Unverified Commit 5d6dd231 authored by Wolfgang Walther's avatar Wolfgang Walther

workflows/pull-request-target: never write to cachix from PRs

Evaluating untrusted code in the presence of secrets is unsafe in
general, so we only provide the cachix auth token when these jobs run
in the merge queue. This is enough for all practical purposes: PRs will
still be able to pull from cachix what was built in the merge queue
previously.
parent c2cb4e91
+3 −1
@@ -16,8 +16,10 @@ on:
        required: true
        type: string
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN:
        required: true
        required: false

permissions: {}
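Review bot: `required: false` under `CACHIX_AUTH_TOKEN` only relaxes the reusable workflow's interface; it does not by itself stop a caller from passing the token on a pull_request_target run, so the comment above the secret describes an intent that is enforced on the caller side. I would make that explicit in the comment, e.g. `# Callers must pass this only for merge-queue (merge_group) runs; pull_request_target callers must leave it unset.`, and confirm that whichever step consumes the secret tolerates an empty value rather than failing the job (inferred; the consuming steps are not in this hunk). The same change appears in the three following file sections, so the same comment applies there. The `on:` block these hunks sit in starts outside the hunk.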

+3 −1
@@ -16,8 +16,10 @@ on:
        required: true
        type: string
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN:
        required: true
        required: false

permissions: {}

+3 −1
@@ -19,8 +19,10 @@ on:
        default: false
        type: boolean
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN:
        required: true
        required: false

permissions: {}

+3 −1
@@ -10,8 +10,10 @@ on:
        required: true
        type: string
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN:
        required: true
        required: false

permissions: {}

+0 −3
@@ -13,9 +13,6 @@ on:
      targetSha:
        required: true
        type: string
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true

permissions: {}
