Unverified Commit c2cb4e91 authored by Wolfgang Walther

workflows/build: run trusted nix-build-uncached

This was previously run from the untrusted checkout, which would allow
extracting the cachix secret easily.
parent e18eeeb4
+5 −1
@@ -12,6 +12,9 @@ on:
      mergedSha:
        required: true
        type: string
      targetSha:
        required: true
        type: string
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
@@ -55,6 +58,7 @@ jobs:
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
        with:
@@ -69,7 +73,7 @@ jobs:
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          pushFilter: '(-source$|-nixpkgs-tarball-)'

      - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached
      - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached

      - name: Build shell
        if: contains(matrix.builds, 'shell')
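Review bot: The `nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached` line carries its security rationale only in the commit message; nothing in the workflow says why this step must not read from the untrusted tree, so a later cleanup could move it back to `nixpkgs/untrusted-pinned` without tripping any review. Add a comment directly above the step, e.g. `# Must install from the trusted checkout: per c2cb4e91, running this from the untrusted (PR) tree lets that code reach the cachix credentials configured above.`, so the boundary is visible where it is enforced. The new `targetSha` input in the first hunk would likewise benefit from a `description:` stating it is the commit checked out as `target-as-trusted-at`, since `mergedSha` and `targetSha` are otherwise indistinguishable to a caller. The job's remaining steps continue outside this hunk.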
+1 −0
@@ -119,6 +119,7 @@ jobs:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.