From 8393ede275e6bd43b4f9817796731cc4088cb67f Mon Sep 17 00:00:00 2001
From: Louis Opter <louis@andyl.com>
Date: Fri, 12 Dec 2025 20:52:33 +0000
Subject: [PATCH 1/2] github-runner: fix warnings from `nixd`"

---
 modules/services/github-runner/service.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix
index 51658d6..10fac86 100644
--- a/modules/services/github-runner/service.nix
+++ b/modules/services/github-runner/service.nix
@@ -2,8 +2,8 @@
 
 let
   inherit (lib) any attrValues boolToString concatStringsSep escapeShellArg
-    flatten flip getExe getExe' hasAttr hasPrefix mapAttrsToList mapAttrs' mkBefore
-    mkDefault mkIf mkMerge nameValuePair optionalAttrs optionalString replaceStrings;
+    flatten flip getExe getExe' hasPrefix mapAttrsToList mapAttrs' mkBefore
+    mkDefault mkIf mkMerge nameValuePair optionalString replaceStrings;
 
   mkSvcName = name: "github-runner-${name}";
   mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}";
@@ -54,7 +54,7 @@ in
     in
     {
       launchd = mkIf cfg.enable {
-        text = mkBefore (''
+        text = mkBefore ''
           echo >&2 "setting up GitHub Runner '${cfg.name}'..."
 
           # shellcheck disable=SC2174
@@ -70,7 +70,7 @@ in
             ${getExe' pkgs.coreutils "mkdir"} -p -m u=rwx,g=rx,o= ${escapeShellArg (mkWorkDir cfg)}
             ${getExe' pkgs.coreutils "chown"} ${user}:${group} ${escapeShellArg (mkWorkDir cfg)}
           ''}
-        '');
+        '';
       };
     }));
 

From a58dd30d2be0845295c61fa4ff98ff7fd082f9d1 Mon Sep 17 00:00:00 2001
From: Louis Opter <louis@andyl.com>
Date: Fri, 12 Dec 2025 20:52:37 +0000
Subject: [PATCH 2/2] github-runner: canonicalizes `workDir` to fix
 `actions/checkout@v6`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We ran into this issue wherein GitHub's `actions/checkout` would fail
because `git-config` would fail to include additional configuration.

The symptom was:

```
Error: fatal: could not read Username for 'https://github.com': terminal prompts disabled
```

And is caused by `git config --local includeIf.gitdir:/var/lib/github-runners/_work/…`.

Wherein `git` apparently resolves (canonicalizes) the current repository
path which then does not match the argument for `includeIf.gitdir` which
then means the configuration that `actions/checkout` is trying to apply
does not get pulled in, which then prevents git from authenticating with
GitHub and fails the build.

Ngl, gemini 3 found that out for me.

We could prefix `/private` everywhere, but changing the user's home
directory is going to [be tricky], not sure what do to about that.

[be tricky]: https://github.com/nix-darwin/nix-darwin/blob/7e22bf538aa3e0937effcb1cee73d5f1bcc26f79/modules/users/default.nix#L208
---
 modules/services/github-runner/service.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services/github-runner/service.nix b/modules/services/github-runner/service.nix
index 10fac86..9dd9b20 100644
--- a/modules/services/github-runner/service.nix
+++ b/modules/services/github-runner/service.nix
@@ -8,7 +8,7 @@ let
   mkSvcName = name: "github-runner-${name}";
   mkStateDir = cfg: "/var/lib/github-runners/${cfg.name}";
   mkLogDir = cfg: "/var/log/github-runners/${cfg.name}";
-  mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/var/lib/github-runners/_work/${cfg.name}";
+  mkWorkDir = cfg: if (cfg.workDir != null) then cfg.workDir else "/private/var/lib/github-runners/_work/${cfg.name}";
 in
 {
   config.assertions = flatten (