Behave well when MNCA isn't trusted

This commit is contained in:
Graham Christensen 2024-05-10 16:12:34 -04:00
parent 87e8236f46
commit b57e263ed1
6 changed files with 121 additions and 16 deletions

View file

@ -44,6 +44,29 @@ jobs:
- name: Cache the store - name: Cache the store
uses: ./ uses: ./
run-x86_64-linux-untrusted:
name: Run x86_64 Linux
runs-on: ubuntu-22.04
permissions:
id-token: "write"
contents: "read"
env:
ACTIONS_STEP_DEBUG: true
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
trust-runner-user: false
flakehub: true
extra-conf: |
narinfo-cache-negative-ttl = 0
- name: Cache the store
uses: ./
- name: Check the cache for liveness
run: |
.github/workflows/cache-test.sh
run-x86_64-linux: run-x86_64-linux:
name: Run x86_64 Linux name: Run x86_64 Linux
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04

72
dist/index.js generated vendored
View file

@ -93752,7 +93752,7 @@ const got = source_create(defaults);
const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises"); const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
;// CONCATENATED MODULE: external "node:zlib" ;// CONCATENATED MODULE: external "node:zlib"
const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib"); const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@2391ba1ef3d22027cd4d9ecce147007a88f63643_is35d24tynybsms6zejuqsabhi/node_modules/detsys-ts/dist/index.js ;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@c1c2371f083f911beb01d75e4d194df0e8cd4416_laqtfm6jblzcvupdk4zopxnh6q/node_modules/detsys-ts/dist/index.js
var __defProp = Object.defineProperty; var __defProp = Object.defineProperty;
var __export = (target, all) => { var __export = (target, all) => {
for (var name in all) for (var name in all)
@ -94204,6 +94204,7 @@ function constructSourceParameters(legacyPrefix) {
var DEFAULT_IDS_HOST = "https://install.determinate.systems"; var DEFAULT_IDS_HOST = "https://install.determinate.systems";
var IDS_HOST = process.env["IDS_HOST"] ?? DEFAULT_IDS_HOST; var IDS_HOST = process.env["IDS_HOST"] ?? DEFAULT_IDS_HOST;
var EVENT_EXCEPTION = "exception"; var EVENT_EXCEPTION = "exception";
@ -94214,12 +94215,17 @@ var FACT_ENDED_WITH_EXCEPTION = "ended_with_exception";
var FACT_FINAL_EXCEPTION = "final_exception"; var FACT_FINAL_EXCEPTION = "final_exception";
var FACT_SOURCE_URL = "source_url"; var FACT_SOURCE_URL = "source_url";
var FACT_SOURCE_URL_ETAG = "source_url_etag"; var FACT_SOURCE_URL_ETAG = "source_url_etag";
var FACT_NIX_STORE_TRUST = "nix_store_trusted";
var FACT_NIX_STORE_VERSION = "nix_store_version";
var FACT_NIX_STORE_CHECK_METHOD = "nix_store_check_method";
var FACT_NIX_STORE_CHECK_ERROR = "nix_store_check_error";
var IdsToolbox = class { var IdsToolbox = class {
constructor(actionOptions) { constructor(actionOptions) {
this.actionOptions = makeOptionsConfident(actionOptions); this.actionOptions = makeOptionsConfident(actionOptions);
this.hookMain = void 0; this.hookMain = void 0;
this.hookPost = void 0; this.hookPost = void 0;
this.exceptionAttachments = /* @__PURE__ */ new Map(); this.exceptionAttachments = /* @__PURE__ */ new Map();
this.nixStoreTrust = "unknown";
this.events = []; this.events = [];
this.client = got_dist_source.extend({ this.client = got_dist_source.extend({
retry: { retry: {
@ -94332,6 +94338,9 @@ var IdsToolbox = class {
if (!await this.preflightRequireNix()) { if (!await this.preflightRequireNix()) {
this.recordEvent("preflight-require-nix-denied"); this.recordEvent("preflight-require-nix-denied");
return; return;
} else {
await this.preflightNixStoreInfo();
this.addFact(FACT_NIX_STORE_TRUST, this.nixStoreTrust);
} }
if (this.executionPhase === "main" && this.hookMain) { if (this.executionPhase === "main" && this.hookMain) {
await this.hookMain(); await this.hookMain();
@ -94537,6 +94546,7 @@ var IdsToolbox = class {
await promises_namespaceObject.access(candidateNix, promises_namespaceObject.constants.X_OK); await promises_namespaceObject.access(candidateNix, promises_namespaceObject.constants.X_OK);
core.debug(`Found Nix at ${candidateNix}`); core.debug(`Found Nix at ${candidateNix}`);
nixLocation = candidateNix; nixLocation = candidateNix;
break;
} catch { } catch {
core.debug(`Nix not at ${candidateNix}`); core.debug(`Nix not at ${candidateNix}`);
} }
@ -94569,6 +94579,46 @@ var IdsToolbox = class {
} }
return false; return false;
} }
async preflightNixStoreInfo() {
this.nixStoreTrust = "unknown";
let output = "";
const options = {};
options.listeners = {
stdout: (data) => {
output += data.toString();
}
};
try {
output = "";
await exec.exec("nix", ["store", "info", "--json"], options);
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "info");
} catch {
try {
output = "";
await exec.exec("nix", ["store", "ping", "--json"], options);
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "ping");
} catch {
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "none");
return;
}
}
try {
const parsed = JSON.parse(output);
if (parsed.trusted === 1) {
this.nixStoreTrust = "trusted";
} else if (parsed.trusted === 0) {
this.nixStoreTrust = "untrusted";
} else if (parsed.trusted !== void 0) {
this.addFact(
FACT_NIX_STORE_CHECK_ERROR,
`Mysterious trusted value: ${JSON.stringify(parsed.trusted)}`
);
}
this.addFact(FACT_NIX_STORE_VERSION, JSON.stringify(parsed.version));
} catch (e) {
this.addFact(FACT_NIX_STORE_CHECK_ERROR, this.stringifyError(e));
}
}
async submitEvents() { async submitEvents() {
if (!this.actionOptions.diagnosticsUrl) { if (!this.actionOptions.diagnosticsUrl) {
core.debug( core.debug(
@ -94749,7 +94799,9 @@ var ENV_DAEMON_DIR = "MAGIC_NIX_CACHE_DAEMONDIR";
var STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR"; var STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
var STATE_STARTED = "MAGIC_NIX_CACHE_STARTED"; var STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
var STARTED_HINT = "true"; var STARTED_HINT = "true";
var NOOP_TEXT = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?"; var TEXT_NOOP = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
var TEXT_TRUST_UNTRUSTED = "The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
var TEXT_TRUST_UNKNOWN = "The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
var MagicNixCacheAction = class { var MagicNixCacheAction = class {
constructor() { constructor() {
this.idslib = new IdsToolbox({ this.idslib = new IdsToolbox({
@ -94987,17 +95039,29 @@ function main() {
const cacheAction = new MagicNixCacheAction(); const cacheAction = new MagicNixCacheAction();
cacheAction.idslib.onMain(async () => { cacheAction.idslib.onMain(async () => {
if (cacheAction.noopMode) { if (cacheAction.noopMode) {
core.warning(NOOP_TEXT); core.warning(TEXT_NOOP);
return; return;
} }
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
core.warning(TEXT_TRUST_UNTRUSTED);
return;
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
core.info(TEXT_TRUST_UNKNOWN);
}
await cacheAction.setUpAutoCache(); await cacheAction.setUpAutoCache();
await cacheAction.notifyAutoCache(); await cacheAction.notifyAutoCache();
}); });
cacheAction.idslib.onPost(async () => { cacheAction.idslib.onPost(async () => {
if (cacheAction.noopMode) { if (cacheAction.noopMode) {
core.debug(NOOP_TEXT); core.debug(TEXT_NOOP);
return; return;
} }
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
core.debug(TEXT_TRUST_UNTRUSTED);
return;
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
core.debug(TEXT_TRUST_UNKNOWN);
}
await cacheAction.tearDownAutoCache(); await cacheAction.tearDownAutoCache();
}); });
cacheAction.idslib.execute(); cacheAction.idslib.execute();

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

View file

@ -27,7 +27,7 @@
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"detsys-ts": "github:DeterminateSystems/detsys-ts", "detsys-ts": "github:DeterminateSystems/detsys-ts#store-trust",
"got": "^14.2.1", "got": "^14.2.1",
"tail": "^2.2.6" "tail": "^2.2.6"
}, },

View file

@ -12,8 +12,8 @@ dependencies:
specifier: ^1.1.1 specifier: ^1.1.1
version: 1.1.1 version: 1.1.1
detsys-ts: detsys-ts:
specifier: github:DeterminateSystems/detsys-ts specifier: github:DeterminateSystems/detsys-ts#store-trust
version: github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643 version: github.com/DeterminateSystems/detsys-ts/c1c2371f083f911beb01d75e4d194df0e8cd4416
got: got:
specifier: ^14.2.1 specifier: ^14.2.1
version: 14.2.1 version: 14.2.1
@ -1275,7 +1275,7 @@ packages:
hasBin: true hasBin: true
dependencies: dependencies:
caniuse-lite: 1.0.30001617 caniuse-lite: 1.0.30001617
electron-to-chromium: 1.4.761 electron-to-chromium: 1.4.763
node-releases: 2.0.14 node-releases: 2.0.14
update-browserslist-db: 1.0.15(browserslist@4.23.0) update-browserslist-db: 1.0.15(browserslist@4.23.0)
dev: true dev: true
@ -1533,8 +1533,8 @@ packages:
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==} resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
dev: true dev: true
/electron-to-chromium@1.4.761: /electron-to-chromium@1.4.763:
resolution: {integrity: sha512-PIbxpiJGx6Bb8dQaonNc6CGTRlVntdLg/2nMa1YhnrwYOORY9a3ZgGN0UQYE6lAcj/lkyduJN7BPt/JiY+jAQQ==} resolution: {integrity: sha512-k4J8NrtJ9QrvHLRo8Q18OncqBCB7tIUyqxRcJnlonQ0ioHKYB988GcDFF3ZePmnb8eHEopDs/wPHR/iGAFgoUQ==}
dev: true dev: true
/emoji-regex@8.0.0: /emoji-regex@8.0.0:
@ -3818,8 +3818,8 @@ packages:
engines: {node: '>=10'} engines: {node: '>=10'}
dev: true dev: true
github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643: github.com/DeterminateSystems/detsys-ts/c1c2371f083f911beb01d75e4d194df0e8cd4416:
resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/2391ba1ef3d22027cd4d9ecce147007a88f63643} resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/c1c2371f083f911beb01d75e4d194df0e8cd4416}
name: detsys-ts name: detsys-ts
version: 1.0.0 version: 1.0.0
dependencies: dependencies:

View file

@ -19,8 +19,12 @@ const STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
const STATE_STARTED = "MAGIC_NIX_CACHE_STARTED"; const STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
const STARTED_HINT = "true"; const STARTED_HINT = "true";
const NOOP_TEXT = const TEXT_NOOP =
"Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?"; "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
const TEXT_TRUST_UNTRUSTED =
"The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
const TEXT_TRUST_UNKNOWN =
"The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
class MagicNixCacheAction { class MagicNixCacheAction {
idslib: IdsToolbox; idslib: IdsToolbox;
@ -322,19 +326,33 @@ function main(): void {
cacheAction.idslib.onMain(async () => { cacheAction.idslib.onMain(async () => {
if (cacheAction.noopMode) { if (cacheAction.noopMode) {
actionsCore.warning(NOOP_TEXT); actionsCore.warning(TEXT_NOOP);
return; return;
} }
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
actionsCore.warning(TEXT_TRUST_UNTRUSTED);
return;
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
actionsCore.info(TEXT_TRUST_UNKNOWN);
}
await cacheAction.setUpAutoCache(); await cacheAction.setUpAutoCache();
await cacheAction.notifyAutoCache(); await cacheAction.notifyAutoCache();
}); });
cacheAction.idslib.onPost(async () => { cacheAction.idslib.onPost(async () => {
if (cacheAction.noopMode) { if (cacheAction.noopMode) {
actionsCore.debug(NOOP_TEXT); actionsCore.debug(TEXT_NOOP);
return; return;
} }
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
actionsCore.debug(TEXT_TRUST_UNTRUSTED);
return;
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
actionsCore.debug(TEXT_TRUST_UNKNOWN);
}
await cacheAction.tearDownAutoCache(); await cacheAction.tearDownAutoCache();
}); });