Github action to use an Attic binary cache https://cachix.org
Domen Kožar 09c0620ab0
Merge pull request #49 from fiadliel/add-extra-pull-cachixes
Add extra caches for pulls/substitutions
2020-06-23 11:51:24 +02:00

cachix-action

Build software only once using Nix with the help of Cachix.

This action will configure Cachix and invoke nix-build.

Why do I need this

Because you'd like for your CI to be fast. Let me explain.

Directory-based caching on a typical CI doesn't work well for Nix.

/nix/store is a global storage of everything Nix operates on. These are your sources, patches, tarballs, packages, configuration.

A directory-based cache requires downloading a whole store, including the irrelevant parts. cachix-action will only fetch what's needed by configuring a Nix binary cache.

When the build is done, cachix-action only has to upload the new store paths, rather than syncing the whole store.

Purging paths from a directory-based cache is not feasible because it'd have to be aware of all branches and their respective contents somehow.

Usage

1. Log in to Cachix and create a new cache.

   1. Follow getting started to create your signing key.
   2. Back up the signing key in the process.

2. As an admin of your GitHub repository:

   1. Click on Settings.
   2. Click on Secrets ([If missing, you need to sign up first for actions beta](https://github.com/features/actions)).
   3. Add your signing key value under the name `CACHIX_SIGNING_KEY`.

3. Create .github/workflows/test.yml in your repo with the following contents:

name: "Test"
on:
  pull_request:
  push:
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v9
    - uses: cachix/cachix-action@v6
      with:
        name: mycache
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
        # Only needed for private caches
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: nix-build

See action.yml for all options.

Security

Cachix auth token and signing key need special care as they give read and write access to your caches.

As per GitHub Actions' security model:

Anyone with write access to a repository can create, read, and use secrets.

This means that all developers with push access can read your secrets and write to your cache. Furthermore, malicious code submitted via a pull request can, once merged into master, reveal the tokens.
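
One way to narrow where the signing key is used, as an added example that is not part of the cachix-action repository: pull request builds only substitute from the cache, and only the job for pushes to master receives the key. It assumes a public cache named mycache and that the action, when given no signingKey, configures the cache for pulling without uploading.

```yaml
# Added example, not the project's own workflow.
# Assumptions: "mycache" is a public cache; omitting signingKey makes
# the action set up substitution only, with no upload.
name: "Test"
on:
  pull_request:
  push:
    branches: [master]
jobs:
  # Pull requests: no secret is referenced anywhere in this job, so the
  # build steps have no signing key in their environment to leak.
  pr-build:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v9
    - uses: cachix/cachix-action@v6
      with:
        name: mycache
    - run: nix-build

  # Pushes to master (merged code): the only job that is handed the
  # signing key, and therefore the only one able to write to the cache.
  master-build:
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v9
    - uses: cachix/cachix-action@v6
      with:
        name: mycache
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
    - run: nix-build
```

This limits exposure in the workflow as committed; a collaborator with write access can still edit the workflow on their own branch, so the key remains readable to them, as the GitHub statement quoted above says.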

Hacking

Install the dependencies

$ yarn install

Build the TypeScript

$ yarn build

Run the tests ✔️

$ yarn test