeader(link) {
     const parsed = [];
     const items = link.split(',');
@@ -90636,7 +90632,7 @@ function parseLinkHeader(link) {
     return parsed;
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/options.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/options.js
 
 
 
@@ -92273,7 +92269,7 @@ class Options {
     }
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/response.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/response.js
 
 const isResponseOk = (response) => {
     const { statusCode } = response;
@@ -92316,19 +92312,19 @@ const parseBody = (response, responseType, parseJson, encoding) => {
     }, response);
 };
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/is-client-request.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/is-client-request.js
 function isClientRequest(clientRequest) {
     return clientRequest.writable && !clientRequest.writableEnded;
 }
 /* harmony default export */ const is_client_request = (isClientRequest);
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/utils/is-unix-socket-url.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/utils/is-unix-socket-url.js
 // eslint-disable-next-line @typescript-eslint/naming-convention
 function isUnixSocketURL(url) {
     return url.protocol === 'unix:' || url.hostname === 'unix';
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/core/index.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/core/index.js
 
 
 
@@ -93332,7 +93328,7 @@ class Request extends external_node_stream_.Duplex {
     }
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/as-promise/types.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/as-promise/types.js
 
 /**
 An error to be thrown when the request is aborted with `.cancel()`.
@@ -93351,7 +93347,7 @@ class types_CancelError extends RequestError {
     }
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/as-promise/index.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/as-promise/index.js
 
 
 
@@ -93517,7 +93513,7 @@ function asPromise(firstRequest) {
     return promise;
 }
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/create.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/create.js
 
 
 
@@ -93702,7 +93698,7 @@ const create = (defaults) => {
 };
 /* harmony default export */ const source_create = (create);
 
-;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.3.0/node_modules/got/dist/source/index.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/got@14.4.0/node_modules/got/dist/source/index.js
 
 
 const defaults = {
@@ -93725,6 +93721,10 @@ const got = source_create(defaults);
 
 
 
+;// CONCATENATED MODULE: external "node:dns/promises"
+const promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:dns/promises");
+// EXTERNAL MODULE: ./node_modules/.pnpm/@actions+cache@3.2.4/node_modules/@actions/cache/lib/cache.js
+var cache = __nccwpck_require__(6878);
 ;// CONCATENATED MODULE: external "node:child_process"
 const external_node_child_process_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:child_process");
 ;// CONCATENATED MODULE: external "node:fs/promises"
@@ -93735,7 +93735,7 @@ const external_node_path_namespaceObject = __WEBPACK_EXTERNAL_createRequire(impo
 const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
 ;// CONCATENATED MODULE: external "node:zlib"
 const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
-;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@fe64ba33b4bdeec0991bb65ae00420bf68b9954c_ler7zqcm5mrt635umsvjcuxcmy/node_modules/detsys-ts/dist/index.js
+;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@bc45b6c0a6318ae30192c4bf23a73dc879bdb632_gnkvhsupsr4227wkpq3ncrmpsq/node_modules/detsys-ts/dist/index.js
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -94053,6 +94053,7 @@ function stringifyError(e) {
 // src/ids-host.ts
 
 
+
 var DEFAULT_LOOKUP = "_detsys_ids._tcp.install.determinate.systems.";
 var ALLOWED_SUFFIXES = [
   ".install.determinate.systems",
@@ -94060,11 +94061,56 @@ var ALLOWED_SUFFIXES = [
 ];
 var DEFAULT_IDS_HOST = "https://install.determinate.systems";
 var LOOKUP = process.env["IDS_LOOKUP"] ?? DEFAULT_LOOKUP;
+var DEFAULT_TIMEOUT = 3e4;
 var IdsHost = class {
   constructor(idsProjectName, diagnosticsSuffix, runtimeDiagnosticsUrl) {
     this.idsProjectName = idsProjectName;
     this.diagnosticsSuffix = diagnosticsSuffix;
     this.runtimeDiagnosticsUrl = runtimeDiagnosticsUrl;
+    this.client = void 0;
+  }
+  async getGot(recordFailoverCallback) {
+    if (this.client === void 0) {
+      this.client = got_dist_source.extend({
+        timeout: {
+          request: DEFAULT_TIMEOUT
+        },
+        retry: {
+          limit: (await this.getUrlsByPreference()).length,
+          methods: ["GET", "HEAD"]
+        },
+        hooks: {
+          beforeRetry: [
+            async (error3, retryCount) => {
+              const prevUrl = await this.getRootUrl();
+              this.markCurrentHostBroken();
+              const nextUrl = await this.getRootUrl();
+              if (recordFailoverCallback !== void 0) {
+                recordFailoverCallback(prevUrl, nextUrl);
+              }
+              core.info(
+                `Retrying after error ${error3.code}, retry #: ${retryCount}`
+              );
+            }
+          ],
+          beforeRequest: [
+            async (options) => {
+              const currentUrl = options.url;
+              if (this.isUrlSubjectToDynamicUrls(currentUrl)) {
+                const newUrl = new URL(currentUrl);
+                const url = await this.getRootUrl();
+                newUrl.host = url.host;
+                options.url = newUrl;
+                core.debug(`Transmuted ${currentUrl} into ${newUrl}`);
+              } else {
+                core.debug(`No transmutations on ${currentUrl}`);
+              }
+            }
+          ]
+        }
+      });
+    }
+    return this.client;
   }
   markCurrentHostBroken() {
     this.prioritizedURLs?.shift();
@@ -94072,6 +94118,17 @@ var IdsHost = class {
   setPrioritizedUrls(urls) {
     this.prioritizedURLs = urls;
   }
+  isUrlSubjectToDynamicUrls(url) {
+    if (url.origin === DEFAULT_IDS_HOST) {
+      return true;
+    }
+    for (const suffix of ALLOWED_SUFFIXES) {
+      if (url.host.endsWith(suffix)) {
+        return true;
+      }
+    }
+    return false;
+  }
   async getDynamicRootUrl() {
     const idsHost = process.env["IDS_HOST"];
     if (idsHost !== void 0) {
@@ -94392,7 +94449,6 @@ function noisilyGetInput(suffix, legacyPrefix) {
 
 
 
-
 var EVENT_EXCEPTION = "exception";
 var EVENT_ARTIFACT_CACHE_HIT = "artifact_cache_hit";
 var EVENT_ARTIFACT_CACHE_MISS = "artifact_cache_miss";
@@ -94438,23 +94494,8 @@ var DetSysAction = class {
     this.nixStoreTrust = "unknown";
     this.strictMode = getBool("_internal-strict-mode");
     this.features = {};
-    this.featureEventMetadata = /* @__PURE__ */ new Map();
+    this.featureEventMetadata = {};
     this.events = [];
-    this.client = got_dist_source.extend({
-      retry: {
-        limit: 3,
-        methods: ["GET", "HEAD"]
-      },
-      hooks: {
-        beforeRetry: [
-          (error3, retryCount) => {
-            core.info(
-              `Retrying after error ${error3.code}, retry #: ${retryCount}`
-            );
-          }
-        ]
-      }
-    });
     this.facts = {
       $lib: "idslib",
       $lib_version: version,
@@ -94638,6 +94679,14 @@ var DetSysAction = class {
       await this.complete();
     }
   }
+  async getClient() {
+    return await this.idsHost.getGot((prevUrl, nextUrl) => {
+      this.recordEvent("ids-failover", {
+        previousUrl: prevUrl.toString(),
+        nextUrl: nextUrl.toString()
+      });
+    });
+  }
   async checkIn() {
     const checkin = await this.requestCheckIn();
     if (checkin === void 0) {
@@ -94645,7 +94694,7 @@ var DetSysAction = class {
     }
     this.features = checkin.options;
     for (const [key, feature] of Object.entries(this.features)) {
-      this.featureEventMetadata.set(key, feature.variant);
+      this.featureEventMetadata[key] = feature.variant;
     }
     const impactSymbol = /* @__PURE__ */ new Map([
       ["none", "\u26AA"],
@@ -94714,7 +94763,7 @@ var DetSysAction = class {
           "correlation",
           JSON.stringify(this.identity)
         );
-        return await this.client.get(checkInUrl, {
+        return (await this.getClient()).get(checkInUrl, {
           timeout: {
             request: CHECK_IN_ENDPOINT_TIMEOUT_MS
           }
@@ -94750,7 +94799,7 @@ var DetSysAction = class {
         "correlation",
         JSON.stringify(this.identity)
       );
-      const versionCheckup = await this.client.head(correlatedUrl);
+      const versionCheckup = await (await this.getClient()).head(correlatedUrl);
       if (versionCheckup.headers.etag) {
         const v = versionCheckup.headers.etag;
         this.addFact(FACT_SOURCE_URL_ETAG, v);
@@ -94769,7 +94818,7 @@ var DetSysAction = class {
         `No match from the cache, re-fetching from the redirect: ${versionCheckup.url}`
       );
       const destFile = this.getTemporaryName();
-      const fetchStream = this.client.stream(versionCheckup.url);
+      const fetchStream = (await this.getClient()).stream(versionCheckup.url);
       await (0,external_node_stream_promises_namespaceObject.pipeline)(
         fetchStream,
         (0,external_node_fs_namespaceObject.createWriteStream)(destFile, {
@@ -94987,32 +95036,16 @@ var DetSysAction = class {
       events: this.events
     };
     try {
-      await this.client.post(diagnosticsUrl, {
+      await (await this.getClient()).post(diagnosticsUrl, {
         json: batch,
         timeout: {
           request: DIAGNOSTIC_ENDPOINT_TIMEOUT_MS
         }
       });
-    } catch (e) {
+    } catch (err) {
       core.debug(
-        `Error submitting diagnostics event: ${stringifyError2(e)}`
+        `Error submitting diagnostics event to ${diagnosticsUrl}: ${stringifyError2(err)}`
       );
-      this.idsHost.markCurrentHostBroken();
-      const secondaryDiagnosticsUrl = await this.idsHost.getDiagnosticsUrl();
-      if (secondaryDiagnosticsUrl !== void 0) {
-        try {
-          await this.client.post(secondaryDiagnosticsUrl, {
-            json: batch,
-            timeout: {
-              request: DIAGNOSTIC_ENDPOINT_TIMEOUT_MS
-            }
-          });
-        } catch (err) {
-          core.debug(
-            `Error submitting diagnostics event to secondary host (${secondaryDiagnosticsUrl}): ${stringifyError2(err)}`
-          );
-        }
-      }
     }
     this.events = [];
   }
@@ -95053,8 +95086,13 @@ function makeNixCommandArgs(nixOptions, flakeInputs, commitMessage) {
     "--update-input",
     input
   ]);
+  const lockfileSummaryFlags = [
+    "--option",
+    "commit-lockfile-summary",
+    commitMessage
+  ];
   const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
-  return nixOptions.concat(["flake", updateLockMechanism]).concat(flakeInputFlags).concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+  return nixOptions.concat(["flake", updateLockMechanism]).concat(flakeInputFlags).concat(["--commit-lock-file"]).concat(lockfileSummaryFlags);
 }
 
 // src/index.ts

src/nix.test.ts

@@ -24,7 +24,8 @@ test("Nix command arguments", () => {
         "flake",
         "update",
         "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
         "just testing",
       ],
     },
@@ -42,7 +43,8 @@ test("Nix command arguments", () => {
         "--update-input",
         "rust-overlay",
         "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
         "just testing",
       ],
     },
@@ -57,7 +59,8 @@ test("Nix command arguments", () => {
         "flake",
         "update",
         "--commit-lock-file",
-        "--commit-lockfile-summary",
+        "--option",
+        "commit-lockfile-summary",
         "just testing",
       ],
     },

src/nix.ts

@@ -9,10 +9,23 @@ export function makeNixCommandArgs(
     input,
   ]);
 
+  // NOTE(cole-h): In Nix versions 2.23.0 and later, `commit-lockfile-summary` became an alias to
+  // the setting `commit-lock-file-summary` (https://github.com/NixOS/nix/pull/10691), and Nix does
+  // not treat aliases the same as their "real" setting by requiring setting aliases to be
+  // configured via `--option <alias name> <option value>`
+  // (https://github.com/NixOS/nix/issues/10989).
+  // So, we go the long way so that we can support versions both before and after Nix 2.23.0.
+  const lockfileSummaryFlags = [
+    "--option",
+    "commit-lockfile-summary",
+    commitMessage,
+  ];
+
   const updateLockMechanism = flakeInputFlags.length === 0 ? "update" : "lock";
 
   return nixOptions
     .concat(["flake", updateLockMechanism])
     .concat(flakeInputFlags)
-    .concat(["--commit-lock-file", "--commit-lockfile-summary", commitMessage]);
+    .concat(["--commit-lock-file"])
+    .concat(lockfileSummaryFlags);
 }