Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Store Path Signing #1

Open
zhaofengli opened this issue May 8, 2023 · 0 comments
Open

Store Path Signing #1

zhaofengli opened this issue May 8, 2023 · 0 comments

Comments

@zhaofengli
Copy link
Contributor

Right now, nix-actions-cache does not handle signing and leaves everything to Nix. In the bundled GitHub Action, it may be beneficial to provide an option to perform nix store sign with a secret.

We should investigate whether this is necessary/helpful. To quote GitHub's documentations on cache restrictions:

Workflow runs cannot restore caches created for child branches or sibling branches. For example, a cache created for the child feature-b branch would not be accessible to a workflow run triggered on the parent main branch. Similarly, a cache created for the feature-a branch with the base main would not be accessible to its sibling feature-c branch with the base main. Workflow runs also cannot restore caches created for different tag names. For example, a cache created for the tag release-a with the base main would not be accessible to a workflow run triggered for the tag release-b with the base main.

When a cache is created by a workflow run triggered on a pull request, the cache is created for the merge ref (refs/pull/.../merge). Because of this, the cache will have a limited scope and can only be restored by re-runs of the pull request. It cannot be restored by the base branch or other pull requests targeting that base branch.

If I understand correctly, workflows on untrusted PR branches will not be able to pollute the cache view from other branches.
edolstra added a commit that referenced this issue Feb 12, 2024
@edolstra
Add support for pushing to Attic (#1)
fd1420f 
* Add support for pushing to Attic

* fmt/clippy

* Fix attic dependency

* Pass ssh private key

* Try to inherit secrets

* Fix static build

* Fix default package

* Fix daemonizing

* Fix clippy

* Update nix.conf

* Add --use-attic flag

* --use-attic -> --use-flakehub

* Handle project not existing

* Handle Attic init failure

* Skip .chroot paths

* Update netrc

* Downgrade to Nixpkgs 23.05 to fix static builds

* Use rust 1.70

We need 1.70, but 1.69 is the default in Nixpkgs 23.05.

* Rename stuff

* Use magic-nix-cache-priv

* Hack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zhaofengli