Description
As the readme rightly points out,
Pull requests do not have access to secrets so read access to a public binary cache will work, but pushing will be disabled since there is no signing key.
This begs the question: if one wanted to cache builds of PRs from arbitrary forks, what's the best way to do that? And what are caveats/security implications of doing so?
Off the top of my head, I can think of two approaches:
- the simple approach would be to use the
pull_request_targettrigger to build the PR via something likenix build .?rev=${{ github.event.pull_request.head.sha }}(entirely untested), relying on hermetic evaluation to ensure that the PR code cannot access any secrets. This would fail if the build relies on scripts that are run outside of a Nix build, and the PR modified some of them. - a different approach following GitHub's own suggestions would be to build the PR in an untrusted context, put the resulting Nix closure in an artifact, and restore and push that closure in a trusted workflow job. A little more involved, but once someone figures out a generic recipe, that shouldn't be too hard to set up either.
In either case, one might want to be mindful of the possibility of cache poisoning. I haven't seen too much discussion about this in the Nix community, but I would assume that Nix' hashing scheme is strong enough to make that a non-issue in practice. Still, concerned users might want to set up a separate cache for untrusted PRs and e.g. only activate it selectively on the cmdline (keeping in mind that the results of such a temporary build will, of course, remain in the local Nix store until they are GC'ed).