diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index b7e02ef..41b3b0a 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -19,9 +19,25 @@ jobs:
       - run: nix develop -c prettier --check .
 
   DeterminateCI:
+    needs: DisabledCacheNixOSOrg
     uses: ./.github/workflows/workflow.yml
     permissions:
       id-token: write
       contents: read
     with:
       directory: ./tests/smoke
+
+  DisabledCacheNixOSOrg:
+    uses: ./.github/workflows/workflow.yml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      directory: ./tests/smoke
+      disable-cache-nixos-org: true
+      post-inventory-commands: |
+        if nix config show substituters | grep -q "cache.nixos.org"; then
+          echo "Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+          nix config show substituters
+          exit 1
+        fi
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e448815..c86f8e5 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -53,6 +53,20 @@ on:
         required: false
         type: string
         default: ""
+      disable-cache-nixos-org:
+        description: |
+          Whether to disable cache.nixos.org as a substituter
+        required: false
+        type: boolean
+        default: false
+      post-inventory-commands:
+        description: |
+          A command or set of commands to run at the end of the Inventory job.
+
+          For example, a linting step.
+        required: false
+        type: string
+        default: ""
   outputs:
     flake_name:
       value: ${{ jobs.success.outputs.flake_name }}
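Review bot: The check in `post-inventory-commands` cannot distinguish "cache.nixos.org is absent" from "the query failed": if `nix config show substituters` exits non-zero, `grep -q` sees empty input and the `if` simply falls through, so the job passes without having verified anything. The same shape is used by the `Configuration policy checks` step in workflow.yml, in both the inventory hunk (@@ -101) and the publish hunk (@@ -169), where the failing case is even printed as the ✅ message. Capturing the output first lets the step's `bash -e` abort on a failed query: `subs="$(nix config show substituters)"` followed by `if grep -q "cache.nixos.org" <<<"$subs"; then`. The added `needs: DisabledCacheNixOSOrg` also serialises the two smoke jobs; if that ordering is intentional (gate the default run on the policy run), a short comment on that line would save the next reader from dropping it to regain parallelism.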
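Review bot: The `disable-cache-nixos-org` description only says the cache is disabled; it does not tell callers that, when true, the workflow also runs a policy step that fails the job if cache.nixos.org is still listed by `nix config show substituters`. Suggest `Whether to disable cache.nixos.org as a substituter. When true, each job also fails if cache.nixos.org is still configured as a substituter.` so the failure mode is discoverable from the input itself. Likewise `post-inventory-commands` could state that the text is executed as a single `run:` step of the inventory job under the runner's default shell, since that determines what a caller can put there.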
@@ -101,7 +115,21 @@ jobs:
       # disabled pending strategy discussion on exposing tunables
       # - uses: Determinatesystems/flake-checker-action@main
       - uses: DeterminateSystems/determinate-nix-action@v3
+        with:
+          extra-conf: |
+            ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
       - uses: DeterminateSystems/flakehub-cache-action@main
+      - &policy_step
+        name: "Configuration policy checks"
+        if: ${{ inputs.disable-cache-nixos-org == true }}
+        run: |
+          if nix config show substituters | grep -q cache.nixos.org; then
+            echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+            nix config show substituters
+            exit 1
+          else
+            echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
+          fi
       - uses: webfactory/ssh-agent@v0.9.0
         if: ${{ inputs.enable-ssh-agent }}
         with:
@@ -114,6 +142,9 @@ jobs:
         working-directory: ${{ inputs.directory }}
         run: |
           nix run "$FLAKE_ITER_FLAKEREF" -- systems
+      - name: Post-inventory commands
+        if: ${{ inputs.post-inventory-commands != '' }}
+        run: ${{ inputs.post-inventory-commands }}
   build:
     runs-on: ${{ matrix.systems.runner }}
     needs: inventory
@@ -133,7 +164,9 @@ jobs:
           extra-conf: |
             extra-experimental-features = provenance
             ${{ inputs.extra-nix-conf }}
+            ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
       - uses: DeterminateSystems/flakehub-cache-action@main
+      - *policy_step
       - uses: webfactory/ssh-agent@v0.9.0
         if: ${{ inputs.enable-ssh-agent }}
         with:
@@ -147,7 +180,9 @@ jobs:
 
   success:
     runs-on: ubuntu-latest
-    needs: build
+    needs:
+      - inventory
+      - build
     if: ${{ always() }}
     permissions:
       id-token: write
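Review bot: The `&policy_step` anchor defined here is reused via `*policy_step` in the build hunk (@@ -133), but the publish hunk (@@ -169) pastes the same step body verbatim because its `if:` differs, so the check now exists as two copies in this file plus a third in validate.yml and they will drift. Anchor and alias support in workflow files is, as far as I know, a recent addition to GitHub's parser, so if this reusable workflow is expected to run on older GitHub Enterprise Server releases the alias would be rejected at parse time; worth confirming against the oldest supported target. Separately, the `extra-conf:` added to the inventory job's determinate-nix-action step carries only the `substituters =` line, whereas the build job's `extra-conf:` also passes `${{ inputs.extra-nix-conf }}`; if leaving a caller's extra configuration out of inventory (and publish) is deliberate, a one-line comment such as `# inventory intentionally ignores inputs.extra-nix-conf` would stop the next reader from "fixing" it. The inventory job's step list starts before this hunk.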
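Review bot: The new `Post-inventory commands` step has no `working-directory`, while the inventory step just above it runs with `working-directory: ${{ inputs.directory }}`, so a caller's linting command (the use case the input description gives) would execute from the checkout root rather than the flake directory whenever `directory` is not `.`. Either add `working-directory: ${{ inputs.directory }}` to the step or state in the input description that the commands run from the repository root. The inventory job begins before this hunk.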
@@ -169,9 +204,22 @@ jobs:
       - uses: actions/checkout@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
       - uses: DeterminateSystems/determinate-nix-action@v3
+        with:
+          extra-conf: |
+            ${{ (inputs.disable-cache-nixos-org == true) && 'substituters =' || '' }}
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
       - uses: DeterminateSystems/flakehub-cache-action@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
+      - name: "Configuration policy checks"
+        if: ${{ inputs.disable-cache-nixos-org == true && (!github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/'))) }}
+        run: |
+          if nix config show substituters | grep -q cache.nixos.org; then
+            echo "❌ Nix has cache.nixos.org enabled as a substituter, which is prohibited by configuration:"
+            nix config show substituters
+            exit 1
+          else
+            echo "✅ Nix does not have cache.nixos.org enabled as a substituter."
+          fi
       - uses: DeterminateSystems/flakehub-push@main
         if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
         id: publish
diff --git a/README.md b/README.md
index 04a2415..287a7cb 100644
--- a/README.md
+++ b/README.md
@@ -51,15 +51,17 @@ You'll see something like this when your workflow has run successfully:
 ## Configuration options
 
-| Parameter | Description | Default |
-| :----------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------- |
-| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | |
-| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` |
-| `enable-ssh-agent` | Whether to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
-| `directory` | The root directory of your flake. | `.` |
-| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
-| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-latest" }` |
-| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
+| Parameter | Description | Default |
+| :------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- |
+| `visibility` | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup]) | |
+| `default-branch` | The [default Git branch][default-branch] for the repository | `${{ github.event.repository.default_branch }}` |
+| `enable-ssh-agent` | Whether to enable 
[`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false` |
+| `directory` | The root directory of your flake. | `.` |
+| `fail-fast` | Whether to cancel all in-progress jobs if any matrix job fails | `true` |
+| `runner-map` | A custom mapping of [Nix system types][nix-system] to desired Actions runners | `{ "aarch64-darwin": "macos-latest", "x86_64-linux": "ubuntu-latest", "aarch64-linux": "ubuntu-24.04-arm" }` |
+| `extra-nix-conf` | Extra Nix configuration to pass to Determinate Nix | |
+| `post-inventory-commands` | Commands to run after the inventory step. For example, a linting command. | unset |
+| `disable-cache-nixos-org` | Do not substitute from cache.nixos.org. | `false` (use cache.nixos.org) |
 
 ## Example configurations