workflows/periodic-merges: use nix-backport app's token when merging #372041
JohnRTitor wants to merge 1 commit into NixOS:master from
Conversation
wolfgangwalther left a comment
This should be tested in @infinisil's test organization.
20835f7 to 7415599
…branches This will allow GitHub to run actions on those commits, specifically Eval action. Currently as these merges are committed by `github-actions`, Eval doesn't run on the commits. i.e., https://github.com/NixOS/nixpkgs/actions/runs/12646467735/job/35237397411?pr=371701 failed due to NixOS@fa2d66f commit was done by github-actions. With this every periodic merge will be authored and committed by the nix-backports bot. We can reuse the bot here as they have similar perms (NixOS/org#38) Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
7415599 to e89759d
| - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 | ||
| id: app-token | ||
| with: | ||
| app-id: ${{ vars.BACKPORT_APP_ID }} |
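Review bot: the `app-id` input on the last shown line reads `vars.BACKPORT_APP_ID`, a name that no longer describes its use once the same app token also drives periodic merges; a generically named variable (and matching key secret) would avoid the mismatch and make the app's widened scope visible to anyone auditing the workflow. The `private-key` input is not among the shown lines, so its source cannot be checked here. The `uses:` line pins `actions/create-github-app-token` to a full commit SHA with the tag `v1.11.1` in a trailing comment; that is the pattern to keep, and the comment should be updated together with the SHA on future bumps.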
Looks ok from a security perspective. We may want to add variable with a new name for BACKPORT_APP_ID and BACKPORT_PRIVATE_KEY.
I think you are asking because of https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable ?
These (BACKPORT_APP_ID, BACKPORT_PRIVATE_KEY) are set by NixOS org admins I think? So I don't think we have to worry about untrusted inputs.
Yes. I am not worried about security here. I think the name should just reflect where it's being used and this key is after this change no longer limited to just backport actions.
Agreed. Let's set it to something generic and I will update the variable here.
Instead of nix-backports, can we use nixpkgs-ci?
I've opened NixOS/org#54 to rename the App to "Nixpkgs CI", which when implemented should give us variables
It would be great to start a little docs section in perhaps
I guess they could go to .github/workflows/README.md after #371216 is merged, since the "permissions" topic is touched there already.
Done in #373935
This will allow GitHub to run actions on those commits, specifically Eval action. Currently as these merges are committed by
github-actions, Eval doesn't run on the commits, i.e., https://github.com/NixOS/nixpkgs/actions/runs/12646467735/job/35237397411?pr=371701 Processing failed because the fa2d66f commit was done by github-actions.
With this every periodic merge will be authored and committed by the nix-backports bot. We can reuse the bot here as it has the perms (NixOS/org#38) required here.
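The mechanism described above (pushes made with the default `GITHUB_TOKEN` do not trigger other workflows, while pushes made with a GitHub App installation token do) and the intermediate-environment-variable point raised in the review thread, as one added example workflow. This is not the nixpkgs `periodic-merges` workflow or any NixOS configuration: the workflow name, branch names, the `CI_APP_ID` variable, the `CI_APP_PRIVATE_KEY` secret and the bot identity are all assumed placeholders. The action's `app-id` / `private-key` inputs and `token` output are the real `actions/create-github-app-token` v1 interface.

```yaml
# Added example, not the project's own workflow. Names marked "assumed" are placeholders.
name: periodic-merges-example

on:
  schedule:
    - cron: "0 */6 * * *"   # assumed schedule
  workflow_dispatch:

# No permissions for GITHUB_TOKEN: every privileged step below uses the app token,
# so a compromise of this job cannot fall back on the default token.
permissions: {}

jobs:
  merge:
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation token for the app. In production pin the
      # action to a full commit SHA (as the PR does) rather than a floating tag.
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.CI_APP_ID }}                     # assumed variable name
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}    # assumed secret name

      # Check out with the app token so that the persisted credential used by
      # `git push` belongs to the app, not to github-actions.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0

      - name: Merge source branch into target and push
        env:
          # Expression values go through env and are quoted in the script, never
          # interpolated directly into `run:`; this is the intermediate-variable
          # pattern from GitHub's security-hardening guide. Even trusted org
          # variables are handled this way so the habit holds for untrusted ones.
          SOURCE_BRANCH: ${{ vars.PERIODIC_MERGE_SOURCE }}  # assumed variable name
          TARGET_BRANCH: ${{ vars.PERIODIC_MERGE_TARGET }}  # assumed variable name
          BOT_NAME: "example-ci[bot]"                       # assumed bot identity
          BOT_EMAIL: "example-ci[bot]@users.noreply.github.com"  # assumed
        run: |
          set -euo pipefail
          git config user.name "$BOT_NAME"
          git config user.email "$BOT_EMAIL"
          git checkout "$TARGET_BRANCH"
          git merge --no-edit "origin/$SOURCE_BRANCH"
          # The push is authenticated with the app token persisted by checkout,
          # so the resulting commit triggers push-event workflows on the target.
          git push origin "HEAD:$TARGET_BRANCH"
```

Two points worth checking when adapting this: the app installation must have `contents: write` on the repository (otherwise the push is rejected, and no amount of workflow `permissions:` changes that, since they only govern `GITHUB_TOKEN`), and the commit author comes from the `git config` lines, so the bot identity is what ends up in history regardless of which token authenticates the push.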