From c254ccf21786619ce1f4bc3e99688b797d84c4a7 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 8 Apr 2026 15:40:24 -0400 Subject: [PATCH 1/5] fix: update nix for https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj --- .github/actions/nix-install-ephemeral/action.yml | 2 +- Dockerfile-15 | 2 +- Dockerfile-17 | 2 +- Dockerfile-multigres | 2 +- Dockerfile-orioledb-17 | 2 +- .../files/admin_api_scripts/pg_upgrade_scripts/initiate.sh | 2 +- ansible/vars.yml | 6 +++--- docs/multigres-image.md | 2 +- ebssurrogate/scripts/qemu-bootstrap-nix.sh | 2 +- nix/docs/start-here.md | 2 +- scripts/nix-provision.sh | 2 +- 11 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index 77da36a70..ea6d26a41 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml @@ -43,7 +43,7 @@ runs: NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }} - uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c with: - installer-version: 2.33.2 + installer-version: 2.33.4 extra-conf: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= diff --git a/Dockerfile-15 b/Dockerfile-15 index aec6e8364..5abb2532c 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 
@@ -27,7 +27,7 @@ extra-experimental-features = nix-command flakes extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF -RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf +RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" WORKDIR /nixpg diff --git a/Dockerfile-17 b/Dockerfile-17 index 121d0557a..965411cc0 100644 --- a/Dockerfile-17 +++ b/Dockerfile-17 @@ -27,7 +27,7 @@ extra-experimental-features = nix-command flakes extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF -RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf +RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/Dockerfile-multigres b/Dockerfile-multigres index 2549d727a..744f0ab8e 100644 --- a/Dockerfile-multigres +++ b/Dockerfile-multigres 
@@ -28,7 +28,7 @@ extra-experimental-features = nix-command flakes extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF -RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf +RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17 index 3cf7a533b..862b67d49 100644 --- a/Dockerfile-orioledb-17 +++ b/Dockerfile-orioledb-17 @@ -27,7 +27,7 @@ extra-experimental-features = nix-command flakes extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF -RUN curl -L https://releases.nixos.org/nix/nix-2.33.2/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf +RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh index 6998376a5..95d13d500 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh 
@@ -297,7 +297,7 @@ function initiate_upgrade { --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" else echo "1.1.1. Installing Nix using the official installer" - sh <(curl -L https://releases.nixos.org/nix/nix-2.33.2/install) --yes --daemon --nix-extra-conf-file /dev/stdin < Date: Wed, 8 Apr 2026 16:05:04 -0400 Subject: [PATCH 2/5] fix: make sure we install right version --- .github/actions/nix-install-ephemeral/action.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index ea6d26a41..35a4101c5 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml @@ -41,9 +41,15 @@ runs: sudo chmod +x /etc/nix/upload-to-cache.sh env: NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }} + - name: Set Nix package URL + shell: bash + run: | + ARCH="$(uname -m)" + OS="$(uname -s | tr '[:upper:]' '[:lower:]')" + echo "NIX_INSTALLER_NIX_PACKAGE_URL=https://releases.nixos.org/nix/nix-2.33.4/nix-2.33.4-${ARCH}-${OS}.tar.xz" >> "$GITHUB_ENV" - uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c with: - installer-version: 2.33.4 + installer-version: 2.33.3 extra-conf: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= From f4b59d124d6945f8ebdb0ca766bdbf6e3768dcbb Mon Sep 17 00:00:00 2001 
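Review bot: `installer-version: 2.33.3` now sits next to a `NIX_INSTALLER_NIX_PACKAGE_URL` that hard-codes 2.33.4, and nothing in the hunk says which of the two decides the Nix binary that ends up installed; given the commit title ("make sure we install right version") a comment stating which value is the effective Nix pin and why the other is deliberately different would stop the next reader from "fixing" one back to match the other. The URL is assembled from `uname -m` and a lower-cased `uname -s` with no check that a tarball exists under that name; if this action ever runs on Apple silicon, `uname -m` reports `arm64` while Nix release tarballs are named with `aarch64`, so either a small `case` mapping or a comment that only Linux runners are expected would make the assumption visible. The version string also appears twice in the `echo`; hoisting it into one `NIX_VERSION="2.33.4"` variable keeps the directory and file name from drifting apart.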
From: Sam Rose Date: Thu, 9 Apr 2026 13:52:21 -0400 Subject: [PATCH 3/5] fix: print nix version on build --- .github/actions/nix-install-ephemeral/action.yml | 3 +++ .github/actions/nix-install-self-hosted/action.yml | 3 +++ Dockerfile-15 | 1 + Dockerfile-17 | 2 +- Dockerfile-multigres | 2 +- Dockerfile-orioledb-17 | 2 +- ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh | 1 + ebssurrogate/scripts/qemu-bootstrap-nix.sh | 1 + scripts/nix-provision.sh | 1 + 9 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index 35a4101c5..7b94f6d44 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml @@ -56,6 +56,9 @@ runs: ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }} max-jobs = 4 extra-system-features = kvm + - name: Print Nix version + shell: bash + run: nix --version - name: Setup KVM permissions shell: bash run: | diff --git a/.github/actions/nix-install-self-hosted/action.yml b/.github/actions/nix-install-self-hosted/action.yml index 755d36696..005ec1479 100644 --- a/.github/actions/nix-install-self-hosted/action.yml +++ b/.github/actions/nix-install-self-hosted/action.yml @@ -18,6 +18,9 @@ runs: role-session-name: gha-oidc-${{ github.run_id }} role-duration-seconds: ${{ inputs.aws-role-duration }} + - name: Print Nix version + shell: bash + run: nix --version - name: Write creds files shell: bash run: | diff --git a/Dockerfile-15 b/Dockerfile-15 index 5abb2532c..2d5212da2 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 
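Review bot: The new `run: nix --version` step only prints; it does not fail the job when a runner ends up with a Nix other than the one this series is upgrading to, so it gives no guarantee that the advisory fix is actually in place. In this action the expected version is pinned a few lines above, so asserting it is one line, e.g. `run: nix --version | grep -F '2.33.4'` (grep's non-zero exit fails the step). The same print-without-check is added in the self-hosted action below, as `RUN nix --version` in the four Dockerfiles, and as `nix --version` in initiate.sh, qemu-bootstrap-nix.sh and nix-provision.sh; in the shell scripts the grep form only aborts if a failed pipeline stops the script (`set -e`/`pipefail`), which is outside these hunks, so `|| exit 1` may be needed there. The self-hosted action has no install step in view, so an assertion there would need the expected version passed in rather than hard-coded.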
@@ -29,6 +29,7 @@ extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7V EOF RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" +RUN nix --version WORKDIR /nixpg COPY . . diff --git a/Dockerfile-17 b/Dockerfile-17 index 965411cc0..d81728bf8 100644 --- a/Dockerfile-17 +++ b/Dockerfile-17 @@ -28,8 +28,8 @@ extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf - ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" +RUN nix --version WORKDIR /nixpg COPY . . diff --git a/Dockerfile-multigres b/Dockerfile-multigres index 744f0ab8e..48a5e6de0 100644 --- a/Dockerfile-multigres +++ b/Dockerfile-multigres @@ -29,8 +29,8 @@ extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf - ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" +RUN nix --version WORKDIR /nixpg COPY . . diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17 index 862b67d49..c0d539ae2 100644 --- a/Dockerfile-orioledb-17 +++ b/Dockerfile-orioledb-17 
@@ -28,8 +28,8 @@ extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= EOF RUN curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --no-channel-add --yes --nix-extra-conf-file /tmp/extra-nix.conf - ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" +RUN nix --version WORKDIR /nixpg COPY . . diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh index 95d13d500..72968fbec 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh @@ -312,6 +312,7 @@ EXTRA_NIX_CONF echo "1.2. Fetching store path for flake revision: $NIX_FLAKE_VERSION" # shellcheck disable=SC1091 source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + nix --version nix-collect-garbage -d > /tmp/pg_upgrade-nix-gc.log 2>&1 || true # Determine system architecture diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh index 051433a7e..68ef696c6 100755 --- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh +++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh @@ -89,6 +89,7 @@ extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7V EXTRA_NIX_CONF" -s /bin/bash root #shellcheck disable=SC1091 . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + nix --version } function execute_stage2_playbook { diff --git a/scripts/nix-provision.sh b/scripts/nix-provision.sh index e9696de7c..0d1725588 100644 --- a/scripts/nix-provision.sh +++ b/scripts/nix-provision.sh @@ -35,6 +35,7 @@ extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7V EXTRA_NIX_CONF" -s /bin/bash root #shellcheck disable=SC1091 . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + nix --version } 
From 033e51b497e73ccb5d9ec5856d84f4d1066fa26d Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 9 Apr 2026 14:31:21 -0400 Subject: [PATCH 4/5] fix: use same method everywhere to control version --- .../actions/nix-install-ephemeral/action.yml | 27 ++++++++++--------- docs/multigres-image.md | 4 +-- nix/docs/start-here.md | 4 +-- 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index 7b94f6d44..f2896f9b1 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml 
@@ -41,21 +41,22 @@ runs: sudo chmod +x /etc/nix/upload-to-cache.sh env: NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }} - - name: Set Nix package URL + - name: Install Nix shell: bash run: | - ARCH="$(uname -m)" - OS="$(uname -s | tr '[:upper:]' '[:lower:]')" - echo "NIX_INSTALLER_NIX_PACKAGE_URL=https://releases.nixos.org/nix/nix-2.33.4/nix-2.33.4-${ARCH}-${OS}.tar.xz" >> "$GITHUB_ENV" - - uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c - with: - installer-version: 2.33.3 - extra-conf: | - substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }} - max-jobs = 4 - extra-system-features = kvm + sudo tee /tmp/nix-extra.conf > /dev/null <<'NIXCONF' + extra-experimental-features = nix-command flakes + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + max-jobs = 4 + extra-system-features = kvm + NIXCONF + + if [ "${{ inputs.push-to-cache }}" = "true" ]; then + echo "post-build-hook = /etc/nix/upload-to-cache.sh" | sudo tee -a /tmp/nix-extra.conf > /dev/null + fi + + curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --yes --nix-extra-conf-file /tmp/nix-extra.conf - name: Print Nix version shell: bash run: nix --version diff --git a/docs/multigres-image.md b/docs/multigres-image.md index b4c094f42..6f78e5b57 100644 --- a/docs/multigres-image.md +++ b/docs/multigres-image.md 
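Review bot: The new `curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- …` line runs whatever curl returns: without `-f`/`--fail` an HTTP error body is handed to `sh`, and the script's integrity is not checked at all, whereas the `NixOS/nix-installer-action` step it replaces was pinned by commit SHA. At minimum use `curl -fsSL`; for a change motivated by a security advisory, downloading to a file and verifying a known sha256 before executing would give the pin some teeth. The commit title says the same method is used everywhere, but the Dockerfiles pass `--no-channel-add` and this step does not — either add it or note why the runner should get a channel. The `if [ "${{ inputs.push-to-cache }}" = "true" ]` test inlines a workflow expression into the script body; the conventional form is to map it in the step's `env:` (`PUSH_TO_CACHE: ${{ inputs.push-to-cache }}`) and test `"$PUSH_TO_CACHE"` in bash. `/tmp/nix-extra.conf` is also written with `sudo tee` to a fixed path; `mktemp` avoids the predictable name, though on an ephemeral runner this is low risk.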
@@ -108,9 +108,9 @@ extra-substituters = **Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line. -### Step 2: Install Nix 2.33.1 +### Step 2: Install Nix 2.33.4 -Run the following command to install Nix 2.33.1 (the version used in CI) with the custom configuration: +Run the following command to install Nix 2.33.4 (the version used in CI) with the custom configuration: ```bash curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf diff --git a/nix/docs/start-here.md b/nix/docs/start-here.md index ebfd18076..cee361b66 100644 --- a/nix/docs/start-here.md +++ b/nix/docs/start-here.md @@ -83,9 +83,9 @@ extra-substituters = **Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line. -### Step 2: Install Nix 2.33.1 +### Step 2: Install Nix 2.33.4 -Run the following command to install Nix 2.33.1 (the version used in CI) with the custom configuration: +Run the following command to install Nix 2.33.4 (the version used in CI) with the custom configuration: ```bash curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf From b4b05095afaafcfcd16779f9172e97cff6d08d72 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 9 Apr 2026 14:50:17 -0400 Subject: [PATCH 5/5] fix: handle adding nix to path for gh action --- .github/actions/nix-install-ephemeral/action.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index f2896f9b1..8984a7300 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml 
@@ -57,6 +57,11 @@ runs: fi curl -L https://releases.nixos.org/nix/nix-2.33.4/install | sh -s -- --daemon --yes --nix-extra-conf-file /tmp/nix-extra.conf + + # Add nix to PATH for subsequent steps + echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH" + # Source the daemon profile so nix works in this step too + . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh - name: Print Nix version shell: bash run: nix --version
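Review bot: The `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh` line is the last command of the step, so everything it exports is discarded when the step's shell exits; the comment `# Source the daemon profile so nix works in this step too` describes an effect nothing in the step uses, since the version print lives in the following step. Either drop the line or move `nix --version` into this step directly after it. Only the profile `bin` directory is persisted via `$GITHUB_PATH`; if later steps rely on the other variables nix-daemon.sh sets (NIX_PROFILES, and NIX_SSL_CERT_FILE where it finds a CA bundle), those would have to be appended to `$GITHUB_ENV` as well — worth confirming against what the later steps actually run.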