5bbbc3a30b
In the previous two commits, security issues with these workflows were fixed. In order for these to not be exploitable for PRs to branches that don't have the fixes yet (including read-only branches like nixos-unstable), these workflows are renamed, so that the old ones can be turned off manually via GitHub interface. Co-Authored-By: 13x1 <tori@disroot.org> Co-Authored-By: basti564 <e3e@disroot.org>
name: "Build NixOS manual v2"
permissions:
contents: read
on:
pull_request_target:
branches:
- master
paths:
- 'nixos/**'
jobs:
nixos:
name: nixos-manual-build
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Building NixOS manual
run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
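Review bot: The checkout step with `ref: refs/pull/${{ github.event.pull_request.number }}/merge` keeps the job's GITHUB_TOKEN in the working tree's git config for the rest of the job, while the later `nix-build` step evaluates code taken from the pull request; even with `permissions: contents: read` that token need not be reachable from PR-controlled code, so add `persist-credentials: false` under that step's `with:` block. A comment above the `pull_request_target:` trigger stating why this workflow runs with secrets on PR code and which controls make that acceptable (the `repository_owner` guard, `sandbox = true`, `--option restrict-eval true`, and the untrusted `nixpkgs-ci` cache) would help future edits not weaken any one of them, e.g. `# pull_request_target gives this job secrets while building PR code: keep the sandbox, restrict-eval and cache warning below when changing it`. That comment could also note that the merge ref is resolved at checkout time rather than pinned to the triggering commit, so the built tree may differ from what the event reported.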