Devbox automatically updates the lock file during the package installation phase, which breaks caching.

[alezkv]

What happened?

I am trying to use Devbox with GitHub Actions to install the necessary dependencies while utilizing a cache. I have observed that after installing the packages, Devbox updates its lock file. The caching logic generates a key based on the hash of the lock file, which results in different cache keys being used for the restore and save phases.

Steps to reproduce

1. utilize official github action
2. add "any" package to devbox
3. commit all devbox files to repo

Here is the minimum reproducible repository: https://github.com/alezkv/devbox-action-repro
and run: https://github.com/alezkv/devbox-action-repro/actions/runs/13944472596/job/39028390051

Command

run

devbox.json

{
  "$schema":  "https://raw.githubusercontent.com/jetify-com/devbox/0.13.7/.schema/devbox.schema.json",
  "packages": ["[email protected]"],
  "shell": {
    "init_hook": [
      "echo 'Welcome to devbox!' > /dev/null"
    ],
    "scripts": {
      "test": [
        "echo \"Error: no test specified\" && exit 1"
      ]
    }
  }
}

Devbox version

0.14.0

Nix version

2.26.2

What system does this bug occur on?

Other (please include in the description above)

Debug logs

No response