diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
index fc7df3a1aa8d..b07daabad5d4 100644
--- a/.github/workflows/basic-eval.yml
+++ b/.github/workflows/basic-eval.yml
@@ -20,7 +20,7 @@ jobs:
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
     - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yaml
index f9e744a6a0c5..284cee5330d7 100644
--- a/.github/workflows/check-maintainers-sorted.yaml
+++ b/.github/workflows/check-maintainers-sorted.yaml
@@ -21,7 +21,7 @@ jobs:
           sparse-checkout: |
             lib
             maintainers
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
index bcf0627ee22c..a0a081caaca6 100644
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
@@ -38,7 +38,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml
index a3f37d8131c8..da6917282705 100644
--- a/.github/workflows/check-nixf-tidy.yml
+++ b/.github/workflows/check-nixf-tidy.yml
@@ -32,7 +32,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml
index 0ecc3b0c7baf..0959184fe45f 100644
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@@ -14,7 +14,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
       - name: Build shell
         run: nix-build shell.nix
 
@@ -26,6 +26,6 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
       - name: Build shell
         run: nix-build shell.nix
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
index 26530f30f468..2fc83feff77a 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig.yml
@@ -29,7 +29,7 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
index 002d44c8797d..c8be2404eb55 100644
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos.yml
@@ -19,7 +19,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
index 00e84854495a..d2a4888f0363 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs.yml
@@ -21,7 +21,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/.github/workflows/nix-parse.yml b/.github/workflows/nix-parse.yml
index 7f55322d85e6..e0793231c73c 100644
--- a/.github/workflows/nix-parse.yml
+++ b/.github/workflows/nix-parse.yml
@@ -30,7 +30,7 @@ jobs:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
       if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
       with:
         nix_path: nixpkgs=channel:nixpkgs-unstable
     - name: Parse all changed or added nix files
diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml
index 4f244b94feff..badfa851103d 100644
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -85,7 +85,7 @@ jobs:
           base=$(mktemp -d)
           git worktree add "$base" "$(git rev-parse HEAD^1)"
           echo "base=$base" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         if: env.mergedSha
       - name: Fetching the pinned tool
         if: env.mergedSha
diff --git a/.github/workflows/update-terraform-providers.yml b/.github/workflows/update-terraform-providers.yml
index 99762a2269e2..4accaf24a6a2 100644
--- a/.github/workflows/update-terraform-providers.yml
+++ b/.github/workflows/update-terraform-providers.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: setup