ci: Refine permissions#393
Conversation
MattSturgeon
left a comment
MattSturgeon
left a comment
There was a problem hiding this comment.
Thanks. LMK what you think of the optional feedback; whether you agree or disagree and whether you want to address any of it in this PR or not.
| - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17 | ||
| with: | ||
| name: nixos-nixfmt | ||
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | ||
|
|
There was a problem hiding this comment.
It'd be nice to keep this on push events, or even have it without the authToken on pull_request_target events.
Something like
authToken: ${{ github.event_name == 'push' && secrets.CACHIX_AUTH_TOKEN || '' }}There was a problem hiding this comment.
Non-blocking thoughts:
- How does magic-nix-cache handle this?
- Does Cachix have a recommendation about how to do this safely? It doesn't seem crazy to want evolving PRs to avoid rebuilds.
There was a problem hiding this comment.
- It uses similar semantics than the GitHub Actions cache see https://docs.github.com/en/actions/reference/workflows-and-actions/dependency-caching#restrictions-for-accessing-a-cache
- Not sure there is a great way to handle it, maybe you can have a dedicated untrusted cache for PRs with the trusted cache configured as the upstream cache. But even with something like that it's bit weird as you need to maintain a long lived write token that most likely is going to leak at some point.
There was a problem hiding this comment.
My preference is still to keep cachix-action here, but only providing authToken in trusted contexts (like push events).
IIRC, cachix-action will continue to function read-only when configured without a token.
If debate will delay this PR unnecessarily, then I'm happy to deal with that in a dedicated "restore cachix" PR.
There was a problem hiding this comment.
If debate will delay this PR unnecessarily, then I'm happy to deal with that in a dedicated "restore cachix" PR.
It will not! Let's discuss in #394
There was a problem hiding this comment.
I'm going to merge this as is. @MattSturgeon, feel free to tweak the logic so we (safely) push more things to the cache.
LeSuisse
force-pushed
the
ci-adjust-permissions
branch
from
e32aded to
d77a5e6
Compare
|
Made some adjustments to the comment, tell me if it looks OK. @mdaniels5757 I added myself as co-author to take responsibility if someone needs to be yelled at in the future if the comments are wrong 😅 |
jfly
left a comment
jfly
left a comment
There was a problem hiding this comment.
LGTM, but will wait for @MattSturgeon to take another look before merging.
Co-Authored-by: Thomas Gerbet <thomas@gerbet.me>
jfly
force-pushed
the
ci-adjust-permissions
branch
from
4d731d9 to
903898a
Compare
4 participants
No need to request credentials/permissions that are not absolutely needed.