mirror of
https://github.com/DeterminateSystems/magic-nix-cache-action.git
synced 2025-01-10 14:12:03 +01:00
Merge pull request #52 from DeterminateSystems/untrusted
Behave well when MNCA isn't trusted
This commit is contained in:
commit
5555b8bb7b
5 changed files with 119 additions and 14 deletions
23
.github/workflows/ci.yml
vendored
23
.github/workflows/ci.yml
vendored
|
@ -44,6 +44,29 @@ jobs:
|
|||
- name: Cache the store
|
||||
uses: ./
|
||||
|
||||
run-x86_64-linux-untrusted:
|
||||
name: Run x86_64 Linux, Untrusted
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
id-token: "write"
|
||||
contents: "read"
|
||||
env:
|
||||
ACTIONS_STEP_DEBUG: true
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
flakehub: true
|
||||
extra-conf: |
|
||||
narinfo-cache-negative-ttl = 0
|
||||
trusted-users = root
|
||||
- name: Cache the store
|
||||
uses: ./
|
||||
- name: Check the cache isn't enabled
|
||||
run: |
|
||||
[ $(nix config show substituters) == "https://cache.nixos.org/" ]
|
||||
|
||||
run-x86_64-linux:
|
||||
name: Run x86_64 Linux
|
||||
runs-on: ubuntu-22.04
|
||||
|
|
72
dist/index.js
generated
vendored
72
dist/index.js
generated
vendored
|
@ -93752,7 +93752,7 @@ const got = source_create(defaults);
|
|||
const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
|
||||
;// CONCATENATED MODULE: external "node:zlib"
|
||||
const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
|
||||
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@2391ba1ef3d22027cd4d9ecce147007a88f63643_is35d24tynybsms6zejuqsabhi/node_modules/detsys-ts/dist/index.js
|
||||
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@93a5166cd57eefcd448ea79923c11eb4b56d4563_rgjnyo4jd3kdijkrub73izga24/node_modules/detsys-ts/dist/index.js
|
||||
var __defProp = Object.defineProperty;
|
||||
var __export = (target, all) => {
|
||||
for (var name in all)
|
||||
|
@ -94204,6 +94204,7 @@ function constructSourceParameters(legacyPrefix) {
|
|||
|
||||
|
||||
|
||||
|
||||
var DEFAULT_IDS_HOST = "https://install.determinate.systems";
|
||||
var IDS_HOST = process.env["IDS_HOST"] ?? DEFAULT_IDS_HOST;
|
||||
var EVENT_EXCEPTION = "exception";
|
||||
|
@ -94214,12 +94215,17 @@ var FACT_ENDED_WITH_EXCEPTION = "ended_with_exception";
|
|||
var FACT_FINAL_EXCEPTION = "final_exception";
|
||||
var FACT_SOURCE_URL = "source_url";
|
||||
var FACT_SOURCE_URL_ETAG = "source_url_etag";
|
||||
var FACT_NIX_STORE_TRUST = "nix_store_trusted";
|
||||
var FACT_NIX_STORE_VERSION = "nix_store_version";
|
||||
var FACT_NIX_STORE_CHECK_METHOD = "nix_store_check_method";
|
||||
var FACT_NIX_STORE_CHECK_ERROR = "nix_store_check_error";
|
||||
var IdsToolbox = class {
|
||||
constructor(actionOptions) {
|
||||
this.actionOptions = makeOptionsConfident(actionOptions);
|
||||
this.hookMain = void 0;
|
||||
this.hookPost = void 0;
|
||||
this.exceptionAttachments = /* @__PURE__ */ new Map();
|
||||
this.nixStoreTrust = "unknown";
|
||||
this.events = [];
|
||||
this.client = got_dist_source.extend({
|
||||
retry: {
|
||||
|
@ -94332,6 +94338,9 @@ var IdsToolbox = class {
|
|||
if (!await this.preflightRequireNix()) {
|
||||
this.recordEvent("preflight-require-nix-denied");
|
||||
return;
|
||||
} else {
|
||||
await this.preflightNixStoreInfo();
|
||||
this.addFact(FACT_NIX_STORE_TRUST, this.nixStoreTrust);
|
||||
}
|
||||
if (this.executionPhase === "main" && this.hookMain) {
|
||||
await this.hookMain();
|
||||
|
@ -94537,6 +94546,7 @@ var IdsToolbox = class {
|
|||
await promises_namespaceObject.access(candidateNix, promises_namespaceObject.constants.X_OK);
|
||||
core.debug(`Found Nix at ${candidateNix}`);
|
||||
nixLocation = candidateNix;
|
||||
break;
|
||||
} catch {
|
||||
core.debug(`Nix not at ${candidateNix}`);
|
||||
}
|
||||
|
@ -94569,6 +94579,46 @@ var IdsToolbox = class {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
async preflightNixStoreInfo() {
|
||||
let output = "";
|
||||
const options = {};
|
||||
options.silent = true;
|
||||
options.listeners = {
|
||||
stdout: (data) => {
|
||||
output += data.toString();
|
||||
}
|
||||
};
|
||||
try {
|
||||
output = "";
|
||||
await exec.exec("nix", ["store", "info", "--json"], options);
|
||||
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "info");
|
||||
} catch {
|
||||
try {
|
||||
output = "";
|
||||
await exec.exec("nix", ["store", "ping", "--json"], options);
|
||||
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "ping");
|
||||
} catch {
|
||||
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "none");
|
||||
return;
|
||||
}
|
||||
}
|
||||
try {
|
||||
const parsed = JSON.parse(output);
|
||||
if (parsed.trusted === 1) {
|
||||
this.nixStoreTrust = "trusted";
|
||||
} else if (parsed.trusted === 0) {
|
||||
this.nixStoreTrust = "untrusted";
|
||||
} else if (parsed.trusted !== void 0) {
|
||||
this.addFact(
|
||||
FACT_NIX_STORE_CHECK_ERROR,
|
||||
`Mysterious trusted value: ${JSON.stringify(parsed.trusted)}`
|
||||
);
|
||||
}
|
||||
this.addFact(FACT_NIX_STORE_VERSION, JSON.stringify(parsed.version));
|
||||
} catch (e) {
|
||||
this.addFact(FACT_NIX_STORE_CHECK_ERROR, this.stringifyError(e));
|
||||
}
|
||||
}
|
||||
async submitEvents() {
|
||||
if (!this.actionOptions.diagnosticsUrl) {
|
||||
core.debug(
|
||||
|
@ -94749,7 +94799,9 @@ var ENV_DAEMON_DIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
|||
var STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
||||
var STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
||||
var STARTED_HINT = "true";
|
||||
var NOOP_TEXT = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
||||
var TEXT_NOOP = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
||||
var TEXT_TRUST_UNTRUSTED = "The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
|
||||
var TEXT_TRUST_UNKNOWN = "The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
|
||||
var MagicNixCacheAction = class {
|
||||
constructor() {
|
||||
this.idslib = new IdsToolbox({
|
||||
|
@ -94987,17 +95039,29 @@ function main() {
|
|||
const cacheAction = new MagicNixCacheAction();
|
||||
cacheAction.idslib.onMain(async () => {
|
||||
if (cacheAction.noopMode) {
|
||||
core.warning(NOOP_TEXT);
|
||||
core.warning(TEXT_NOOP);
|
||||
return;
|
||||
}
|
||||
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||
core.warning(TEXT_TRUST_UNTRUSTED);
|
||||
return;
|
||||
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||
core.info(TEXT_TRUST_UNKNOWN);
|
||||
}
|
||||
await cacheAction.setUpAutoCache();
|
||||
await cacheAction.notifyAutoCache();
|
||||
});
|
||||
cacheAction.idslib.onPost(async () => {
|
||||
if (cacheAction.noopMode) {
|
||||
core.debug(NOOP_TEXT);
|
||||
core.debug(TEXT_NOOP);
|
||||
return;
|
||||
}
|
||||
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||
core.debug(TEXT_TRUST_UNTRUSTED);
|
||||
return;
|
||||
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||
core.debug(TEXT_TRUST_UNKNOWN);
|
||||
}
|
||||
await cacheAction.tearDownAutoCache();
|
||||
});
|
||||
cacheAction.idslib.execute();
|
||||
|
|
2
dist/index.js.map
generated
vendored
2
dist/index.js.map
generated
vendored
File diff suppressed because one or more lines are too long
|
@ -13,7 +13,7 @@ dependencies:
|
|||
version: 1.1.1
|
||||
detsys-ts:
|
||||
specifier: github:DeterminateSystems/detsys-ts
|
||||
version: github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643
|
||||
version: github.com/DeterminateSystems/detsys-ts/93a5166cd57eefcd448ea79923c11eb4b56d4563
|
||||
got:
|
||||
specifier: ^14.2.1
|
||||
version: 14.2.1
|
||||
|
@ -1275,7 +1275,7 @@ packages:
|
|||
hasBin: true
|
||||
dependencies:
|
||||
caniuse-lite: 1.0.30001617
|
||||
electron-to-chromium: 1.4.761
|
||||
electron-to-chromium: 1.4.763
|
||||
node-releases: 2.0.14
|
||||
update-browserslist-db: 1.0.15(browserslist@4.23.0)
|
||||
dev: true
|
||||
|
@ -1533,8 +1533,8 @@ packages:
|
|||
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
|
||||
dev: true
|
||||
|
||||
/electron-to-chromium@1.4.761:
|
||||
resolution: {integrity: sha512-PIbxpiJGx6Bb8dQaonNc6CGTRlVntdLg/2nMa1YhnrwYOORY9a3ZgGN0UQYE6lAcj/lkyduJN7BPt/JiY+jAQQ==}
|
||||
/electron-to-chromium@1.4.763:
|
||||
resolution: {integrity: sha512-k4J8NrtJ9QrvHLRo8Q18OncqBCB7tIUyqxRcJnlonQ0ioHKYB988GcDFF3ZePmnb8eHEopDs/wPHR/iGAFgoUQ==}
|
||||
dev: true
|
||||
|
||||
/emoji-regex@8.0.0:
|
||||
|
@ -3818,8 +3818,8 @@ packages:
|
|||
engines: {node: '>=10'}
|
||||
dev: true
|
||||
|
||||
github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643:
|
||||
resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/2391ba1ef3d22027cd4d9ecce147007a88f63643}
|
||||
github.com/DeterminateSystems/detsys-ts/93a5166cd57eefcd448ea79923c11eb4b56d4563:
|
||||
resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/93a5166cd57eefcd448ea79923c11eb4b56d4563}
|
||||
name: detsys-ts
|
||||
version: 1.0.0
|
||||
dependencies:
|
||||
|
|
24
src/index.ts
24
src/index.ts
|
@ -19,8 +19,12 @@ const STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
|||
const STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
||||
const STARTED_HINT = "true";
|
||||
|
||||
const NOOP_TEXT =
|
||||
const TEXT_NOOP =
|
||||
"Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
||||
const TEXT_TRUST_UNTRUSTED =
|
||||
"The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
|
||||
const TEXT_TRUST_UNKNOWN =
|
||||
"The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
|
||||
|
||||
class MagicNixCacheAction {
|
||||
idslib: IdsToolbox;
|
||||
|
@ -322,19 +326,33 @@ function main(): void {
|
|||
|
||||
cacheAction.idslib.onMain(async () => {
|
||||
if (cacheAction.noopMode) {
|
||||
actionsCore.warning(NOOP_TEXT);
|
||||
actionsCore.warning(TEXT_NOOP);
|
||||
return;
|
||||
}
|
||||
|
||||
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||
actionsCore.warning(TEXT_TRUST_UNTRUSTED);
|
||||
return;
|
||||
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||
actionsCore.info(TEXT_TRUST_UNKNOWN);
|
||||
}
|
||||
|
||||
await cacheAction.setUpAutoCache();
|
||||
await cacheAction.notifyAutoCache();
|
||||
});
|
||||
cacheAction.idslib.onPost(async () => {
|
||||
if (cacheAction.noopMode) {
|
||||
actionsCore.debug(NOOP_TEXT);
|
||||
actionsCore.debug(TEXT_NOOP);
|
||||
return;
|
||||
}
|
||||
|
||||
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||
actionsCore.debug(TEXT_TRUST_UNTRUSTED);
|
||||
return;
|
||||
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||
actionsCore.debug(TEXT_TRUST_UNKNOWN);
|
||||
}
|
||||
|
||||
await cacheAction.tearDownAutoCache();
|
||||
});
|
||||
|
||||
|
|
Loading…
Reference in a new issue