Fix binary cache secret key handling

Write NIX_SIGNING_KEY to temp file since --secret-key expects a path.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Christopher Mühl 2026-02-16 15:37:49 +01:00
parent 6d75ec10f6
commit a8e0e936fc


@ -60,12 +60,19 @@ runs:
export AWS_ACCESS_KEY_ID="${{ env.S3_ACCESS_KEY }}" export AWS_ACCESS_KEY_ID="${{ env.S3_ACCESS_KEY }}"
export AWS_SECRET_ACCESS_KEY="${{ env.S3_SECRET_KEY }}" export AWS_SECRET_ACCESS_KEY="${{ env.S3_SECRET_KEY }}"
# Write signing key to temporary file
echo "${{ env.NIX_SIGNING_KEY }}" > /tmp/nix-signing-key.pem
chmod 600 /tmp/nix-signing-key.pem
# Push entire closure (derivation + all dependencies) to cache # Push entire closure (derivation + all dependencies) to cache
nix copy \ nix copy \
--to "s3://nix-cache?endpoint=${{ inputs.s3-endpoint }}&scheme=https&secret-key=${{ env.NIX_SIGNING_KEY }}" \ --to "s3://nix-cache?endpoint=${{ inputs.s3-endpoint }}&scheme=https&secret-key=/tmp/nix-signing-key.pem" \
--derivation \ --derivation \
"$STORE_PATH" "$STORE_PATH"
# Clean up key file
rm -f /tmp/nix-signing-key.pem
echo "✅ Pushed to binary cache: $STORE_HASH (with all dependencies)" echo "✅ Pushed to binary cache: $STORE_HASH (with all dependencies)"
- name: Deploy via Nomad - name: Deploy via Nomad
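Review bot: The key file is created with a plain redirection at the fixed path `/tmp/nix-signing-key.pem`, and the `chmod 600` on the following line only tightens permissions after the file already exists under the runner's default umask, so on a shared runner the key is briefly readable by other accounts and any pre-existing file or symlink at that path is silently followed. The `rm -f` after `nix copy` is also only reached on success, so a failed copy leaves the key on disk for the rest of the job. I would create the file under `umask 077` via `mktemp`, remove it from an EXIT trap, and write the value with `printf` from the step environment rather than interpolating `${{ env.NIX_SIGNING_KEY }}` into the script text (this assumes the variable is exported to the step, which `env:` entries are; confirm for this composite action). The `secret-key=` parameter in the `--to` URL then references `$key_file`.
```shell
# Write signing key to a private temp file; the trap removes it on every exit path
umask 077
key_file=$(mktemp /tmp/nix-signing-key.XXXXXX)
trap 'rm -f -- "$key_file"' EXIT
printf '%s\n' "$NIX_SIGNING_KEY" > "$key_file"
# … unchanged: nix copy --derivation "$STORE_PATH", with secret-key=$key_file in the --to URL …
# … the trailing rm -f of the fixed path is dropped; the trap covers cleanup …
```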