Behave well when MNCA isn't trusted
This commit is contained in:
parent
87e8236f46
commit
b57e263ed1
6 changed files with 121 additions and 16 deletions
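--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,6 +44,29 @@ jobs:
       - name: Cache the store
         uses: ./
 
+  run-x86_64-linux-untrusted:
+    name: Run x86_64 Linux
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: "write"
+      contents: "read"
+    env:
+      ACTIONS_STEP_DEBUG: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          trust-runner-user: false
+          flakehub: true
+          extra-conf: |
+            narinfo-cache-negative-ttl = 0
+      - name: Cache the store
+        uses: ./
+      - name: Check the cache for liveness
+        run: |
+          .github/workflows/cache-test.sh
+
   run-x86_64-linux:
     name: Run x86_64 Linux
     runs-on: ubuntu-22.04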
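Review bot: The new `run-x86_64-linux-untrusted` job exercises the path where the action is expected to disable itself (`trust-runner-user: false`), yet its final step runs the same `.github/workflows/cache-test.sh` liveness check as the trusted job, so it either fails if that script needs a running cache or passes without asserting that the cache was actually skipped. Add a step that checks the expected outcome explicitly, e.g. `run: test -z "${MAGIC_NIX_CACHE_DAEMONDIR:-}"`, assuming that is the variable the main step exports when it does start the daemon (it matches `ENV_DAEMON_DIR` in the action source — confirm). Separately, the installer is pulled from a mutable ref, `uses: DeterminateSystems/nix-installer-action@main`, in a job granted `id-token: "write"`; pinning it to a tag or commit SHA keeps this OIDC-bearing job from silently running new installer code, though the trusted job outside this hunk may already do the same. `ACTIONS_STEP_DEBUG: true` under `env:` is presumably copied from the existing job; step debug output is normally enabled through the repository secret/variable of that name rather than a job env var, so it may have no effect here.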
72
dist/index.js
generated
vendored
72
dist/index.js
generated
vendored
|
@ -93752,7 +93752,7 @@ const got = source_create(defaults);
|
||||||
const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
|
const external_node_stream_promises_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:stream/promises");
|
||||||
;// CONCATENATED MODULE: external "node:zlib"
|
;// CONCATENATED MODULE: external "node:zlib"
|
||||||
const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
|
const external_node_zlib_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("node:zlib");
|
||||||
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@2391ba1ef3d22027cd4d9ecce147007a88f63643_is35d24tynybsms6zejuqsabhi/node_modules/detsys-ts/dist/index.js
|
;// CONCATENATED MODULE: ./node_modules/.pnpm/github.com+DeterminateSystems+detsys-ts@c1c2371f083f911beb01d75e4d194df0e8cd4416_laqtfm6jblzcvupdk4zopxnh6q/node_modules/detsys-ts/dist/index.js
|
||||||
var __defProp = Object.defineProperty;
|
var __defProp = Object.defineProperty;
|
||||||
var __export = (target, all) => {
|
var __export = (target, all) => {
|
||||||
for (var name in all)
|
for (var name in all)
|
||||||
|
@ -94204,6 +94204,7 @@ function constructSourceParameters(legacyPrefix) {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
var DEFAULT_IDS_HOST = "https://install.determinate.systems";
|
var DEFAULT_IDS_HOST = "https://install.determinate.systems";
|
||||||
var IDS_HOST = process.env["IDS_HOST"] ?? DEFAULT_IDS_HOST;
|
var IDS_HOST = process.env["IDS_HOST"] ?? DEFAULT_IDS_HOST;
|
||||||
var EVENT_EXCEPTION = "exception";
|
var EVENT_EXCEPTION = "exception";
|
||||||
|
@ -94214,12 +94215,17 @@ var FACT_ENDED_WITH_EXCEPTION = "ended_with_exception";
|
||||||
var FACT_FINAL_EXCEPTION = "final_exception";
|
var FACT_FINAL_EXCEPTION = "final_exception";
|
||||||
var FACT_SOURCE_URL = "source_url";
|
var FACT_SOURCE_URL = "source_url";
|
||||||
var FACT_SOURCE_URL_ETAG = "source_url_etag";
|
var FACT_SOURCE_URL_ETAG = "source_url_etag";
|
||||||
|
var FACT_NIX_STORE_TRUST = "nix_store_trusted";
|
||||||
|
var FACT_NIX_STORE_VERSION = "nix_store_version";
|
||||||
|
var FACT_NIX_STORE_CHECK_METHOD = "nix_store_check_method";
|
||||||
|
var FACT_NIX_STORE_CHECK_ERROR = "nix_store_check_error";
|
||||||
var IdsToolbox = class {
|
var IdsToolbox = class {
|
||||||
constructor(actionOptions) {
|
constructor(actionOptions) {
|
||||||
this.actionOptions = makeOptionsConfident(actionOptions);
|
this.actionOptions = makeOptionsConfident(actionOptions);
|
||||||
this.hookMain = void 0;
|
this.hookMain = void 0;
|
||||||
this.hookPost = void 0;
|
this.hookPost = void 0;
|
||||||
this.exceptionAttachments = /* @__PURE__ */ new Map();
|
this.exceptionAttachments = /* @__PURE__ */ new Map();
|
||||||
|
this.nixStoreTrust = "unknown";
|
||||||
this.events = [];
|
this.events = [];
|
||||||
this.client = got_dist_source.extend({
|
this.client = got_dist_source.extend({
|
||||||
retry: {
|
retry: {
|
||||||
|
@ -94332,6 +94338,9 @@ var IdsToolbox = class {
|
||||||
if (!await this.preflightRequireNix()) {
|
if (!await this.preflightRequireNix()) {
|
||||||
this.recordEvent("preflight-require-nix-denied");
|
this.recordEvent("preflight-require-nix-denied");
|
||||||
return;
|
return;
|
||||||
|
} else {
|
||||||
|
await this.preflightNixStoreInfo();
|
||||||
|
this.addFact(FACT_NIX_STORE_TRUST, this.nixStoreTrust);
|
||||||
}
|
}
|
||||||
if (this.executionPhase === "main" && this.hookMain) {
|
if (this.executionPhase === "main" && this.hookMain) {
|
||||||
await this.hookMain();
|
await this.hookMain();
|
||||||
|
@ -94537,6 +94546,7 @@ var IdsToolbox = class {
|
||||||
await promises_namespaceObject.access(candidateNix, promises_namespaceObject.constants.X_OK);
|
await promises_namespaceObject.access(candidateNix, promises_namespaceObject.constants.X_OK);
|
||||||
core.debug(`Found Nix at ${candidateNix}`);
|
core.debug(`Found Nix at ${candidateNix}`);
|
||||||
nixLocation = candidateNix;
|
nixLocation = candidateNix;
|
||||||
|
break;
|
||||||
} catch {
|
} catch {
|
||||||
core.debug(`Nix not at ${candidateNix}`);
|
core.debug(`Nix not at ${candidateNix}`);
|
||||||
}
|
}
|
||||||
|
@ -94569,6 +94579,46 @@ var IdsToolbox = class {
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
async preflightNixStoreInfo() {
|
||||||
|
this.nixStoreTrust = "unknown";
|
||||||
|
let output = "";
|
||||||
|
const options = {};
|
||||||
|
options.listeners = {
|
||||||
|
stdout: (data) => {
|
||||||
|
output += data.toString();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
try {
|
||||||
|
output = "";
|
||||||
|
await exec.exec("nix", ["store", "info", "--json"], options);
|
||||||
|
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "info");
|
||||||
|
} catch {
|
||||||
|
try {
|
||||||
|
output = "";
|
||||||
|
await exec.exec("nix", ["store", "ping", "--json"], options);
|
||||||
|
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "ping");
|
||||||
|
} catch {
|
||||||
|
this.addFact(FACT_NIX_STORE_CHECK_METHOD, "none");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
const parsed = JSON.parse(output);
|
||||||
|
if (parsed.trusted === 1) {
|
||||||
|
this.nixStoreTrust = "trusted";
|
||||||
|
} else if (parsed.trusted === 0) {
|
||||||
|
this.nixStoreTrust = "untrusted";
|
||||||
|
} else if (parsed.trusted !== void 0) {
|
||||||
|
this.addFact(
|
||||||
|
FACT_NIX_STORE_CHECK_ERROR,
|
||||||
|
`Mysterious trusted value: ${JSON.stringify(parsed.trusted)}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
this.addFact(FACT_NIX_STORE_VERSION, JSON.stringify(parsed.version));
|
||||||
|
} catch (e) {
|
||||||
|
this.addFact(FACT_NIX_STORE_CHECK_ERROR, this.stringifyError(e));
|
||||||
|
}
|
||||||
|
}
|
||||||
async submitEvents() {
|
async submitEvents() {
|
||||||
if (!this.actionOptions.diagnosticsUrl) {
|
if (!this.actionOptions.diagnosticsUrl) {
|
||||||
core.debug(
|
core.debug(
|
||||||
|
@ -94749,7 +94799,9 @@ var ENV_DAEMON_DIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
||||||
var STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
var STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
||||||
var STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
var STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
||||||
var STARTED_HINT = "true";
|
var STARTED_HINT = "true";
|
||||||
var NOOP_TEXT = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
var TEXT_NOOP = "Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
||||||
|
var TEXT_TRUST_UNTRUSTED = "The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
|
||||||
|
var TEXT_TRUST_UNKNOWN = "The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
|
||||||
var MagicNixCacheAction = class {
|
var MagicNixCacheAction = class {
|
||||||
constructor() {
|
constructor() {
|
||||||
this.idslib = new IdsToolbox({
|
this.idslib = new IdsToolbox({
|
||||||
|
@ -94987,17 +95039,29 @@ function main() {
|
||||||
const cacheAction = new MagicNixCacheAction();
|
const cacheAction = new MagicNixCacheAction();
|
||||||
cacheAction.idslib.onMain(async () => {
|
cacheAction.idslib.onMain(async () => {
|
||||||
if (cacheAction.noopMode) {
|
if (cacheAction.noopMode) {
|
||||||
core.warning(NOOP_TEXT);
|
core.warning(TEXT_NOOP);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||||
|
core.warning(TEXT_TRUST_UNTRUSTED);
|
||||||
|
return;
|
||||||
|
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||||
|
core.info(TEXT_TRUST_UNKNOWN);
|
||||||
|
}
|
||||||
await cacheAction.setUpAutoCache();
|
await cacheAction.setUpAutoCache();
|
||||||
await cacheAction.notifyAutoCache();
|
await cacheAction.notifyAutoCache();
|
||||||
});
|
});
|
||||||
cacheAction.idslib.onPost(async () => {
|
cacheAction.idslib.onPost(async () => {
|
||||||
if (cacheAction.noopMode) {
|
if (cacheAction.noopMode) {
|
||||||
core.debug(NOOP_TEXT);
|
core.debug(TEXT_NOOP);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||||
|
core.debug(TEXT_TRUST_UNTRUSTED);
|
||||||
|
return;
|
||||||
|
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||||
|
core.debug(TEXT_TRUST_UNKNOWN);
|
||||||
|
}
|
||||||
await cacheAction.tearDownAutoCache();
|
await cacheAction.tearDownAutoCache();
|
||||||
});
|
});
|
||||||
cacheAction.idslib.execute();
|
cacheAction.idslib.execute();
|
||||||
|
|
2
dist/index.js.map
generated
vendored
2
dist/index.js.map
generated
vendored
File diff suppressed because one or more lines are too long
|
@ -27,7 +27,7 @@
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@actions/core": "^1.10.1",
|
"@actions/core": "^1.10.1",
|
||||||
"@actions/exec": "^1.1.1",
|
"@actions/exec": "^1.1.1",
|
||||||
"detsys-ts": "github:DeterminateSystems/detsys-ts",
|
"detsys-ts": "github:DeterminateSystems/detsys-ts#store-trust",
|
||||||
"got": "^14.2.1",
|
"got": "^14.2.1",
|
||||||
"tail": "^2.2.6"
|
"tail": "^2.2.6"
|
||||||
},
|
},
|
||||||
|
|
|
@ -12,8 +12,8 @@ dependencies:
|
||||||
specifier: ^1.1.1
|
specifier: ^1.1.1
|
||||||
version: 1.1.1
|
version: 1.1.1
|
||||||
detsys-ts:
|
detsys-ts:
|
||||||
specifier: github:DeterminateSystems/detsys-ts
|
specifier: github:DeterminateSystems/detsys-ts#store-trust
|
||||||
version: github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643
|
version: github.com/DeterminateSystems/detsys-ts/c1c2371f083f911beb01d75e4d194df0e8cd4416
|
||||||
got:
|
got:
|
||||||
specifier: ^14.2.1
|
specifier: ^14.2.1
|
||||||
version: 14.2.1
|
version: 14.2.1
|
||||||
|
@ -1275,7 +1275,7 @@ packages:
|
||||||
hasBin: true
|
hasBin: true
|
||||||
dependencies:
|
dependencies:
|
||||||
caniuse-lite: 1.0.30001617
|
caniuse-lite: 1.0.30001617
|
||||||
electron-to-chromium: 1.4.761
|
electron-to-chromium: 1.4.763
|
||||||
node-releases: 2.0.14
|
node-releases: 2.0.14
|
||||||
update-browserslist-db: 1.0.15(browserslist@4.23.0)
|
update-browserslist-db: 1.0.15(browserslist@4.23.0)
|
||||||
dev: true
|
dev: true
|
||||||
|
@ -1533,8 +1533,8 @@ packages:
|
||||||
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
|
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
|
||||||
dev: true
|
dev: true
|
||||||
|
|
||||||
/electron-to-chromium@1.4.761:
|
/electron-to-chromium@1.4.763:
|
||||||
resolution: {integrity: sha512-PIbxpiJGx6Bb8dQaonNc6CGTRlVntdLg/2nMa1YhnrwYOORY9a3ZgGN0UQYE6lAcj/lkyduJN7BPt/JiY+jAQQ==}
|
resolution: {integrity: sha512-k4J8NrtJ9QrvHLRo8Q18OncqBCB7tIUyqxRcJnlonQ0ioHKYB988GcDFF3ZePmnb8eHEopDs/wPHR/iGAFgoUQ==}
|
||||||
dev: true
|
dev: true
|
||||||
|
|
||||||
/emoji-regex@8.0.0:
|
/emoji-regex@8.0.0:
|
||||||
|
@ -3818,8 +3818,8 @@ packages:
|
||||||
engines: {node: '>=10'}
|
engines: {node: '>=10'}
|
||||||
dev: true
|
dev: true
|
||||||
|
|
||||||
github.com/DeterminateSystems/detsys-ts/2391ba1ef3d22027cd4d9ecce147007a88f63643:
|
github.com/DeterminateSystems/detsys-ts/c1c2371f083f911beb01d75e4d194df0e8cd4416:
|
||||||
resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/2391ba1ef3d22027cd4d9ecce147007a88f63643}
|
resolution: {tarball: https://codeload.github.com/DeterminateSystems/detsys-ts/tar.gz/c1c2371f083f911beb01d75e4d194df0e8cd4416}
|
||||||
name: detsys-ts
|
name: detsys-ts
|
||||||
version: 1.0.0
|
version: 1.0.0
|
||||||
dependencies:
|
dependencies:
|
||||||
|
|
24
src/index.ts
24
src/index.ts
|
@ -19,8 +19,12 @@ const STATE_DAEMONDIR = "MAGIC_NIX_CACHE_DAEMONDIR";
|
||||||
const STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
const STATE_STARTED = "MAGIC_NIX_CACHE_STARTED";
|
||||||
const STARTED_HINT = "true";
|
const STARTED_HINT = "true";
|
||||||
|
|
||||||
const NOOP_TEXT =
|
const TEXT_NOOP =
|
||||||
"Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
"Magic Nix Cache is already running, this workflow job is in noop mode. Is the Magic Nix Cache in the workflow twice?";
|
||||||
|
const TEXT_TRUST_UNTRUSTED =
|
||||||
|
"The Nix daemon does not consider the user running this workflow to be trusted. Magic Nix Cache is disabled.";
|
||||||
|
const TEXT_TRUST_UNKNOWN =
|
||||||
|
"The Nix daemon may not consider the user running this workflow to be trusted. Magic Nix Cache may not start correctly.";
|
||||||
|
|
||||||
class MagicNixCacheAction {
|
class MagicNixCacheAction {
|
||||||
idslib: IdsToolbox;
|
idslib: IdsToolbox;
|
||||||
|
@ -322,19 +326,33 @@ function main(): void {
|
||||||
|
|
||||||
cacheAction.idslib.onMain(async () => {
|
cacheAction.idslib.onMain(async () => {
|
||||||
if (cacheAction.noopMode) {
|
if (cacheAction.noopMode) {
|
||||||
actionsCore.warning(NOOP_TEXT);
|
actionsCore.warning(TEXT_NOOP);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||||
|
actionsCore.warning(TEXT_TRUST_UNTRUSTED);
|
||||||
|
return;
|
||||||
|
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||||
|
actionsCore.info(TEXT_TRUST_UNKNOWN);
|
||||||
|
}
|
||||||
|
|
||||||
await cacheAction.setUpAutoCache();
|
await cacheAction.setUpAutoCache();
|
||||||
await cacheAction.notifyAutoCache();
|
await cacheAction.notifyAutoCache();
|
||||||
});
|
});
|
||||||
cacheAction.idslib.onPost(async () => {
|
cacheAction.idslib.onPost(async () => {
|
||||||
if (cacheAction.noopMode) {
|
if (cacheAction.noopMode) {
|
||||||
actionsCore.debug(NOOP_TEXT);
|
actionsCore.debug(TEXT_NOOP);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (cacheAction.idslib.nixStoreTrust === "untrusted") {
|
||||||
|
actionsCore.debug(TEXT_TRUST_UNTRUSTED);
|
||||||
|
return;
|
||||||
|
} else if (cacheAction.idslib.nixStoreTrust === "unknown") {
|
||||||
|
actionsCore.debug(TEXT_TRUST_UNKNOWN);
|
||||||
|
}
|
||||||
|
|
||||||
await cacheAction.tearDownAutoCache();
|
await cacheAction.tearDownAutoCache();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
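Review bot: The `onPost` guard decides whether to skip `tearDownAutoCache` by re-reading `cacheAction.idslib.nixStoreTrust` at post time, and the toolbox re-probes the store on every `execute()` (the `preflightNixStoreInfo` call in the bundled dist resets the field to `"unknown"` before probing), so the main and post phases can disagree if a later workflow step edits `trusted-users` or restarts the daemon: main may start the daemon and post leave it running, or post may tear down a daemon that was never started. Key the post decision on state saved in main instead, alongside the existing `STATE_STARTED`/`STARTED_HINT` pair: in the untrusted branch of `onMain` add `actionsCore.saveState(STATE_SKIPPED, "true");` with `const STATE_SKIPPED = "MAGIC_NIX_CACHE_SKIPPED";` next to the other state keys, and in `onPost` replace the trust check with `if (actionsCore.getState(STATE_SKIPPED) === "true") return;`. If `tearDownAutoCache` already no-ops when no daemon state was saved, the post-phase guard can simply be dropped. The enclosing `main()` starts before this hunk.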