From c2cb4e916be5de480b0175f7117588482432e059 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther
Date: Mon, 10 Nov 2025 14:14:53 +0100
Subject: [PATCH] workflows/build: run trusted nix-build-uncached

This was previously run from the untrusted checkout, which would allow extracting the cachix secret easily.
---
 .github/workflows/build.yml | 6 +++++-
 .github/workflows/pull-request-target.yml | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 701ac0b80b92..0e416dc2b64a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
 mergedSha:
 required: true
 type: string
+ targetSha:
+ required: true
+ type: string
 secrets:
 CACHIX_AUTH_TOKEN:
 required: true
@@ -55,6 +58,7 @@ jobs:
 uses: ./.github/actions/checkout
 with:
 merged-as-untrusted-at: ${{ inputs.mergedSha }}
+ target-as-trusted-at: ${{ inputs.targetSha }}
 
 - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7 # v31
 with:
@@ -69,7 +73,7 @@ jobs:
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 pushFilter: '(-source$|-nixpkgs-tarball-)'
 
- - run: nix-env --install -f nixpkgs/untrusted-pinned -A nix-build-uncached
+ - run: nix-env --install -f nixpkgs/trusted-pinned -A nix-build-uncached
 
 - name: Build shell
 if: contains(matrix.builds, 'shell')
diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml
index f74ce93de354..2ae4d47925a9 100644
--- a/.github/workflows/pull-request-target.yml
+++ b/.github/workflows/pull-request-target.yml
@@ -119,6 +119,7 @@ jobs:
 artifact-prefix: ${{ inputs.artifact-prefix }}
 baseBranch: ${{ needs.prepare.outputs.baseBranch }}
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
+ targetSha: ${{ needs.prepare.outputs.targetSha }}
 
 # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
 # It "needs" all the jobs that should block merging a PR.
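Review bot: The new `targetSha` input is declared without any comment, so the workflow now takes two commit SHAs whose trust levels differ with nothing on the input itself saying which is which; a short comment above `targetSha:` would keep that distinction from eroding, e.g. `# Commit the trusted checkout is pinned to; tooling that runs next to CACHIX_AUTH_TOKEN is installed from it, never from mergedSha.` That targetSha is the base-branch commit is only inferred from the names in this patch and from the pull-request-target hunk, so confirm before wording the comment that way. The `workflow_call` inputs block this hunk belongs to starts before the hunk.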
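Review bot: The `run:` step now installs nix-build-uncached from `nixpkgs/trusted-pinned`, but nothing in the file records why, so a later cleanup could switch it back to the untrusted path without noticing the security reason; add `# Must be installed from the trusted checkout: this step runs in the same job where CACHIX_AUTH_TOKEN has been configured.` above the step. The cachix token is still configured in this job (the `authToken:` context line two lines above), and the later build steps presumably still evaluate the untrusted tree, so after this change the remaining boundary around the secret is Nix's evaluation and build isolation rather than the checkout; that matches the commit's stated intent, but saying so in the comment stops the next reader from assuming untrusted code is now entirely out of reach of the token. The job body continues outside the hunk.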
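Review bot: `targetSha: ${{ needs.prepare.outputs.targetSha }}` relies on the `prepare` job exposing an output with that exact name, which lies outside this hunk and is not touched by the patch; if the output is absent the expression evaluates to an empty string, and I believe that satisfies the `required: true` input in build.yml rather than failing the call, leaving the trusted checkout with no commit to pin to. Confirm that `prepare` sets `outputs.targetSha`, or add it in this patch so the two files land together. The `with:` block this line belongs to starts before the hunk.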