rules_nixpkgs

Enable CI runs on external PRs

Open • aherrmann opened this issue 3 years ago • 1 comment

Enable CI runs on PRs coming from forks. As discussed in https://github.com/tweag/rules_nixpkgs/pull/236#issuecomment-1176396264 this is currently not possible because the BuildBuddy secret cannot be exposed to actions run from forks and the run fails due to missing credentials.

Ideally, we'd find a way to configure a read-only token for actions run from forks while using a read-write token for internal runs.

Short of that, we could simply run without BuildBuddy at all for actions triggered from forks.

aherrmann, Jul 06 '22 15:07

I think we could combine the "Auth file" and read-only keys to achieve this. Perhaps have the CI try to generate a file when the read-write secret exists, and otherwise fall back on this read-only key that could just live in source control itself. Or have the read-only "auth-file" be the default, and have the CI overwrite it when the read-write one is available?

bryanhonof, Jul 07 '22 08:07
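
A sketch of the selection step discussed in this thread, as an added example that is not code from rules_nixpkgs or from either commenter. The variable `BUILDBUDDY_API_KEY` and the file names passed to the function are assumptions; the key values in any test input are constructed.

```shell
#!/bin/sh
# Added example: choose the BuildBuddy credentials for one CI run.
# Assumed names (not from the project): BUILDBUDDY_API_KEY and the two
# file paths the caller passes in.

# select_auth_file RO_FILE OUT_FILE
# Writes bazelrc lines to OUT_FILE and prints which mode was chosen:
# "read-write", "read-only" or "none".
select_auth_file() {
    ro_file=$1
    out_file=$2
    # Start clean so a stale read-write file never survives into a fork run
    # and so the umask below applies to a freshly created file.
    rm -f "$out_file"
    if [ -n "${BUILDBUDDY_API_KEY:-}" ]; then
        # Internal run: the secret is present. Create the file readable by
        # the owner only, and never echo the key into the job log.
        (
            umask 077
            printf 'build --remote_header=x-buildbuddy-api-key=%s\n' \
                "$BUILDBUDDY_API_KEY" > "$out_file"
        )
        echo read-write
    elif [ -f "$ro_file" ]; then
        # Fork PR: GitHub does not expose repository secrets, so the
        # variable is unset or empty. Use the committed read-only key and
        # skip uploads, which a read-only key would be refused anyway.
        {
            cat "$ro_file"
            echo 'build --noremote_upload_local_results'
        } > "$out_file"
        echo read-only
    else
        # No credentials at all: leave an empty file so the build simply
        # runs without BuildBuddy.
        : > "$out_file"
        echo none
    fi
}
```

A workflow step would call `select_auth_file` with the committed read-only file and an output path that `.bazelrc` pulls in with `try-import`.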