Christopher Mühl
19468d38d8
Replace low-level S3 operations with native Attic client for better performance, simplicity, and proper Nix binary cache protocol support. Changes: - Replace 'nix copy' + S3 with 'attic push' - Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements - Add ATTIC_TOKEN requirement (explicit per-repo security) - Default to 'ci' cache instead of 'toph' - Update Nomad fetch task to pull from Attic instead of S3 - Simplify push-nix-cache to single attic push command - Update documentation with new security model Security: - ATTIC_TOKEN must be explicitly provided as Forgejo secret - Prevents untrusted repos from pushing to cache - Separate ci/toph caches for different trust levels Benefits: - Simpler: Single command instead of sign + copy + sync - Faster: Native Attic protocol vs S3 object storage - Safer: Explicit opt-in prevents unauthorized cache writes - Standards-compliant: Proper Nix binary cache protocol Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| action.yaml | ||