From 292e51a6547e322d3a887e82db41d09700f1d5bd Mon Sep 17 00:00:00 2001 
From: dannyfaris
Date: Thu, 28 May 2026 23:20:17 +1200
Subject: [PATCH] ci: trust niri.cachix.org substituter in flake-check workflow (ADR-028)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Companion to slice 3b.5 (#57).

Slice 3b.5 added niri.cachix.org to nix.settings in modules/core/nixos/niri.nix — that configures the substituter on deployed systems *after* `nh os switch`. CI's nix daemon reads its own config from cachix/install-nix-action's extra_nix_config, which (until this commit) did not include niri.cachix.org.

Without this trust in CI, flake-check source-builds niri on the x86_64-linux matrix entry when any host imports the desktop-env bundle, and the source build hits the in-flight nixpkgs Rust crate fetcher 403 cascade (rust-lang/crates.io#13482, NixOS/nixpkgs#512735). Slice 3d (next) is the first commit that imports the bundle into a host, so this trust must land first.

Implementation:

- Adds `extra-substituters = https://niri.cachix.org` and the matching `extra-trusted-public-keys` line to the workflow's extra_nix_config.
- Uses the `extra-` prefix so it appends to install-nix-action's defaults rather than replacing them (cache.nixos.org is preserved).
- `accept-flake-config = false` is preserved unchanged — transitive flake inputs still cannot silently mutate config; only this operator-owned line adds new trust. The whitelist principle is intact.

Cross-arch note: niri.cachix.org serves x86_64-linux only. flake-check builds every host's system.build.toplevel including the aarch64 nixos-vm host, but nixos-vm does not import the niri module, so the aarch64 matrix entry lists the substituter but never queries it.

Header comment updated to remove the prior "binary-cache config in a follow-up workflow tweak" placeholder and replace with the rationale + source-of-key + cross-arch reasoning.
Peer-reviewed (8 checkpoints: extra- semantics, block-scalar format, key byte-match against modules/core/nixos/niri.nix, whitelist preservation, YAML indent, actionlint compatibility, cross-arch correctness, concurrency). Per ADR-028 §Implementation slice 3 (amendment). --- .github/workflows/ci.yaml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a5f47dd..d5c3134 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,10 +42,24 @@ jobs: # `accept-flake-config = false` carries the whitelist-over-blanket # stance from modules/core/nixos/nix-daemon.nix into CI: a # transitive input's nixConfig block can't silently add a - # substituter or change settings here. Binary-cache configuration - # lands in a follow-up workflow tweak per ADR-026. + # substituter or change settings here. + # + # niri.cachix.org is whitelisted explicitly below — mirrors the + # nix.settings in modules/core/nixos/niri.nix (ADR-028 slice 3b.5). + # Without this, CI's daemon doesn't trust the cache, niri builds + # from source, and the build hits the in-flight nixpkgs Rust + # crate fetcher 403 (rust-lang/crates.io#13482, + # NixOS/nixpkgs#512735). Public key sourced from niri-flake's + # flake.nix (the same key niri-flake would have added via the + # default-true cache.enable). Cross-arch note: niri.cachix.org + # serves x86_64-linux only, but flake-check builds every host + # (including aarch64 nixos-vm) and aarch64 hosts don't import + # the niri module, so the substituter is queried only for the + # x86_64 matrix entry. extra_nix_config: | experimental-features = nix-command flakes accept-flake-config = false + extra-substituters = https://niri.cachix.org + extra-trusted-public-keys = niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964= - run: nix flake check --print-build-logs
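Review bot: the added `extra-trusted-public-keys = niri.cachix.org-1:...` line widens trust daemon-wide, not per substituter, so the header comment's framing that "the substituter is queried only for the x86_64 matrix entry" undersells the change: Nix checks a path's signature against the whole trusted-key set regardless of which substituter served it, so on every matrix entry (aarch64 included) any path carrying a valid signature from this key is now accepted. Worth one sentence in the comment so a future reader does not assume the key is scoped to niri.cachix.org. Second, the same substituter URL and key now live in two places (this workflow and `modules/core/nixos/niri.nix`, as the comment itself says the line "mirrors"); the commit message records a manual byte-match, but nothing in the diff guards against drift when one copy is rotated. Consider either generating the `extra_nix_config` block from the module's values or adding a small CI assertion that the two key strings are identical.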