Skip to content

chore: remove unnecessary/unsafe permissions to gen_ai_review (#28) #85

chore: remove unnecessary/unsafe permissions to gen_ai_review (#28)

chore: remove unnecessary/unsafe permissions to gen_ai_review (#28) #85

---
name: "push: build and cache devShells"
on:
pull_request:
push:
branches:
- main
jobs:
artifacts:
strategy:
matrix:
os: [blacksmith-2vcpu-ubuntu-2204, blacksmith-2vcpu-ubuntu-2204-arm]
fail-fast: true
runs-on: ${{ matrix.os }}
timeout-minutes: 240
permissions:
id-token: write
contents: write
steps:
- name: "Check out repository"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure aws
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
aws-region: eu-central-1
role-duration-seconds: 10800
- uses: cachix/install-nix-action@v27
with:
install_url: "https://releases.nixos.org/nix/nix-2.22.3/install"
install_options: "--no-daemon"
extra_nix_config: |
experimental-features = nix-command flakes
sandbox = false
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
- name: "Verify if we need to build"
id: verify-build
run: |
export drvPath=$(make build-dry-run)
nix store verify --store s3://nhost-nix-cache\?region=eu-central-1 $drvPath \
&& export BUILD_NEEDED=no \
|| export BUILD_NEEDED=yes
echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT
echo DERIVATION_PATH=$drvPath >> $GITHUB_OUTPUT
- name: "Build"
run: |
make build
- name: "Cache build"
run: |
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem
nix store sign --key-file cache-priv-key.pem --all
DEPENDENCIES=($(nix-store --query --requisites --include-outputs ${{ steps.verify-build.outputs.DERIVATION_PATH }}))
nix copy --to s3://nhost-nix-cache\?region=eu-central-1 "${DEPENDENCIES[@]}"
if: always()
- run: rm cache-priv-key.pem
if: always()