From 4147f97f9eca433ce94fe464d8f3902226ce2bd2 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Thu, 23 Oct 2025 17:34:32 +0200 Subject: [PATCH 1/6] workflows/merge-group: refactor prepare step to github-script Less Bash, more JavaScript - it's policy! --- .github/workflows/merge-group.yml | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index fe3d8fcc27d0..0d18cbc4732b 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -23,7 +23,9 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: - systems: ${{ steps.systems.outputs.systems }} + mergedSha: ${{ steps.prepare.outputs.mergedSha }} + targetSha: ${{ steps.prepare.outputs.targetSha }} + systems: ${{ steps.prepare.outputs.systems }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: 
@@ -31,19 +33,28 @@ jobs: sparse-checkout: | ci/supportedSystems.json - - name: Load supported systems - id: systems - run: | - echo "systems=$(jq -c > "$GITHUB_OUTPUT" + - id: prepare + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + MERGED_SHA: ${{ inputs.mergedSha }} + TARGET_SHA: ${{ inputs.targetSha }} + with: + script: | + core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) + core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) + core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) + core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) + core.setOutput('systems', require('./ci/supportedSystems.json')) lint: name: Lint + needs: [prepare] uses: ./.github/workflows/lint.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: - mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} - targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} + mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval @@ -58,8 +69,8 @@ jobs: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: artifact-prefix: ${{ inputs.artifact-prefix }} - mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} - targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} + mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. From ec50d453b6acb14ee9cb2f68bcbf5c4c038d0394 Mon Sep 17 00:00:00 2001 
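Review bot: The new `prepare` script exports `mergedSha` and `targetSha` without checking that the resolved value is actually a commit SHA, and unlike the `||` in the expressions this hunk replaces, `??` does not treat an empty string as missing, so an empty `MERGED_SHA`/`TARGET_SHA` is forwarded unchanged into `needs.prepare.outputs.*` and from there into the checkouts of every downstream job. Each resolution expression is also written out twice, once for `setOutput` and once for `info`. Resolving each SHA into a `const`, failing with `core.setFailed` when it does not match `/^[0-9a-f]{40}$/`, and emitting output and log line from that single value would make this job the one place where these refs are validated. The `systems` output now relies on `actions/core` JSON-serialising the object returned by `require`; a one-line comment such as `// setOutput JSON-encodes the array; consumers read it as a string` would spare readers of `${{ needs.prepare.outputs.systems }}` a guess.
```yaml
script: |
  const mergedSha = context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA
  const targetSha = context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA
  for (const [name, sha] of Object.entries({ mergedSha, targetSha })) {
    // Fail here rather than hand an empty or malformed ref to the downstream checkout steps.
    if (!/^[0-9a-f]{40}$/.test(sha)) core.setFailed(`${name} is not a full commit SHA: ${JSON.stringify(sha)}`)
    core.setOutput(name, sha)
    core.info(`${name}: ${sha}`)
  }
  // … unchanged: systems output …
```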
From: Wolfgang Walther Date: Tue, 11 Nov 2025 18:45:26 +0100 Subject: [PATCH 2/6] workflows/merge-queue: run build jobs --- .github/workflows/merge-group.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index 0d18cbc4732b..05fde3617c15 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -23,6 +23,7 @@ jobs: prepare: runs-on: ubuntu-24.04-arm outputs: + baseBranch: ${{ steps.prepare.outputs.base }} mergedSha: ${{ steps.prepare.outputs.mergedSha }} targetSha: ${{ steps.prepare.outputs.targetSha }} systems: ${{ steps.prepare.outputs.systems }} @@ -40,6 +41,15 @@ jobs: TARGET_SHA: ${{ inputs.targetSha }} with: script: | + const { classify } = require('./ci/supportedBranches.js') + const baseBranch = ( + context.payload.merge_group?.base_ref ?? + context.payload.pull_request.base.ref + ).replace(/^refs\/heads\//, '') + const baseClassification = classify(baseBranch) + core.setOutput('base', baseClassification) + core.info('base classification:', baseClassification) + core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA) core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`) core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA) 
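Review bot: `core.info('base classification:', baseClassification)` passes the value as a second argument, but `core.info` takes a single message string, so the log line will show `base classification:` with nothing after it; write it as the neighbouring lines do, `core.info(\`base classification: ${baseClassification}\`)`. The script also `require`s `./ci/supportedBranches.js`, while the sparse checkout shown in the first patch of this series lists only `ci/supportedSystems.json`; if cone mode is in effect the other files directly under `ci/` come along with the parent directory, but that is a property of the checkout mode rather than a declared dependency, so adding `ci/supportedBranches.js` to `sparse-checkout` would make it explicit. `context.payload.pull_request.base.ref` has no `?.`, so a `workflow_call` from an event that carries neither `merge_group` nor `pull_request` throws before any output is set — fine as fail-fast, but worth a comment naming the two supported callers. The step output is called `base` while it carries a classification and is re-exported as `baseBranch`; one name for the three places would avoid confusion with an actual branch name.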
@@ -73,6 +83,18 @@ jobs: targetSha: ${{ needs.prepare.outputs.targetSha }} systems: ${{ needs.prepare.outputs.systems }} + build: + name: Build + needs: [prepare] + uses: ./.github/workflows/build.yml + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + with: + artifact-prefix: ${{ inputs.artifact-prefix }} + baseBranch: ${{ needs.prepare.outputs.baseBranch }} + mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} + # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. unlock: From e18eeeb4418b47ee628bc22567cf9830a1af9b61 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Tue, 11 Nov 2025 18:47:35 +0100 Subject: [PATCH 3/6] workflows/merge-queue: run owners check job --- .github/workflows/check.yml | 5 +++-- .github/workflows/merge-group.yml | 13 +++++++++++++ .github/workflows/test.yml | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index e317903c2f8d..54360b2dd6f8 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -4,10 +4,10 @@ on: workflow_call: inputs: baseBranch: - required: true + required: false type: string headBranch: - required: true + required: false type: string mergedSha: required: true @@ -27,6 +27,7 @@ defaults: jobs: commits: + if: inputs.baseBranch && inputs.headBranch permissions: pull-requests: write runs-on: ubuntu-24.04-arm diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index 05fde3617c15..3661f4c32429 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml 
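Review bot: The new `build` job is not wired into `unlock.needs` as far as this patch shows: the diffstat's 22 added lines are fully accounted for by the three hunks, and the context right below says `unlock` must "need" every job that should block the Merge Queue, so a failing build would not block a merge unless `needs:` is updated outside this diff. The same applies to the `check` job added to merge-group.yml in the third patch of the series. If leaving them out is deliberate for now, a comment on the job such as `# not yet in unlock.needs: advisory until the queue has run it for a while` would record that. The `unlock` job's body lies outside the hunk.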
@@ -56,6 +56,19 @@ jobs: core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`) core.setOutput('systems', require('./ci/supportedSystems.json')) + check: + name: Check + needs: [prepare] + uses: ./.github/workflows/check.yml + permissions: + # cherry-picks; formality right now, but unused + pull-requests: write + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + with: + mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} + lint: name: Lint needs: [prepare] diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 727a9f965845..a48cc57b44e0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -82,6 +82,7 @@ jobs: uses: ./.github/workflows/merge-group.yml # Those are actually only used on the merge_group event, but will throw an error if not set. permissions: + pull-requests: write statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} From c2cb4e916be5de480b0175f7117588482432e059 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 10 Nov 2025 14:14:53 +0100 Subject: [PATCH 4/6] workflows/build: run trusted nix-build-uncached This was previously run from the untrusted checkout, which would allow extracting the cachix secret easily. --- .github/workflows/build.yml | 6 +++++- .github/workflows/pull-request-target.yml | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 701ac0b80b92..0e416dc2b64a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,6 +12,9 @@ on: mergedSha: required: true type: string + targetSha: + required: true + type: string secrets: CACHIX_AUTH_TOKEN: required: true 
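Review bot: The `check` job is granted `pull-requests: write` that its own comment calls unused; since check.yml's `commits` job is now gated by `if: inputs.baseBranch && inputs.headBranch` and this caller passes neither, the grant presumably exists only because a called workflow cannot declare a permission its caller did not pass. Spelling that out would stop a later reader from "cleaning up" either side: `# check.yml's commits job declares pull-requests: write; the caller must grant it even though that job is skipped here (no baseBranch/headBranch passed).` The secret forwarded below is narrowed again later in this series, so the job as written here should not be read as the final shape.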
@@ -55,6 +58,7 @@ jobs: uses: ./.github/actions/checkout with: merged-as-untrusted-at: ${{ inputs.mergedSha }} + target-as-trusted-at: ${{ inputs.targetSha }} - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31 with: @@ -69,7 +73,7 @@ jobs: authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} pushFilter: '(-source$|-nixpkgs-tarball-)' - - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached + - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached - name: Build shell if: contains(matrix.builds, 'shell') diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml index f74ce93de354..2ae4d47925a9 100644 --- a/.github/workflows/pull-request-target.yml +++ b/.github/workflows/pull-request-target.yml @@ -119,6 +119,7 @@ jobs: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block merging a PR. From 5d6dd23117f8873675cef55166ca2e2f8b2c00ac Mon Sep 17 00:00:00 2001 
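Review bot: The changed `- run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached` line depends on a `nixpkgs/trusted-pinned` tree that nothing in this hunk creates; presumably the `./.github/actions/checkout` composite action materialises it when `target-as-trusted-at` is set in the hunk above, so the two hunks only work together. Unlike its neighbours (the cachix step, `Build shell`) the step has no `name:`, so the trust boundary this commit fixes is invisible in the job log; `name: Install nix-build-uncached from the trusted checkout` plus a comment `# tooling comes from the trusted (target) checkout, never from the PR's nixpkgs` would record why `untrusted-pinned` must not come back. The surrounding job continues outside the hunk.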
From: Wolfgang Walther Date: Tue, 11 Nov 2025 18:00:50 +0100 Subject: [PATCH 5/6] workflows/pull-request-target: never write to cachix from PRs Evaluating untrusted code in the presence of secrets is unsafe in general, thus we only provide the cachix auth token when these jobs run in the merge queue. This is enough for all practical purposes, PRs will be able to pull stuff from cachix that was built in the Merge Queue previously. --- .github/workflows/build.yml | 4 +++- .github/workflows/check.yml | 4 +++- .github/workflows/eval.yml | 4 +++- .github/workflows/lint.yml | 4 +++- .github/workflows/merge-group.yml | 3 --- .github/workflows/pull-request-target.yml | 10 ---------- .github/workflows/test.yml | 3 --- 7 files changed, 12 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0e416dc2b64a..39be81b616c0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,8 +16,10 @@ on: required: true type: string secrets: + # Should only be provided in the merge queue, not in pull requests, + # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN: - required: true + required: false permissions: {} diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 54360b2dd6f8..432f6e837f3e 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -16,8 +16,10 @@ on: required: true type: string secrets: + # Should only be provided in the merge queue, not in pull requests, + # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN: - required: true + required: false permissions: {} diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index ccd58fe1e9a9..74e69a7fde3e 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml 
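Review bot: The new comment on `CACHIX_AUTH_TOKEN` states a policy — merge queue only — that this file cannot enforce, because a `workflow_call` secret marked `required: false` is accepted from any caller; the enforcement lives in `pull-request-target.yml` and `test.yml` no longer forwarding it. Naming that in the comment keeps the invariant reviewable when a new caller appears: `# Only merge-group.yml may pass this; pull-request-target.yml and test.yml must not, as they evaluate untrusted code.` The same applies to the identical hunks in check.yml, eval.yml and lint.yml in this patch. Whether the `cachix/cachix-action` step further down degrades to pull-only when `authToken` is empty is not visible here — presumably it does, but a PR run should confirm it, since otherwise these jobs would fail in PRs instead of merely not pushing.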
@@ -19,8 +19,10 @@ on: default: false type: boolean secrets: + # Should only be provided in the merge queue, not in pull requests, + # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN: - required: true + required: false permissions: {} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 486dac20207c..2f8f2357c972 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -10,8 +10,10 @@ on: required: true type: string secrets: + # Should only be provided in the merge queue, not in pull requests, + # where we're evaluating untrusted code. CACHIX_AUTH_TOKEN: - required: true + required: false permissions: {} diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index 3661f4c32429..e8705aaaba1c 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -13,9 +13,6 @@ on: targetSha: required: true type: string - secrets: - CACHIX_AUTH_TOKEN: - required: true permissions: {} diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml index 2ae4d47925a9..1f6424cbc527 100644 --- a/.github/workflows/pull-request-target.yml +++ b/.github/workflows/pull-request-target.yml @@ -8,8 +8,6 @@ on: required: true type: string secrets: - CACHIX_AUTH_TOKEN: - required: true NIXPKGS_CI_APP_PRIVATE_KEY: required: true @@ -63,8 +61,6 @@ jobs: permissions: # cherry-picks pull-requests: write - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: baseBranch: ${{ needs.prepare.outputs.baseBranch }} headBranch: ${{ needs.prepare.outputs.headBranch }} @@ -75,8 +71,6 @@ jobs: name: Lint needs: [prepare] uses: ./.github/workflows/lint.yml - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} 
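Review bot: Removing the `workflow_call.secrets` declaration means `secrets.CACHIX_AUTH_TOKEN`, which the check/lint/eval/build jobs in this file still forward (visible in the last patch of the series), is populated only on the direct `merge_group` trigger and resolves to empty when merge-group.yml is called from test.yml. That appears to be the intended invariant, but nothing in the file says so, and a future contributor may "fix" the missing declaration. A comment at the `on:` block would record it: `# No secrets are declared for workflow_call on purpose: the cachix token is only available when this workflow runs on the merge_group event itself.` The `on:` block continues outside the hunk.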
@@ -88,8 +82,6 @@ jobs: permissions: # compare statuses: write - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} @@ -113,8 +105,6 @@ jobs: name: Build needs: [prepare] uses: ./.github/workflows/build.yml - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a48cc57b44e0..cb8956ae71dc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -84,8 +84,6 @@ jobs: permissions: pull-requests: write statuses: write - secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: artifact-prefix: mg- mergedSha: ${{ needs.prepare.outputs.mergedSha }} @@ -102,7 +100,6 @@ jobs: pull-requests: write statuses: write secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} with: artifact-prefix: pr- From 3bc31e04740224e3fb5c7805f9d71aaa38c23943 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Mon, 10 Nov 2025 14:55:03 +0100 Subject: [PATCH 6/6] workflows: invalidate cachix cache Since it was previously possible, in theory, to extract the CACHIX_AUTH_TOKEN via Nix eval on untrusted inputs, this rotates the token and clears the cache - and while on it moves to a new cache, that is owned by a newly created nixpkgs-ci org instead of an individual. --- .github/workflows/build.yml | 10 +++++----- .github/workflows/check.yml | 10 +++++----- .github/workflows/eval.yml | 10 +++++----- .github/workflows/lint.yml | 18 +++++++++--------- .github/workflows/merge-group.yml | 8 ++++---- 5 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 39be81b616c0..01b2f4a7b1d5 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -69,10 +69,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source$|-nixpkgs-tarball-)' - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 432f6e837f3e..dfcbbd8b45c1 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -18,7 +18,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -89,10 +89,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Build codeowners validator 
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 74e69a7fde3e..fcacd60da6a2 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -21,7 +21,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} @@ -104,10 +104,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: '(-source|-single-chunk)$' - name: Evaluate the ${{ matrix.system }} output paths at the merge commit diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2f8f2357c972..8b900a8261f2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -12,7 +12,7 @@ on: secrets: # Should only be provided in the merge queue, not in pull requests, # where we're evaluating untrusted code. - CACHIX_AUTH_TOKEN: + CACHIX_AUTH_TOKEN_GHA: required: false permissions: {} 
@@ -74,10 +74,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Parse all nix files @@ -103,10 +103,10 @@ jobs: - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: - # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI. - name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }} - extraPullNames: nixpkgs-ci - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI. + name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }} + extraPullNames: nixpkgs-gha + authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} pushFilter: -source$ - name: Running nixpkgs-vet diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index e8705aaaba1c..d84cb3318423 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -61,7 +61,7 @@ jobs: # cherry-picks; formality right now, but unused pull-requests: write secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} 
@@ -71,7 +71,7 @@ jobs: needs: [prepare] uses: ./.github/workflows/lint.yml secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} @@ -86,7 +86,7 @@ jobs: # compare statuses: write secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} @@ -98,7 +98,7 @@ jobs: needs: [prepare] uses: ./.github/workflows/build.yml secrets: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }} with: artifact-prefix: ${{ inputs.artifact-prefix }} baseBranch: ${{ needs.prepare.outputs.baseBranch }}