Fix GitHub API rate limiting in cli-tests (#2731)

## Problem

The cli-tests on the `main` branch have been failing intermittently in
GitHub Actions since at least October 7, 2025, due to GitHub API rate
limiting when Nix attempts to fetch nixpkgs metadata.

### Error Message
```
unable to download 'https://api.github.com/repos/NixOS/nixpkgs/commits/nixpkgs-unstable': HTTP error 403
API rate limit exceeded for 13.105.49.133.
```

Despite having `GITHUB_TOKEN` configured in both `NIX_CONFIG`
environment variable and `~/.config/nix/nix.conf`, the tests were still
hitting unauthenticated rate limits.

## Root Cause

On macOS runners, the Nix daemon:
- Runs as a different user (not the runner user)
- Reads `/etc/nix/nix.conf` instead of the user's
`~/.config/nix/nix.conf`
- Doesn't inherit environment variables from the runner

This meant that while `nix show-config` showed the access token was
configured, the daemon wasn't actually using it when making GitHub API
requests.

## Solution

This PR implements a two-pronged approach:

### 1. Configure Nix Daemon Properly (Primary Fix)
- On macOS runners, configure `/etc/nix/nix.conf` with the GitHub token
- Ensure the directory and file exist before writing
- Restart the Nix daemon to pick up the new configuration
- In `auto-nix-install` job, configure AFTER Nix is installed (not
before)

### 2. Pass Token via Command-Line Options (Backup)
- Modify `internal/nix/command.go` to pass `--option access-tokens
github.com=$GITHUB_TOKEN` in all nix commands
- This ensures the token is used even if config files aren't picked up
properly

## Changes

- `.github/workflows/cli-tests.yaml`: 
- Update "Setup Nix GitHub authentication" step to ensure
`/etc/nix/nix.conf` exists before writing
- Reorder `auto-nix-install` job to configure Nix AFTER installation
completes
- `internal/nix/command.go`: Add GITHUB_TOKEN to nix command args as
--option access-tokens

## Detailed Analysis

For a comprehensive diagnostic report with evidence, timeline, and
alternative solutions considered, see:
**[CLI Tests Failure
Report](https://gist.github.com/savil/e8a527aa70e38ab588a1bd46103123bd)**

## Note on Reproduction

The issue is specific to GitHub Actions environment and cannot be easily
reproduced locally:
- Requires GitHub Actions runner IP pool hitting rate limits
- Intermittent based on shared quota across GitHub Actions
- Depends on macOS Nix daemon configuration

This PR validates the fix directly in CI/CD where the issue occurs.

Fixes the intermittent test failures that have been occurring since
October 7, 2025.

---------

Co-authored-by: Claude <[email protected]>

Author: savil

.github/workflows/cli-tests.yaml

@@ -181,6 +181,25 @@ jobs:
       - name: Setup Nix GitHub authentication
         run: |
           # Setup github authentication to ensure Github's rate limits are not hit
+          # For macOS, we need to configure the system-wide nix.conf because the Nix daemon
+          # runs as a different user and doesn't read the user's ~/.config/nix/nix.conf
+          if [ "$RUNNER_OS" == "macOS" ]; then
+            echo "Configuring system-wide Nix config for macOS daemon"
+            # Ensure /etc/nix directory exists
+            if [ ! -d /etc/nix ]; then
+              sudo mkdir -p /etc/nix
+            fi
+            # Check if file exists, create it if not
+            if [ ! -f /etc/nix/nix.conf ]; then
+              echo "# Nix configuration" | sudo tee /etc/nix/nix.conf > /dev/null
+            fi
+            echo "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" | sudo tee -a /etc/nix/nix.conf
+            # Restart nix daemon to pick up the new configuration
+            sudo launchctl stop org.nixos.nix-daemon || true
+            sudo launchctl start org.nixos.nix-daemon || true
+            sleep 2  # Give daemon time to restart
+          fi
+          # For Linux and as a backup for macOS, also configure user config
           mkdir -p ~/.config/nix
           echo "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" > ~/.config/nix/nix.conf
       - name: Run fast tests
@@ -222,12 +241,28 @@ jobs:
           export NIX_INSTALLER_NO_CHANNEL_ADD=1
           export DEVBOX_FEATURE_DETSYS_INSTALLER=${{ matrix.use-detsys }}
 
-          # Setup github authentication to ensure Github's rate limits are not hit.
-          # If this works, we can consider refactoring this into a reusable github action helper.
+          # Setup github authentication BEFORE running devbox to ensure Github's rate limits are not hit.
+          # Configure user config first (Nix installer will respect this)
           mkdir -p ~/.config/nix
           echo "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" > ~/.config/nix/nix.conf
 
+          # Run devbox which will auto-install Nix if needed
           devbox run echo "Installing packages..."
+
+          # After Nix is installed, configure system-wide config for the daemon on macOS
+          if [ "$RUNNER_OS" == "macOS" ]; then
+            echo "Configuring system-wide Nix config for macOS daemon"
+            # Check if file exists, create directory if needed
+            if [ ! -f /etc/nix/nix.conf ]; then
+              sudo mkdir -p /etc/nix
+              echo "# Nix configuration" | sudo tee /etc/nix/nix.conf > /dev/null
+            fi
+            echo "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" | sudo tee -a /etc/nix/nix.conf
+            # Restart nix daemon to pick up the new configuration
+            sudo launchctl stop org.nixos.nix-daemon || true
+            sudo launchctl start org.nixos.nix-daemon || true
+            sleep 2  # Give daemon time to restart
+          fi
       - name: Test removing package
         run: devbox rm go
 

internal/nix/command.go

@@ -1,10 +1,19 @@
 package nix
 
+import "os"
+
 func init() {
 	Default.ExtraArgs = Args{
 		"--extra-experimental-features", "ca-derivations",
 		"--option", "experimental-features", "nix-command flakes fetch-closure",
 	}
+
+	// Add GitHub access token if available to avoid rate limiting
+	// This is a backup in case the config file isn't picked up properly
+	if token := os.Getenv("GITHUB_TOKEN"); token != "" {
+		Default.ExtraArgs = append(Default.ExtraArgs,
+			"--option", "access-tokens", "github.com="+token)
+	}
 }
 
 func appendArgs[E any](args Args, new []E) Args {