Commit graph

3 commits

Author SHA1 Message Date
19468d38d8
refactor: migrate from S3 to Attic binary cache
Replace low-level S3 operations with native Attic client for better
performance, simplicity, and proper Nix binary cache protocol support.

Changes:
- Replace 'nix copy' + S3 with 'attic push'
- Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements
- Add ATTIC_TOKEN requirement (explicit per-repo security)
- Default to 'ci' cache instead of 'toph'
- Update Nomad fetch task to pull from Attic instead of S3
- Simplify push-nix-cache to single attic push command
- Update documentation with new security model

Security:
- ATTIC_TOKEN must be explicitly provided as Forgejo secret
- Prevents untrusted repos from pushing to cache
- Separate ci/toph caches for different trust levels

Benefits:
- Simpler: Single command instead of sign + copy + sync
- Faster: Native Attic protocol vs S3 object storage
- Safer: Explicit opt-in prevents unauthorized cache writes
- Standards-compliant: Proper Nix binary cache protocol

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-27 21:19:09 +01:00

b7ba4c1c0a
fix(deploy-static-site): inject NOMAD_ADDR via runner, use shared nomad/jobs var
Remove hardcoded nomad-addr input — NOMAD_ADDR is now injected by the
Forgejo runner via container.options using host.docker.internal.

Switch Nomad Variable path from static-sites/s3 to nomad/jobs so all
jobs in the namespace can read it without explicit ACL policies.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-19 01:15:08 +01:00

4af132296e
refactor: replace generate-job.py with nomad-job.nix, add flake-output input
Use nix eval --raw --impure + builtins.getEnv instead of Python for
Nomad job JSON generation. Add flake-output input (default: default)
so projects can build non-default outputs like docs.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 13:16:08 +01:00