removing the org wide cachix secrets #532
Comments
I deleted the CACHIX_SIGNING_KEY as it's the most critical one and hard to rotate once leaked. I thought I already deleted it. The only impacted project AFAIK is https://github.com/nix-community/hardware-mnt-reform. /cc @jollheef and @ehmry. For the other token, I propose to make an inventory of the affected repos, and notify the maintainers.
Not as many as I was expecting:
How reliable and easy to use is Hercules CI? Is it something you would recommend all the repos migrate to? If not, we still have the self-hosted GitHub runners route. For the Macs, having them set up as remote builders is probably the safest route. The sandboxing on macOS isn't really the best so I wouldn't trust putting the cachix token in there.
For standard use (e.g. building a flake when a branch is pushed to the repo) I'd say it's fine, I'd expect most repos can migrate without any problems. Currently it doesn't build PRs from forks so repos would need to use bors, gh merge queue or similar. A repo like home-manager that has a lot of third party contributors may be better off staying on actions with their own cachix so they don't need to deal with that. Repos that want to properly support darwin (e.g. home-manager) should probably stay on actions anyway, at least until we have a darwin builder. Hercules effects can also replace actions entirely for things like opening and merging flake update PRs or publishing gh pages, etc.
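One way to build the inventory proposed above: scan every checked-out repo's `.github/workflows/` for references to the org-wide secret name. This is an added example, not code from the thread or from nix-community; it assumes the repos are cloned side by side under one root directory, and the `repo-a`/`repo-b` workflow files it writes are constructed sample data.

```python
"""Inventory GitHub Actions workflows that reference an org-wide secret.

Added example; assumes repos are cloned as <root>/<repo>/ and that each
workflow lives under <repo>/.github/workflows/. Sample repos are constructed.
"""
import re
import tempfile
from pathlib import Path

# Org-wide and repo-level secrets are both consumed as `secrets.NAME` inside
# a ${{ ... }} expression, so the only way to see which repos depend on the
# org secret is to look for its name in every workflow file.
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def find_secret_refs(workflow_text: str) -> set[str]:
    """Return the set of secret names a workflow file references."""
    return set(SECRET_REF.findall(workflow_text))


def inventory(root: Path, secret_names: set[str]) -> dict[str, dict[str, set[str]]]:
    """Map repo -> workflow path -> matched secret names, for every workflow
    under <root>/<repo>/.github/workflows that uses one of secret_names."""
    hits: dict[str, dict[str, set[str]]] = {}
    for wf in sorted(root.glob("*/.github/workflows/*.y*ml")):
        rel = wf.relative_to(root)
        used = find_secret_refs(wf.read_text()) & secret_names
        if used:
            hits.setdefault(rel.parts[0], {})[str(rel)] = used
    return hits


def build_sample(root: Path) -> None:
    """Write two constructed workflows: one uses the org signing key, one does not."""
    samples = {
        "repo-a/.github/workflows/ci.yml":
            "jobs:\n  build:\n    steps:\n      - uses: cachix/cachix-action@v12\n"
            "        with:\n          name: nix-community\n"
            "          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'\n",
        "repo-b/.github/workflows/ci.yml":
            "jobs:\n  build:\n    steps:\n      - run: echo ok\n"
            "        env:\n          TOKEN: ${{secrets.GITHUB_TOKEN}}\n",
    }
    for rel, text in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo() -> dict[str, dict[str, set[str]]]:
    """Run the inventory over the constructed sample tree (hypothetical helper)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        return inventory(Path(d), {"CACHIX_SIGNING_KEY"})


if __name__ == "__main__":
    for repo, files in demo().items():
        print(repo, files)
```

Run it against a real checkout by replacing the temp directory with the root that holds the org's clones and passing every org-wide secret name you intend to remove.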
Maybe we should wait a bit longer before we move forward with this? If we had a darwin builder that would eliminate one of the current downsides and would also mean we can offer something github actions currently doesn't have: aarch64-darwin. It's an empty repo at the moment but this looks like it could be useful?
https://github.com/organizations/nix-community/settings/secrets/actions
I think we had all agreed these needed to be removed, how do we want to do it? 60 days notice seems reasonable to me?
Projects that want to use the nix-community cachix need to move to hercules or hydra, alternatively they can create their own separate cachix.
This will mean that there is no nix-community cache for darwin as we currently don't have a builder for that platform.