Address CI friction between security and caching #155

New issue

Open

opened 2025-02-19 12:25:13 +01:00 by kiara · 4 comments

kiara commented 2025-02-19 12:25:13 +01:00

Owner

Copy link

Our NixOS-based Gitea actions runner's jobs can access their Nix store (shared), which includes other jobs. This is a potential security concern, particularly if we wanted to allow anyone to sign up to this Forgejo instance and make PRs checked by CI.
As such, we may want to further consider our options on this.

c.f. prior discussion at #152

Our NixOS-based Gitea actions runner's jobs can access their Nix store (shared), which includes other jobs. This is a potential security concern, particularly if we wanted to allow anyone to sign up to this Forgejo instance and make PRs checked by CI. As such, we may want to further consider our options on this. c.f. prior discussion at #152

kiara added the

security

label 2025-02-19 12:25:13 +01:00

fricklerhandwerk commented 2025-02-19 14:03:07 +01:00

Owner

Copy link

Yes, essentially we just need two isolated instances for eval/build.

Yes, essentially we just need two isolated instances for eval/build.

kiara commented 2025-02-19 18:19:12 +01:00

Author

Owner

Copy link

@fricklerhandwerk could you explain that a bit?

@fricklerhandwerk could you explain that a bit?

fricklerhandwerk commented 2025-02-19 18:25:04 +01:00

Owner

Copy link

Like Nixpkgs or NGIpkgs does it: There's an isolated instance that will run builds on PRs, read-only accessing the main cache and not caching build results (or only between PR rebuilds), and another instance that runs builds on main and caches build results publicly.

Like [Nixpkgs](https://github.com/NixOS/nixpkgs/) or [NGIpkgs](https://github.com/ngi-nix/ngipkgs/) does it: There's an isolated instance that will run builds on PRs, read-only accessing the main cache and not caching build results (or only between PR rebuilds), and another instance that runs builds on `main` and caches build results publicly.

kiara commented 2025-02-19 18:32:04 +01:00

Author

Owner

Copy link

that makes sense, thanks.
in addition tho, i think we would need to make sure our (main) builds would not contain sensitive info then.

that makes sense, thanks. in addition tho, i think we would need to make sure our (main) builds would not contain sensitive info then.

kiara referenced this issue 2025-03-22 09:49:04 +01:00

Continuous Integration builds available in a public cache #92

kiara added a new dependency 2025-04-01 23:01:24 +02:00

#291 code passes security check

kiara added the

type unclear

label 2025-05-01 12:19:38 +02:00

kiara added

type: task

and removed

type unclear

labels 2025-06-01 10:22:37 +02:00

kiara added a new dependency 2025-12-02 20:09:04 +01:00

#92 Continuous Integration builds available in a public cache

kiara added a new dependency 2025-12-02 20:13:35 +01:00

#493 portable ephemeral state

kiara added a new dependency 2025-12-02 20:13:52 +01:00

#87 Replace snakeoil-key with proper secret

kiara added the

2 points

label 2025-12-02 20:14:19 +01:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

ci/pixelfed

pixelfed-ci

No results found.

Labels

Clear labels   

0 points

fibonacci complexity: 0 points

  

0.5 points

fibonacci complexity: 0.5 points

  

1 point

fibonacci complexity: 1 point

  

13 points

fibonacci complexity: 13 points

  

2 points

fibonacci complexity: 2 points

  

21 points

fibonacci complexity: 21 points

  

3 points

fibonacci complexity: 3 points

  

34 points

fibonacci complexity: 34 points

  

5 points

fibonacci complexity: 5 points

  

55 points

fibonacci complexity: 55 points

  

8 points

fibonacci complexity: 8 points

  

api service

features that may relate more to a (to be created) API service

  

blocked

  

component: fediversity panel

  

component: nixops4

  

documentation

  

estimation high: >3d

  

estimation low: <2h

  

estimation mid: <8h

  

infinite points

fibonacci complexity: infinite points

  

productisation

features out-scoped with the decoupling of the productisation effort

  

project-management

Project management related tasks

  

question

  

role: application developer

  

role: application operator

  

role: hosting provider

  

role: maintainer

  

security

  

technical debt

  

testing

  

type unclear

  

type: bug

Anything that doesn't work as advertised

  

type: deliverable

  

type: key result

  

type: objective

  

type: task

  

type: user story

  

user experience

No labels

0 points

0.5 points

1 point

13 points

2 points

21 points

3 points

34 points

5 points

55 points

8 points

api service

blocked

component: fediversity panel

component: nixops4

documentation

estimation high: >3d

estimation low: <2h

estimation mid: <8h

infinite points

productisation

project-management

question

role: application developer

role: application operator

role: hosting provider

role: maintainer

security

technical debt

testing

type unclear

type: bug

type: deliverable

type: key result

type: objective

type: task

type: user story

user experience

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks

#291 code passes security check

fediversity/fediversity

Depends on

#87 Replace snakeoil-key with proper secret

fediversity/fediversity

#92 Continuous Integration builds available in a public cache

fediversity/fediversity

#493 portable ephemeral state

fediversity/fediversity

Reference: fediversity/fediversity#155

No description provided.