-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
workflows/periodic-merges: use nix-backport app's token when merging #372041
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be tested in @infinisil's test organization.
20835f7
to
7415599
Compare
…branches This will allow GitHub to run actions on those commits, specifically Eval action. Currently as these merges are commited by `github-actions`, Eval doesn't run on the commits. ie, https://github.com/NixOS/nixpkgs/actions/runs/12646467735/job/35237397411?pr=371701 failed due to NixOS@fa2d66f commit was done by github-actions. With this every periodic merge will be authored and commited by the nix-backports bot. We can reuse the bot here as they have similar perms (NixOS/org#38) Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
7415599
to
e89759d
Compare
- uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 | ||
id: app-token | ||
with: | ||
app-id: ${{ vars.BACKPORT_APP_ID }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks ok from a security perspective. We may want to add variable with a new name for BACKPORT_APP_ID
and BACKPORT_PRIVATE_KEY
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you are asking because of https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable ?
These (BACKPORT_APP_ID, BACKPORT_PRIVATE_KEY) are set by NixOS org admins I think? So I don't think we have to worry about untrusted inputs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I am not worried about security here. I think the name should just reflect where it's being used and this key is after this change no longer limited to just backport actions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. Let's set it to something generic and I will update the variable here.
Instead of nix-backports
, can we use nixpkgs-ci
?
I've opened NixOS/org#54 to rename the App to "Nixpkgs CI", which when implemented should give us variables It would be great to start a little docs section in perhaps |
I guess they could go to .github/workflows/README.md after #371216 is merged, since the "permissions" topic is touched there already. |
Done in #373935 |
This will allow GitHub to run actions on those commits, specifically Eval action. Currently as these merges are commited by
github-actions
, Eval doesn't run on the commits.ie, https://github.com/NixOS/nixpkgs/actions/runs/12646467735/job/35237397411?pr=371701 Processing failed due to fa2d66f commit was done by github-actions.
With this every periodic merge will be authored and commited by the nix-backports bot. We can reuse the bot here as it has the perms (NixOS/org#38) required here.