gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

workflows: invalidate cachix cache

Browse Source 
Since it was previously possible, in theory, to extract the
CACHIX_AUTH_TOKEN via Nix eval on untrusted inputs, this rotates the
token and clears the cache - and while on it moves to a new cache, that
is owned by a newly created nixpkgs-ci org instead of an individual.
This commit is contained in:
Wolfgang Walther
2025-11-10 14:55:03 +01:00
parent 5d6dd23117
commit 3bc31e0474
5 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/build.yml vendored
View File

@@ -18,7 +18,7 @@ on:
secrets:
# Should only be provided in the merge queue, not in pull requests,
# where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN:
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {}
@@ -69,10 +69,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: '(-source$|-nixpkgs-tarball-)'
- run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached

10
.github/workflows/check.yml vendored
View File

@@ -18,7 +18,7 @@ on:
secrets:
# Should only be provided in the merge queue, not in pull requests,
# where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN:
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {}
@@ -89,10 +89,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$
- name: Build codeowners validator

10
.github/workflows/eval.yml vendored
View File

@@ -21,7 +21,7 @@ on:
secrets:
# Should only be provided in the merge queue, not in pull requests,
# where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN:
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {}
@@ -104,10 +104,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: '(-source|-single-chunk)$'
- name: Evaluate the ${{ matrix.system }} output paths at the merge commit

18
.github/workflows/lint.yml vendored
View File

@@ -12,7 +12,7 @@ on:
secrets:
# Should only be provided in the merge queue, not in pull requests,
# where we're evaluating untrusted code.
CACHIX_AUTH_TOKEN:
CACHIX_AUTH_TOKEN_GHA:
required: false
permissions: {}
@@ -74,10 +74,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$
- name: Parse all nix files
@@ -103,10 +103,10 @@ jobs:
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
extraPullNames: nixpkgs-ci
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
# The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
extraPullNames: nixpkgs-gha
authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
pushFilter: -source$
- name: Running nixpkgs-vet

8
.github/workflows/merge-group.yml vendored
View File

@@ -61,7 +61,7 @@ jobs:
# cherry-picks; formality right now, but unused
pull-requests: write
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
@@ -71,7 +71,7 @@ jobs:
needs: [prepare]
uses: ./.github/workflows/lint.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
@@ -86,7 +86,7 @@ jobs:
# compare
statuses: write
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -98,7 +98,7 @@ jobs:
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
with:
artifact-prefix: ${{ inputs.artifact-prefix }}
baseBranch: ${{ needs.prepare.outputs.baseBranch }}