cachix-action: extraPullNames does not seem to work

I have a job that looks like this:

---
name: Build
on:
  pull_request:
  push:
jobs:
  builds:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v12
      with:
        install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20201221_9fab14a/install
        extra_nix_config: |
          experimental-features = nix-command flakes
    - uses: cachix/cachix-action@v8
      with:
        name: terlar
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        extraPullNames: nix-community
    - run: cat $HOME/.config/nix/nix.conf
    - run: nix build --print-build-logs .#defaultPackage.x86_64-linux

The output of cachix/cachix-action@v8:

Run cachix/cachix-action@v8
Cachix: installing
/home/runner/.nix-profile/bin/cachix authtoken ***
Written to /home/runner/.config/cachix/cachix.dhall
Cachix: using cache terlar
  /nix/var/nix/profiles/per-user/runner/profile/bin/cachix use terlar
  Configured https://terlar.cachix.org binary cache in /home/runner/.config/nix/nix.conf
Cachix: using extra caches nix-community
  /nix/var/nix/profiles/per-user/runner/profile/bin/cachix use nix-community
  Configured https://terlar.cachix.org binary cache in /home/runner/.config/nix/nix.conf
/bin/sh -c nix path-info --all | grep -v '.drv$' > /tmp/store-path-pre-build

The output of the cat:

Run cat $HOME/.config/nix/nix.conf
substituters = https://cache.nixos.org https://terlar.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= terlar.cachix.org-1:M8CXTOaJib7CP/jEfpNJAyrgW4qECnOUI02q7cnmh8U=

Seems it always add the cache name also for the extra caches as indicated by the output of cachix/cachix-action@v8. I started looking into this as when I transitioned from adding the cache myself to using the extraPullNames my build times went up a lot. Any idea what is going on?

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

Okay, thank you for the clarification, that makes sense. I guess those examples I saw was configured before this feature. Then I will stick to the recommendations and await your changes. In the meantime there is also the work-around to populate the nix configuration with other caches “manually”.

Funnily enough if you recommended to use signing key my next question would be about how I rotate/revoke them 😸

Thank you for cachix, apart from this it has been smooth sailing.

+1
terlar on Dec 28, 2020

I also read somewhere that it was recommended to use the Cache Auth Tokens instead of the Personal Auth Tokens. So just to understand this, the issue is that using a Cache Auth Token is not working in the same way?

That is correct. The problem is that cache token is tied to a specific cache, but really requesting another cache should just work.

I tried generating a signing key (cachix generate-keypair terlar) with the Cache Auth Token and that failed, are you supposed to be able to do that as well? Because I saw most people were using signing keys in their GitHub Actions (for public projects).

That is if you want to manage signing yourself, which I don’t recommend as per https://blog.cachix.org/posts/2020-11-09-write-access-control-for-binary-caches/

+1
domenkozar on Dec 28, 2020
Read more comments on GitHub
← cachix-action: `cachix: CppStdException "Exception: path '/nix/store/...' is not valid; type: nix::InvalidPath"`
cachix-action: path '/nix/store/{b32}-headscale-{rev}-go-modules' is not valid; type: nix::InvalidPath →