ci-actions/push-nix-cache/action.yaml
Christopher Mühl 19468d38d8
refactor: migrate from S3 to Attic binary cache
Replace low-level S3 operations with native Attic client for better
performance, simplicity, and proper Nix binary cache protocol support.

Changes:
- Replace 'nix copy' + S3 with 'attic push'
- Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements
- Add ATTIC_TOKEN requirement (explicit per-repo security)
- Default to 'ci' cache instead of 'toph'
- Update Nomad fetch task to pull from Attic instead of S3
- Simplify push-nix-cache to single attic push command
- Update documentation with new security model

Security:
- ATTIC_TOKEN must be explicitly provided as Forgejo secret
- Prevents untrusted repos from pushing to cache
- Separate ci/toph caches for different trust levels

Benefits:
- Simpler: Single command instead of sign + copy + sync
- Faster: Native Attic protocol vs S3 object storage
- Safer: Explicit opt-in prevents unauthorized cache writes
- Standards-compliant: Proper Nix binary cache protocol

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-27 21:19:09 +01:00


name: Push Nix Cache
description: Push a Nix store path to the Attic binary cache
# Required env var: ATTIC_TOKEN
inputs:
  store-path:
    description: 'Path to the Nix store symlink or derivation to push (e.g. ./result)'
    required: true
  cache-name:
    description: 'Attic cache name'
    required: false
    default: 'ci'
  attic-endpoint:
    description: 'Attic server endpoint'
    required: false
    default: 'https://cache.toph.so'
runs:
  using: composite
  steps:
    - name: Push to Attic cache
      shell: bash
      env:
        ATTIC_TOKEN: ${{ env.ATTIC_TOKEN }}
      run: |
        # Configure the attic client with an explicit token (not relying on a mounted config).
        # The config file written here holds the token, so it is regenerated on every run.
        mkdir -p ~/.config/attic
        cat > ~/.config/attic/config.toml <<EOF
        [servers.cache]
        endpoint = "${{ inputs.attic-endpoint }}"
        token = "${ATTIC_TOKEN}"
        EOF
        # attic push signs and uploads the entire closure of the given store path
        attic push "${{ inputs.cache-name }}" "${{ inputs.store-path }}"
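The action above writes the attic client config from `ATTIC_TOKEN` and then pushes. The following added example (not the repository's action code) isolates that config-writing step into a shell function so it can be exercised on its own, and goes slightly beyond the action: it refuses to write a config when the token is empty, which is the failure mode the "ATTIC_TOKEN must be explicitly provided" rule is about, and it creates the file with mode 0600 since the file holds a credential. The function names `write_attic_config` and `check_attic_config`, the config directory argument, and the endpoint and token values used in the usage note are assumptions for this example; the `attic push` call itself is left out so the script runs without the attic client installed.

```shell
#!/usr/bin/env bash
# Added example: mirror the action's config step with an explicit token check
# and a private config file. Not the repository's code; names are assumptions.

# write_attic_config ENDPOINT TOKEN CONFIG_DIR
# Writes CONFIG_DIR/config.toml in the same [servers.cache] shape the action
# uses. Returns 1 without touching the filesystem if TOKEN is empty.
write_attic_config() {
  local endpoint="$1" token="$2" dir="$3"

  if [ -z "$token" ]; then
    echo "ATTIC_TOKEN is not set; refusing to write attic config" >&2
    return 1
  fi

  # Subshell so the restrictive umask does not leak into the caller.
  # umask 077 gives the directory 0700 and the file 0600.
  (
    umask 077
    mkdir -p "$dir" || exit 1
    cat > "$dir/config.toml" <<EOF
[servers.cache]
endpoint = "$endpoint"
token = "$token"
EOF
  )
}

# check_attic_config CONFIG_DIR ENDPOINT
# Returns 0 if config.toml exists, names ENDPOINT exactly, and is mode 0600.
check_attic_config() {
  local dir="$1" endpoint="$2" f mode
  f="$dir/config.toml"
  [ -f "$f" ] || return 1
  grep -qxF "endpoint = \"$endpoint\"" "$f" || return 1
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ]
}
```

In a CI step this would be called as `write_attic_config "$ATTIC_ENDPOINT" "$ATTIC_TOKEN" ~/.config/attic || exit 1` before `attic push`, so a missing secret fails the job with a clear message instead of an authentication error from the cache server.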