- Build in isolated Nix container
- Push to S3 binary cache (no host /nix/store access)
- Pull specific store paths to alvin
- Mount only specific /nix/store/hash to /var/www (read-only)
- Generate signing keys for cache authentication
- Update documentation with binary cache setup

Security improvements:
- Build container has no access to host /nix/store
- Web server only mounts its specific store path
- Proper isolation at every layer

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>