Merge pull request #5 from zhaofengli/trust-runner-user

Make the runner user trusted by default
Ana Hobden 2023-02-02 11:35:00 -08:00 committed by GitHub
commit e1f2e54ff9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 11 deletions


@ -56,6 +56,8 @@ jobs:
log-directives: nix_installer=trace log-directives: nix_installer=trace
backtrace: full backtrace: full
reinstall: true reinstall: true
extra-conf: |
use-sqlite-wal = true
- name: Test `nix` with `$GITHUB_PATH` - name: Test `nix` with `$GITHUB_PATH`
if: success() || failure() if: success() || failure()
run: | run: |
@ -64,6 +66,11 @@ jobs:
fortune fortune
nix store gc nix store gc
nix run nixpkgs#fortune nix run nixpkgs#fortune
- name: Verify the generated nix.conf
run: |
cat -n /etc/nix/nix.conf
grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
run-x86_64-darwin: run-x86_64-darwin:
name: Run x86_64 Darwin name: Run x86_64 Darwin
@ -119,6 +126,8 @@ jobs:
log-directives: nix_installer=trace log-directives: nix_installer=trace
backtrace: full backtrace: full
reinstall: true reinstall: true
extra-conf: |
use-sqlite-wal = true
- name: Test `nix` with `$GITHUB_PATH` - name: Test `nix` with `$GITHUB_PATH`
if: success() || failure() if: success() || failure()
run: | run: |
@ -127,3 +136,8 @@ jobs:
fortune fortune
nix store gc nix store gc
nix run nixpkgs#fortune nix run nixpkgs#fortune
- name: Verify the generated nix.conf
run: |
cat -n /etc/nix/nix.conf
grep -E "^trusted-users = .*$USER" /etc/nix/nix.conf
grep -E "^use-sqlite-wal = true" /etc/nix/nix.conf
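Review bot: The `trusted-users` assertion in the new "Verify the generated nix.conf" step (in both the first job and the Darwin job at the end of the file) is looser than it reads: `.*$USER` is an unanchored substring match, so it passes for any listed name that merely contains the runner's user name, and if `$USER` is empty it passes for any `trusted-users` line at all. Matching the name as a whole word and failing on an empty variable would make the check mean what it says, e.g. `grep -E "^trusted-users = (.* )?${USER:?}( |\$)" /etc/nix/nix.conf`. `cat -n` also prints the whole file to the job log, which presumably includes the `access-tokens` line the action writes, so the step relies on Actions masking the token; `grep -v '^access-tokens' /etc/nix/nix.conf | cat -n` keeps the debugging output without that dependency. No job sets `trust-runner-user: false` and asserts that the line is absent, so the opt-out path is untested.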


@ -13,6 +13,9 @@ inputs:
github-token: github-token:
description: A GitHub Token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests) description: A GitHub Token for making authenticated requests (which have a higher rate-limit quota than unauthenticated requests)
default: ${{ github.token }} default: ${{ github.token }}
trust-runner-user:
description: Whether to make the runner user trusted by the Nix daemon
default: "true"
channels: channels:
description: Channel(s) to add (eg `nixpkgs=https://nixos.org/channels/nixpkgs-unstable`) description: Channel(s) to add (eg `nixpkgs=https://nixos.org/channels/nixpkgs-unstable`)
required: false required: false
@ -160,18 +163,21 @@ runs:
echo "Set NIX_INSTALLER_NIX_PACKAGE_URL=$NIX_INSTALLER_NIX_PACKAGE_URL" echo "Set NIX_INSTALLER_NIX_PACKAGE_URL=$NIX_INSTALLER_NIX_PACKAGE_URL"
fi fi
NIX_EXTRA_CONF=""
NEWLINE='
'
if [ -n "${{ inputs.extra-conf }}" ]; then if [ -n "${{ inputs.extra-conf }}" ]; then
if [ -n "${{ inputs.github-token }}" ]; then NIX_EXTRA_CONF="${{ inputs.extra-conf }}"
export NIX_INSTALLER_EXTRA_CONF="${{ inputs.extra-conf }}access-tokens = github.com=${{ inputs.github-token }}" fi
else if [ -n "${{ inputs.github-token }}" ]; then
export NIX_INSTALLER_EXTRA_CONF="${{ inputs.extra-conf }}" NIX_EXTRA_CONF="${NIX_EXTRA_CONF:+$NIX_EXTRA_CONF$NEWLINE}access-tokens = github.com=${{ inputs.github-token }}"
fi fi
if [ "${{ inputs.trust-runner-user }}" == "true" ]; then
NIX_EXTRA_CONF="${NIX_EXTRA_CONF:+$NIX_EXTRA_CONF$NEWLINE}trusted-users = root $USER"
fi
if [ -n "$NIX_EXTRA_CONF" ]; then
export NIX_INSTALLER_EXTRA_CONF="$NIX_EXTRA_CONF"
echo "Set NIX_INSTALLER_EXTRA_CONF=$NIX_INSTALLER_EXTRA_CONF" echo "Set NIX_INSTALLER_EXTRA_CONF=$NIX_INSTALLER_EXTRA_CONF"
else
if [ -n "${{ inputs.github-token }}" ]; then
export NIX_INSTALLER_EXTRA_CONF="access-tokens = github.com=${{ inputs.github-token }}"
echo "Set NIX_INSTALLER_EXTRA_CONF=$NIX_INSTALLER_EXTRA_CONF"
fi
fi fi
if [ -n "${{ inputs.mac-encrypt }}" ]; then if [ -n "${{ inputs.mac-encrypt }}" ]; then
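Review bot: `trust-runner-user` defaults to `"true"`, so every existing caller now gets `trusted-users = root $USER` without opting in, and the input description does not say what that grants. The Nix manual treats membership of `trusted-users` as essentially root-equivalent on the daemon, which matters on self-hosted runners where the runner account is not otherwise privileged; I would say so in the description, e.g. `description: Whether to make the runner user trusted by the Nix daemon (a trusted user can effectively act as root through the daemon; set to "false" on shared or self-hosted runners)`. Because the line is appended after `inputs.extra-conf`, it presumably replaces any `trusted-users` value the caller set there, since a later nix.conf assignment overrides an earlier one; `extra-trusted-users = $USER` would add to the list instead. Separately, the new lines keep splicing `${{ inputs.* }}` into the script text, so a value containing a double quote or `$(` changes the script itself; passing the inputs through `env:` and reading them as shell variables avoids that. The run script starts before this hunk and continues after it.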