This repository has been archived by the owner on Apr 29, 2024. It is now read-only.
Upgrade wrappers to resolve time
security issue (#27)
#38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Cache upload | |
on: | |
push: | |
branches: | |
- main | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
jobs: | |
build: | |
strategy: | |
fail-fast: false | |
runs-on: ubuntu-latest | |
name: nix-build | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | |
with: | |
fetch-depth: 0 | |
- uses: DeterminateSystems/nix-installer-action@65d7c888b2778e8cf30a07a88422ccb23499bfb8 | |
- uses: DeterminateSystems/magic-nix-cache-action@749fc5bbc9fa49d60c2b93f6c4bc867b82e1d295 | |
- name: configure aws credentials for s3 | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
role-to-assume: ${{ secrets.DEV_AWS_ROLE }} | |
aws-region: "us-east-1" | |
- name: write secret key | |
# use python so we don't interpolate the secret into the workflow logs, in case of bugs | |
run: | | |
python -c "import os; file = open('nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()" | |
env: | |
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }} | |
- name: build and copy to S3 | |
run: | | |
for x in 14 15; do | |
nix build .#psql_$x/bin -o result-$x | |
done | |
nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./result* |