workflows/main: re-enable read-only cachix for untrusted builds #398
MattSturgeon wants to merge 1 commit into
This partially reverts commit 903898a.
| name: nixos-nixfmt | ||
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | ||
| authToken: ${{ github.event_name == 'push' && secrets.CACHIX_AUTH_TOKEN || '' }} | ||
| skipPush: ${{ github.event_name != 'push' }} |
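Review bot: the skipPush condition on the last line restates the gate already encoded in authToken on the line above, only negated, so the two can drift apart if one is edited later; either derive both from a single github.event_name == 'push' test or add a comment saying skipPush is set explicitly because an empty authToken alone is not being relied on to skip pushes. Separately, the "&& secrets.CACHIX_AUTH_TOKEN || ''" form also evaluates to '' when the secret is unset on a push event, so a missing secret silently degrades the step to read-only instead of failing; a comment stating that this is the intended behaviour would help future readers.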
The fact that this boolean expression is not exactly the opposite of the expression for authToken makes my brain itch.
Do we need this here because an empty authToken means something different than no auth token at all? My reading of the relevant code is that setting authToken to empty string will cause us to skip pushes (https://github.com/cachix/cachix-action/blob/5f2d7c5294214f71b873db4b969586b980625e71/src/main.ts#L113).
Or is this just here to be explicit? If so, that seems fine to me, but I'd consider making the expression the boolean opposite of the authToken one just to reduce this "brain itch" it's giving me.
> Or is this just here to be explicit?
Yes. An empty/missing authToken does mean we can't write to cachix. But I wasn't sure if not setting skipPush explicitly would fail to push instead of gracefully skipping the push.
This partially reverts 903898a from #393.
Cachix is configured on all runs, but the authToken is only configured on push events to avoid exposing it to untrusted PR code.
cc @mdaniels5757