diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 39be81b616c0..01b2f4a7b1d5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -69,10 +69,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 432f6e837f3e..dfcbbd8b45c1 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -18,7 +18,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} 
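Review bot: In the cachix-action step of build.yml (`authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}`), nothing tells a fork maintainer that the secret name changed. Because the secret is declared `required: false`, a repository that still stores its token under the old name would get an empty `authToken` and no error. As far as I know cachix-action then runs pull-only, so that fork's `vars.CACHIX_NAME` cache would quietly stop being populated. I would extend the comment above `name:` with `# Forks: store the write token for vars.CACHIX_NAME as CACHIX_AUTH_TOKEN_GHA; without it this step only pulls.` The same step appears in check.yml, eval.yml and twice in lint.yml, and in each case the step list continues outside the hunk.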
@@ -89,10 +89,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 74e69a7fde3e..fcacd60da6a2 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -21,7 +21,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -104,10 +104,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2f8f2357c972..8b900a8261f2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -12,7 +12,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -74,10 +74,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files @@ -103,10 +103,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index e8705aaaba1c..d84cb3318423 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -61,7 +61,7 @@ jobs: # cherry-picks; formality right now, but unused pull-requests: write secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} 
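Review bot: The four `secrets:` blocks in merge-group.yml now read `secrets.CACHIX_AUTH_TOKEN_GHA`, but the diff shows no place where that name is declared for, or supplied to, this workflow. The later merge-group.yml hunks reference `inputs.artifact-prefix`, which suggests the workflow can itself be invoked with inputs; if that is through `workflow_call`, its own `on.workflow_call.secrets` entry and every caller need the same rename, otherwise the value resolves to an empty string and the called jobs lose push access without failing. Passing the secret by name rather than with `secrets: inherit` is worth keeping, since it limits which credentials reach the called workflows. Once nothing references `CACHIX_AUTH_TOKEN`, the old repository secret and the token behind it should be deleted so an unused write credential does not linger. The jobs these blocks belong to start outside the hunks.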
@@ -71,7 +71,7 @@ jobs: needs: [prepare] uses: ./.github/workflows/lint.yml secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} @@ -86,7 +86,7 @@ jobs: # compare statuses: write secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} @@ -98,7 +98,7 @@ jobs: needs: [prepare] uses: ./.github/workflows/build.yml secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }}