
removing the org wide cachix secrets #532

Open
zowoq opened this issue Apr 18, 2023 · 5 comments

Comments

@zowoq
Contributor

zowoq commented Apr 18, 2023

https://github.com/organizations/nix-community/settings/secrets/actions

  • CACHIX_AUTH_TOKEN
  • CACHIX_SIGNING_KEY

I think we had all agreed these needed to be removed, how do we want to do it? 60 days notice seems reasonable to me?

Projects that want to use the nix-community cachix need to move to hercules or hydra, alternatively they can create their own separate cachix.

This will mean that there is no nix-community cache for darwin as we currently don't have a builder for that platform.

@zimbatm
Member

zimbatm commented Apr 18, 2023

I deleted the CACHIX_SIGNING_KEY as it's the most critical one and hard to rotate once leaked. I thought I already deleted it. The only impacted project AFAIK is https://github.com/nix-community/hardware-mnt-reform. /cc @jollheef and @ehmry.

For the other token, I propose to make an inventory of the affected repos, and notify the maintainers.
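One way to build the inventory proposed above, written as an added example rather than code from this issue or from nix-community: scan each repository's workflow files for the expression `${{ secrets.CACHIX_AUTH_TOKEN }}`, and also flag `secrets: inherit` in jobs that call reusable workflows, since that forwards every secret the repository can see, org-wide ones included, without naming them. The repository names and workflow contents below are constructed for the example. Note that a reference scan is only a lower bound: an org-wide secret is available to every repository covered by its access policy whether or not a workflow currently uses it, so the org settings page remains the authoritative list of which repositories can reach it.

```python
"""Inventory GitHub Actions workflows that reference an org-wide secret.

Added example, not from the nix-community issue thread. It scans workflow
YAML text for `secrets.NAME` expressions and for `secrets: inherit`, which
forwards every available secret to a reusable workflow. All repository
names and workflow contents below are constructed sample data.
"""
import re

# Matches `secrets.NAME` inside `${{ ... }}` expressions (or anywhere else).
_DIRECT_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
# Matches a `secrets: inherit` line in a job that calls a reusable workflow.
_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


def find_secret_refs(workflow_text: str, secret_name: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for each line that exposes `secret_name`.

    kind is "direct" for an explicit `secrets.<name>` reference and "inherit"
    for `secrets: inherit`, which passes the secret on implicitly.
    """
    hits = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        # Exact-name match only: CACHIX_SIGNING_KEY must not count as a hit
        # when we are looking for CACHIX_AUTH_TOKEN.
        if any(name == secret_name for name in _DIRECT_RE.findall(line)):
            hits.append((lineno, "direct"))
        elif _INHERIT_RE.match(line):
            hits.append((lineno, "inherit"))
    return hits


def inventory(repos: dict[str, dict[str, str]], secret_name: str) -> dict[str, list[tuple[str, int, str]]]:
    """Map repo name -> [(workflow path, line, kind)], listing affected repos only."""
    affected = {}
    for repo, workflows in repos.items():
        found = []
        for path, text in workflows.items():
            for lineno, kind in find_secret_refs(text, secret_name):
                found.append((path, lineno, kind))
        if found:
            affected[repo] = found
    return affected


# Constructed sample: three repos, two of which expose the org-wide token.
SAMPLE_REPOS = {
    "example-uses-cachix": {
        ".github/workflows/build.yml": """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: cachix/install-nix-action@v20
      - uses: cachix/cachix-action@v12
        with:
          name: nix-community
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - run: nix build
""",
    },
    "example-reusable-caller": {
        ".github/workflows/ci.yml": """\
name: ci
on: [push]
jobs:
  call:
    uses: ./.github/workflows/shared.yml
    secrets: inherit
""",
    },
    "example-clean": {
        ".github/workflows/test.yml": """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo "uses a different secret, ${{ secrets.OTHER_TOKEN }}"
""",
    },
}

if __name__ == "__main__":
    for repo, hits in inventory(SAMPLE_REPOS, "CACHIX_AUTH_TOKEN").items():
        for path, lineno, kind in hits:
            print(f"{repo}: {path}:{lineno} ({kind})")
```

To run this against real repositories you would feed `inventory` the contents of each repo's `.github/workflows/*.yml` files (for example fetched with the `gh` CLI); the "inherit" hits are the ones most easily missed when notifying maintainers, because the token name never appears in the caller's file.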

@zowoq
Contributor Author

zowoq commented Apr 18, 2023

Not as many as I was expecting:

@zimbatm
Member

zimbatm commented Apr 19, 2023

How reliable and easy to use is Hercules CI? Is it something you would recommend all the repos migrate to? If not, we still have the self-hosted GitHub runners route.

For the macs, having them set up as remote builders is probably the safest route. The sandboxing on macOS isn't really the best so I wouldn't trust putting the cachix token in there.

@zowoq
Contributor Author

zowoq commented Apr 19, 2023

For standard use (e.g. building a flake when a branch is pushed to the repo) I'd say it's fine, I'd expect most repos can migrate without any problems.

Currently it doesn't build PRs from forks so repos would need to use bors, gh merge queue or similar. A repo like home-manager that has a lot of third party contributors may be better off staying on actions with their own cachix so they don't need to deal with that.

Repos that want to properly support darwin (e.g. home-manager) should probably stay on actions anyway, at least until we have a darwin builder.

Hercules effects can also replace actions entirely for things like opening and merging flake update PRs or publishing gh pages, etc.

@zowoq
Contributor Author

zowoq commented Apr 24, 2023

Maybe we should wait a bit longer before we move forward with this?

If we had a darwin builder that would eliminate one of the current downsides and would also mean we can offer something github actions currently doesn't have: aarch64-darwin.

It's an empty repo at the moment but this looks like it could be useful?

https://github.com/hercules-ci/miniherc
A GitHub Action that runs Hercules CI jobs. Good enough for some use cases.

2 participants