From b7b7f9899e6030b3d2ce1ed8ae6acec7a0fe066a Mon Sep 17 00:00:00 2001
From: Zhaofeng Li
Date: Fri, 27 Jan 2023 16:10:13 -0700
Subject: [PATCH 1/3] Make the runner user trusted by default

Usually we want the runner user to be able to configure binary caches.
---
 action.yml | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/action.yml b/action.yml
index 193f904..f147751 100644
--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,9 @@ inputs: github-token: description: A GitHub Token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests) default: ${{ github.token }} + trust-runner-user: description: Whether to make the runner user trusted by the Nix daemon default: "true" channels: description: Channel(s) to add (eg `nixpkgs=https://nixos.org/channels/nixpkgs-unstable`) required: false
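Review bot: The description of the new `trust-runner-user` input does not say what being trusted by the daemon entails, and because the default is `"true"` every consumer of the action gets that behaviour without opting in. The commit message names the motivation (letting the runner user configure binary caches); a trusted user can also override other daemon-side settings such as `substituters` and `trusted-public-keys` from the client, so the input should state that and when to turn it off, e.g. `description: Whether to make the runner user trusted by the Nix daemon. A trusted user can override daemon settings such as substituters and trusted-public-keys from the client; set to "false" when the daemon must stay locked down`. The surrounding `inputs:` mapping continues outside the hunk.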
@@ -160,18 +163,21 @@ runs:
 echo "Set NIX_INSTALLER_NIX_PACKAGE_URL=$NIX_INSTALLER_NIX_PACKAGE_URL"
 fi
+ NIX_EXTRA_CONF=""
+ NEWLINE='
+ '
 if [ -n "${{ inputs.extra-conf }}" ]; then
- if [ -n "${{ inputs.github-token }}" ]; then
- export NIX_INSTALLER_EXTRA_CONF="${{ inputs.extra-conf }}access-tokens = github.com=${{ inputs.github-token }}"
- else
- export NIX_INSTALLER_EXTRA_CONF="${{ inputs.extra-conf }}"
- fi
+ NIX_EXTRA_CONF="${{ inputs.extra-conf }}"
+ fi
+ if [ -n "${{ inputs.github-token }}" ]; then
+ NIX_EXTRA_CONF="${NIX_EXTRA_CONF:+$NIX_EXTRA_CONF$NEWLINE}access-tokens = github.com=${{ inputs.github-token }}"
+ fi
+ if [ "${{ inputs.trust-runner-user }}" == "true" ]; then
+ NIX_EXTRA_CONF="${NIX_EXTRA_CONF:+$NIX_EXTRA_CONF$NEWLINE}trusted-users = root $USER"
+ fi
+ if [ -n "$NIX_EXTRA_CONF" ]; then
+ export NIX_INSTALLER_EXTRA_CONF="$NIX_EXTRA_CONF"
 echo "Set NIX_INSTALLER_EXTRA_CONF=$NIX_INSTALLER_EXTRA_CONF"
- else
- if [ -n "${{ inputs.github-token }}" ]; then
- export NIX_INSTALLER_EXTRA_CONF="access-tokens = github.com=${{ inputs.github-token }}"
- echo "Set NIX_INSTALLER_EXTRA_CONF=$NIX_INSTALLER_EXTRA_CONF"
- fi
 fi
 if [ -n "${{ inputs.mac-encrypt }}" ]; then
From 8589344a035c0e23245bbf739cc6016129e5338f Mon Sep 17 00:00:00 2001
From: Zhaofeng Li
Date: Fri, 27 Jan 2023 16:10:13 -0700
Subject: [PATCH 2/3] .github: Verify trusted-users is set in nix.conf

---
 .github/workflows/ci.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 763bf1e..7adf9dd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -67,6 +67,10 @@ jobs:
 fortune
 nix store gc
 nix run nixpkgs#fortune
+ - name: Verify the generated nix.conf
+ run: |
+ cat -n /etc/nix/nix.conf
+ grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
 run-x86_64-darwin:
 name: Run x86_64 Darwin
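Review bot: `trusted-users = root $USER` silently degrades to `trusted-users = root ` when `USER` is unset in the step's environment, so the runner user would not be trusted even though the input defaulted to `"true"`; a fallback such as `trusted-users = root ${USER:-$(id -un)}` makes the line robust. The test `[ "${{ inputs.trust-runner-user }}" == "true" ]` relies on the bash-only `==`; `=` behaves identically under bash and is portable to other shells the step might run with. The existing `echo "Set NIX_INSTALLER_EXTRA_CONF=…"` that the new code now feeds prints the whole assembled configuration, including the `access-tokens` line when a token is set, so consider echoing only the option names rather than the values. The enclosing `runs:` step body starts and ends outside the hunk.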
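Review bot: `cat -n /etc/nix/nix.conf` writes the complete generated file into the job log, and with `github-token` set that file contains an `access-tokens = github.com=…` line; GitHub's log masking covers the job token but a redacting print such as `sed -E 's/^(access-tokens =).*/\1 <redacted>/' /etc/nix/nix.conf` does not depend on it. The check `grep -E "^trusted-users = .*$USER"` also passes for any longer user name that merely contains `$USER`; `grep -E "^trusted-users = (.* )?$USER( |$)"` pins the exact entry. Both points apply equally to the @@ -132 hunk of this patch, which adds the same two lines for the Darwin job.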
@@ -132,4 +136,8 @@ jobs:
 nix profile install nixpkgs#fortune
 fortune
 nix store gc
- nix run nixpkgs#fortune
\ No newline at end of file
+ nix run nixpkgs#fortune
+ - name: Verify the generated nix.conf
+ run: |
+ cat -n /etc/nix/nix.conf
+ grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
From 224c33d6382385ab22697be00b9eab1e165a3028 Mon Sep 17 00:00:00 2001
From: Zhaofeng Li
Date: Fri, 27 Jan 2023 16:10:13 -0700
Subject: [PATCH 3/3] .github: Verify that extra-conf is honored

---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7adf9dd..9700a35 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,8 @@ jobs:
 backtrace: full
 github-token: ${{ secrets.GITHUB_TOKEN }}
 reinstall: true
+ extra-conf: |
+ use-sqlite-wal = true
 - name: Test `nix` with `$GITHUB_PATH`
 if: success() || failure()
 run: |
@@ -71,6 +73,7 @@ jobs:
 run: |
 cat -n /etc/nix/nix.conf
 grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
+ grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
 run-x86_64-darwin:
 name: Run x86_64 Darwin
@@ -129,6 +132,8 @@ jobs:
 backtrace: full
 github-token: ${{ secrets.GITHUB_TOKEN }}
 reinstall: true
+ extra-conf: |
+ use-sqlite-wal = true
 - name: Test `nix` with `$GITHUB_PATH`
 if: success() || failure()
 run: |
@@ -141,3 +146,4 @@ jobs:
 run: |
 cat -n /etc/nix/nix.conf
 grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
+ grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf