workflows/pull-request-target: never write to cachix from PRs

Evaluating untrusted code in the presence of secrets is unsafe in
general, thus we only provide the cachix auth token when these jobs run
in the merge queue. This is enough for all practical purposes, PRs will
be able to pull stuff from cachix that was built in the Merge Queue
previously.

.github/workflows/build.yml

@@ -16,8 +16,10 @@ on:
         required: true
         type: string
     secrets:
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN:
-        required: true
+        required: false
 
 permissions: {}
 

.github/workflows/check.yml

@@ -16,8 +16,10 @@ on:
         required: true
         type: string
     secrets:
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN:
-        required: true
+        required: false
 
 permissions: {}
 

.github/workflows/eval.yml

@@ -19,8 +19,10 @@ on:
         default: false
         type: boolean
     secrets:
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN:
-        required: true
+        required: false
 
 permissions: {}
 

.github/workflows/lint.yml

@@ -10,8 +10,10 @@ on:
         required: true
         type: string
     secrets:
+      # Should only be provided in the merge queue, not in pull requests,
+      # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN:
-        required: true
+        required: false
 
 permissions: {}
 

.github/workflows/merge-group.yml

@@ -13,9 +13,6 @@ on:
       targetSha:
         required: true
         type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
 
 permissions: {}
 

.github/workflows/pull-request-target.yml

@@ -8,8 +8,6 @@ on:
         required: true
         type: string
     secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
       NIXPKGS_CI_APP_PRIVATE_KEY:
         required: true
 
@@ -63,8 +61,6 @@ jobs:
     permissions:
       # cherry-picks
       pull-requests: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}
       headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -75,8 +71,6 @@ jobs:
     name: Lint
     needs: [prepare]
     uses: ./.github/workflows/lint.yml
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
       targetSha: ${{ needs.prepare.outputs.targetSha }}
@@ -88,8 +82,6 @@ jobs:
     permissions:
       # compare
       statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       artifact-prefix: ${{ inputs.artifact-prefix }}
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -113,8 +105,6 @@ jobs:
     name: Build
     needs: [prepare]
     uses: ./.github/workflows/build.yml
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       artifact-prefix: ${{ inputs.artifact-prefix }}
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}

.github/workflows/test.yml

@@ -84,8 +84,6 @@ jobs:
     permissions:
       pull-requests: write
       statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       artifact-prefix: mg-
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -102,7 +100,6 @@ jobs:
       pull-requests: write
       statuses: write
     secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
     with:
       artifact-prefix: pr-