toph/ci-actions
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
49 commits 1 branch 0 tags 212 KiB
Commit graph

7 commits

Author SHA1 Message Date
Christopher Mühl
19468d38d8
refactor: migrate from S3 to Attic binary cache 
Replace low-level S3 operations with native Attic client for better
performance, simplicity, and proper Nix binary cache protocol support.

Changes:
- Replace 'nix copy' + S3 with 'attic push'
- Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements
- Add ATTIC_TOKEN requirement (explicit per-repo security)
- Default to 'ci' cache instead of 'toph'
- Update Nomad fetch task to pull from Attic instead of S3
- Simplify push-nix-cache to single attic push command
- Update documentation with new security model

Security:
- ATTIC_TOKEN must be explicitly provided as Forgejo secret
- Prevents untrusted repos from pushing to cache
- Separate ci/toph caches for different trust levels

Benefits:
- Simpler: Single command instead of sign + copy + sync
- Faster: Native Attic protocol vs S3 object storage
- Safer: Explicit opt-in prevents unauthorized cache writes
- Standards-compliant: Proper Nix binary cache protocol

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-27 21:19:09 +01:00
Christopher Mühl
ee3dfcb19a
feat: add NOMAD_TOKEN support and static-sites namespace 
Jobs now target the static-sites namespace (required by the CI ACL
policy) and docs include NOMAD_TOKEN in all workflow examples.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 00:18:34 +01:00
Christopher Mühl
01d6a3e779
Switch to S3 binary cache with isolated store paths 
- Build in isolated Nix container
- Push to S3 binary cache (no host /nix/store access)
- Pull specific store paths to alvin
- Mount only specific /nix/store/hash to /var/www (read-only)
- Generate signing keys for cache authentication
- Update documentation with binary cache setup

Security improvements:
- Build container has no access to host /nix/store
- Web server only mounts its specific store path
- Proper isolation at every layer

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-16 14:53:11 +01:00
Christopher Mühl
33c8946041
Add Nix-based deploy action for isolated builds 
- New deploy-nix-site action using Nix flakes
- Runs in nixos/nix:latest container for proper isolation
- Builds using flake.nix, uploads to S3, deploys to Nomad
- Update deploy-site action to install Nomad CLI
- Document both actions in README

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-16 14:39:25 +01:00
Christopher Mühl
82a08bf071
Update static-site hosting 2026-02-16 14:28:12 +01:00
Christopher Mühl
98d8a8190b
Add deployment setup 2026-02-16 14:20:18 +01:00
Christopher Mühl
0933cf2bf5
Initial commit: deploy-site action 2026-02-16 11:05:35 +01:00