From 302af5d3a307f2fddfac5a45840b0160c9f1a406 Mon Sep 17 00:00:00 2001
From: Zahary Karadjov
Date: Mon, 22 Jun 2026 12:47:07 +0300
Subject: [PATCH] Migrate Cachix usage to Attic
---
 .github/WORKFLOW_PATTERN.md | 5 +-
 .github/act-env.env | 8 +--
 .github/act-secrets.local.env.example | 14 +++---
 .github/actions/setup-nix/action.yml | 26 +++++-----
 .github/scripts/get-auth-tokens.sh | 62 ++++++++----------------
 .github/workflows/ci.yml | 18 ++++---
 .github/workflows/dependency-updates.yml | 3 +-
 .github/workflows/performance.yml | 9 ++--
 .github/workflows/release.yml | 8 ++-
 .github/workflows/security-audit.yml | 6 ++-
 .github/workflows/tee-attestation.yml | 12 +++--
 scripts/nix.conf | 4 +-
 scripts/setup-nix-substituters.sh | 4 +-
 13 files changed, 89 insertions(+), 90 deletions(-)
diff --git a/.github/WORKFLOW_PATTERN.md b/.github/WORKFLOW_PATTERN.md
index b0e5b27..95d8a12 100644
--- a/.github/WORKFLOW_PATTERN.md
+++ b/.github/WORKFLOW_PATTERN.md
@@ -13,7 +13,6 @@ steps:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 ```
 ### 2. Set Default Shell for Jobs
@@ -48,8 +47,8 @@ Commands no longer need the `nix develop --command` prefix:
 ## Composite Action
 The shared setup action (`.github/actions/setup-nix/action.yml`) handles:
-- Nix installation via cachix/install-nix-action
-- Cachix configuration for caching
+- Nix installation via metacraft-labs/nixos-modules setup-nix action
+- Attic configuration for caching
 ## Environment Variables
diff --git a/.github/act-env.env b/.github/act-env.env
index a65c1cb..f7f54f7 100644
--- a/.github/act-env.env
+++ b/.github/act-env.env
@@ -13,7 +13,7 @@ MAX_MEMORY=4096
 # Act-specific settings
 ACT=true
-# Cachix configuration (missing in act environment)
-CACHIX_CACHE=blocksense
-TRUSTED_PUBLIC_KEYS=
-SUBSTITUTERS=
\ No newline at end of file
+# Attic configuration (missing in act environment)
+ATTIC_CACHE=blocksense-public
+TRUSTED_PUBLIC_KEYS=blocksense-public:OOgTc0ye1FONCiVHMrbpScc/HP+lX3uoU0EfwzX6ypE=
+SUBSTITUTERS=https://cache.metacraft-labs.com/blocksense-public
\ No newline at end of file
diff --git a/.github/act-secrets.local.env.example b/.github/act-secrets.local.env.example
index 121c356..8fdc047 100644
--- a/.github/act-secrets.local.env.example
+++ b/.github/act-secrets.local.env.example
@@ -8,11 +8,11 @@
 #
 # This script automatically retrieves tokens from your existing CLI tool logins:
 # - GitHub token from: gh auth token
-# - Cachix token from: ~/.config/cachix/cachix.dhall
+# - Attic token from: ATTIC_TOKEN environment variable
 #
 # Prerequisites:
 # 1. Install and login to GitHub CLI: gh auth login
-# 2. Install and configure Cachix: cachix authtoken
+# 2. Export an Attic token: export ATTIC_TOKEN=
 #
 # Usage:
 # ./.github/scripts/get-auth-tokens.sh
@@ -25,10 +25,10 @@
 # If you prefer to manually configure tokens, copy this file to
 # .github/act-secrets.local.env and fill in your actual values below:
-# Cachix authentication token for blocksense-os cache
-# Get from: https://app.cachix.org/ -> Your cache -> Settings -> Auth Tokens
-# Required for: Downloading from and pushing to Cachix binary cache
-CACHIX_AUTH_TOKEN=your_cachix_auth_token_here
+# Attic authentication token for blocksense-os cache
+# Get from the Metacraft Attic token issuer
+# Required for: Downloading from and pushing to Attic binary cache
+ATTIC_TOKEN=your_attic_token_here
 # GitHub personal access token
 # Get from: https://github.com/settings/tokens
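Review bot: The prerequisite line `# 2. Export an Attic token: export ATTIC_TOKEN=` in the @@ -8 hunk tells users to type the token on a shell command line, where it lands in shell history; prefer `read -rs ATTIC_TOKEN && export ATTIC_TOKEN` or sourcing it from a mode-0600 file. In the @@ -25 hunk, `# Required for: Downloading from and pushing to Attic binary cache` may overstate the need: if `blocksense-public` is, as its name suggests, a public cache, pulls need no token, and the comment as written nudges every developer to provision a push-capable credential for a read-only local run. Consider `# Required for: pushing to the Attic binary cache (pulls from a public cache need no token)`, after confirming the cache's access policy.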
@@ -55,6 +55,6 @@ CODECOV_TOKEN=your_codecov_token_here
 # Most workflows will run without the optional secrets, but may have reduced
 # functionality (e.g., no coverage uploads).
 #
-# For the CI workflow, only CACHIX_AUTH_TOKEN and GITHUB_TOKEN are typically needed.
+# For the CI workflow, only ATTIC_TOKEN and GITHUB_TOKEN are typically needed.
 #
 # Keep this file secure and never commit it to version control!
\ No newline at end of file
diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
index 3e55adb..2285b44 100644
--- a/.github/actions/setup-nix/action.yml
+++ b/.github/actions/setup-nix/action.yml
@@ -1,21 +1,23 @@
 name: 'Setup Nix Environment'
-description: 'Install Nix and setup Cachix for BlocksenseOS'
+description: 'Install Nix and configure binary caches for BlocksenseOS'
 inputs:
 github_token:
 description: 'GitHub token for Nix installation'
 required: true
- cachix_auth_token:
- description: 'Cachix authentication token'
- required: true
+ substituters:
+ description: 'Additional Nix substituters'
+ required: false
+ default: ''
+ trusted_public_keys:
+ description: 'Additional Nix trusted public keys'
+ required: false
+ default: ''
 runs:
 using: 'composite'
 steps:
- - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
- with:
- github_access_token: ${{ inputs.github_token }}
-
- - name: Setup Cachix
- uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
+ - name: Setup Nix
+ uses: metacraft-labs/nixos-modules/.github/setup-nix@main
 with:
- name: blocksense
- authToken: ${{ inputs.cachix_auth_token }}
+ trusted-public-keys: ${{ inputs.trusted_public_keys }}
+ substituters: ${{ inputs.substituters }}
+ nix-github-token: ${{ inputs.github_token }}
diff --git a/.github/scripts/get-auth-tokens.sh b/.github/scripts/get-auth-tokens.sh
index f738e3d..6320479 100755
--- a/.github/scripts/get-auth-tokens.sh
+++ b/.github/scripts/get-auth-tokens.sh
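Review bot: `uses: metacraft-labs/nixos-modules/.github/setup-nix@main` pulls a third-party composite action from a mutable branch, whereas the two `uses:` lines it replaces were pinned to full commit SHAs with a version comment. This action installs Nix and writes the substituter and trusted-key configuration for every job, so an upstream push to `main` changes CI's trust roots without any reviewed commit here; pin it as `uses: metacraft-labs/nixos-modules/.github/setup-nix@<commit-sha> # <tag-or-date>` and let a dependency bot bump it. The descriptions `'Additional Nix substituters'` and `'Additional Nix trusted public keys'` read as optional extras, but nothing else in this action configures a project cache, so an empty value silently means no project cache; say so, e.g. `description: 'Nix substituters to use; empty means no project cache is configured'`. The removed `cachix-action` step carried a push token and the new step carries none, so if CI previously populated the cache that stops with this change — worth a sentence in the commit message if intended.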
@@ -45,47 +45,25 @@ get_github_token() {
 fi
 }
-# Function to get Cachix token
-get_cachix_token() {
- print_status "$YELLOW" "Retrieving Cachix token from cachix CLI..."
-
- # Try different possible config locations
- local config_paths=(
- "$HOME/.config/cachix/cachix.dhall"
- "$HOME/.cachix/cachix.dhall"
- )
-
- # Add XDG_CONFIG_HOME path only if the variable is set
- if [[ -n "${XDG_CONFIG_HOME:-}" ]]; then
- config_paths+=("$XDG_CONFIG_HOME/cachix/cachix.dhall")
+# Function to get Attic token
+get_attic_token() {
+ print_status "$YELLOW" "Retrieving Attic token from ATTIC_TOKEN..."
+
+ if [[ -n "${ATTIC_TOKEN:-}" ]]; then
+ print_status "$GREEN" "✓ Attic token retrieved successfully"
+ echo "$ATTIC_TOKEN" # Only the token goes to stdout
+ return 0
 fi
- for config_path in "${config_paths[@]}"; do
- if [[ -f "$config_path" ]]; then
- print_status "$YELLOW" "Found Cachix config at: $config_path"
-
- # Use dhall-to-json and jq to properly parse the Dhall config
- local token
- token=$(dhall-to-json <<< "($(<"$config_path")).authToken" 2>/dev/null | jq -r '.' 2>/dev/null)
-
- if [[ -n "$token" && "$token" != "null" ]]; then
- print_status "$GREEN" "✓ Cachix token retrieved successfully"
- echo "$token" # Only the token goes to stdout
- return 0
- fi
- fi
- done
-
- print_status "$RED" "Error: Could not find Cachix authentication token"
- print_status "$YELLOW" "Please run: cachix authtoken "
- print_status "$YELLOW" "Or login via: cachix use "
+ print_status "$RED" "Error: ATTIC_TOKEN is not set"
+ print_status "$YELLOW" "Export an Attic push token before running this script."
 return 1
 }
 # Function to create/update act secrets file
 create_act_secrets() {
 local github_token=$1
- local cachix_token=$2
+ local attic_token=$2
 local secrets_file=".github/act-secrets.local.env"
 print_status "$YELLOW" "Creating/updating $secrets_file..."
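Review bot: `create_act_secrets` writes `$attic_token` into `.github/act-secrets.local.env`, and this hunk shows neither an `umask` nor a `chmod` on `secrets_file`; the rest of the function is outside the hunk, so if the file is not already created with 0600 permissions add `umask 077` before the write (or `chmod 600 "$secrets_file"` after it) so the bearer token is not world-readable on a shared machine. `get_attic_token` reads only `${ATTIC_TOKEN:-}`, yet its failure message `Export an Attic push token before running this script.` asks specifically for push rights; if local `act` runs only pull from the cache, say "read" or drop the scope word so users provision the least-privileged token.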
@@ -98,8 +76,8 @@ create_act_secrets() {
 # REQUIRED FOR WORKFLOW EXECUTION (Auto-retrieved)
 # =============================================================================
-# Cachix authentication token for blocksense-os cache (from cachix CLI)
-CACHIX_AUTH_TOKEN=$cachix_token
+# Attic authentication token for blocksense-os cache
+ATTIC_TOKEN=$attic_token
 # GitHub personal access token (from gh CLI)
 GITHUB_TOKEN=$github_token
@@ -125,7 +103,7 @@ main() {
 cd "$(dirname "$0")/../.." # Go to repo root
- local github_token cachix_token
+ local github_token attic_token
 # Get GitHub token
 if github_token=$(get_github_token); then
@@ -135,16 +113,16 @@ main() {
 exit 1
 fi
- # Get Cachix token
- if cachix_token=$(get_cachix_token); then
- print_status "$GREEN" "Cachix token: ${cachix_token:0:8}..." # Show only first 8 chars
+ # Get Attic token
+ if attic_token=$(get_attic_token); then
+ print_status "$GREEN" "Attic token: ${attic_token:0:8}..." # Show only first 8 chars
 else
- print_status "$RED" "Failed to get Cachix token"
+ print_status "$RED" "Failed to get Attic token"
 exit 1
 fi
 # Create secrets file
- create_act_secrets "$github_token" "$cachix_token"
+ create_act_secrets "$github_token" "$attic_token"
 print_status "$GREEN" "=== Setup Complete ==="
 print_status "$YELLOW" "You can now run workflows locally with: act"
@@ -152,4 +130,4 @@ main() {
 }
 # Run main function
-main "$@"
\ No newline at end of file
+main "$@"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c67583f..4f01c0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,7 +57,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run code quality checks
 run: just ci-code-quality
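Review bot: `main` still hard-fails with `exit 1` when `get_attic_token` returns non-zero (the @@ -135 hunk), but no workflow hunk in this patch passes `secrets.ATTIC_TOKEN` to any step — `setup-nix` now takes only `substituters`, `trusted_public_keys` and `github_token`. Unless a workflow outside this diff consumes it, the script forces every developer to obtain a push-capable token that nothing reads; consider making it optional, replacing the `else` branch's `exit 1` with `print_status "$YELLOW" "ATTIC_TOKEN not set; continuing without a cache push token"`, and restoring the hard failure once a consumer exists. The `${attic_token:0:8}...` echo of a token prefix to the terminal predates this change but is a habit worth dropping; printing only `${#attic_token}` gives the same confirmation without disclosing any of the secret.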
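Review bot: `trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}` makes a repository variable the trust anchor for binary substitution: whatever key that variable holds, Nix will accept store paths signed with it, and repository variables are edited in the settings UI by a repository admin without a reviewed commit or history in `git log`, while `scripts/nix.conf` pins the same key in source. Prefer hardcoding the `blocksense-public` URL and key as defaults in `.github/actions/setup-nix/action.yml` (or in the workflow itself) so any key change is a diff someone reviews, and reserve `vars.*` for genuinely per-environment extras. Because both inputs default to `''`, an unset variable silently yields a build with no project cache rather than an error, which is easy to miss. The same two lines appear in every `setup-nix` call in this file and in dependency-updates.yml, performance.yml, release.yml, security-audit.yml and tee-attestation.yml.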
@@ -111,7 +112,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Build ${{ matrix.component }}
 run: nix build .#${{ matrix.component }} -o build/${{ matrix.component }}
@@ -156,7 +158,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run unit tests for ${{ matrix.project }}
 run: |
@@ -198,7 +201,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Download build artifacts
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
@@ -240,7 +244,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Enable KVM
 run: |
@@ -273,7 +278,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Generate documentation
 run: just generate-docs
diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml
index 96ee321..9630684 100644
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -25,7 +25,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Check current dependency status
 run: just check-dependency-freshness
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index 0a1b091..c728611 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -36,7 +36,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run service startup performance tests
 run: just test-startup-performance
@@ -56,7 +57,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run load testing
 run: just test-load
@@ -80,7 +82,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Build current version
 run: just build-all
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0828cad..e1fd9b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,7 +79,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Build release artifacts
 run: just build-release-artifacts
@@ -122,7 +123,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Generate documentation
 run: just generate-docs
@@ -131,4 +133,6 @@ jobs:
 uses: peaceiris/actions-gh-pages@4a2e02b36f31d8974a0d09d3bb9f3172aa2d0d0d # v3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 publish_dir: ./docs/build
\ No newline at end of file
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index b2164f3..3b1dd4d 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -34,7 +34,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run comprehensive security audit
 run: just security-audit
@@ -80,7 +81,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Generate comprehensive SBOM
 run: just generate-sbom
diff --git a/.github/workflows/tee-attestation.yml b/.github/workflows/tee-attestation.yml
index b9f15c3..6b8b3fe 100644
--- a/.github/workflows/tee-attestation.yml
+++ b/.github/workflows/tee-attestation.yml
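Review bot: The two added lines `substituters: ${{ vars.SUBSTITUTERS }}` and `trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}` in the @@ -131 hunk of release.yml sit inside the `with:` block of `peaceiris/actions-gh-pages`, not of `setup-nix`; that action has no such inputs, so the runner will warn about unexpected inputs and ignore them. This looks like an over-broad search-and-replace from the other `setup-nix` call sites; drop both lines from this step so its `with:` keeps only `github_token` and `publish_dir`. The file also still ends without a trailing newline (`\ No newline at end of file`), which the get-auth-tokens.sh hunk in this same patch fixed for that file.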
@@ -39,7 +39,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run attestation unit tests for ${{ matrix.component }}
 run: |
@@ -69,7 +70,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Test ${{ matrix.tee_type }} compatibility
 run: just test-tee-compatibility
@@ -89,7 +91,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Test derivation hash consistency
 run: just test-derivation-consistency
@@ -109,7 +112,8 @@ jobs:
 - uses: ./.github/actions/setup-nix
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ substituters: ${{ vars.SUBSTITUTERS }}
+ trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 - name: Run end-to-end attestation tests
 run: just test-attestation-e2e
diff --git a/scripts/nix.conf b/scripts/nix.conf
index 0b2d4c3..443075c 100644
--- a/scripts/nix.conf
+++ b/scripts/nix.conf
@@ -11,10 +11,10 @@ accept-flake-config = true
 max-jobs = auto
 # Enable binary caches for faster builds
-substituters = https://cache.nixos.org/ https://nix-community.cachix.org
+substituters = https://cache.nixos.org/ https://cache.metacraft-labs.com/blocksense-public
 # Trust public keys for binary caches
-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= blocksense-public:OOgTc0ye1FONCiVHMrbpScc/HP+lX3uoU0EfwzX6ypE=
 # Keep build outputs for debugging CI failures
 keep-outputs = true
diff --git a/scripts/setup-nix-substituters.sh b/scripts/setup-nix-substituters.sh
index 0ff3bb8..e89c6a6 100644
--- a/scripts/setup-nix-substituters.sh
+++ b/scripts/setup-nix-substituters.sh
@@ -17,8 +17,8 @@ if [ -f ~/.config/nix/nix.conf ]; then
 else
 echo "⚠️ Adding missing substituters to existing config"
 echo "" >> ~/.config/nix/nix.conf
- echo "substituters = https://cache.nixos.org/ https://nix-community.cachix.org" >> ~/.config/nix/nix.conf
- echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> ~/.config/nix/nix.conf
+ echo "substituters = https://cache.nixos.org/ https://cache.metacraft-labs.com/blocksense-public" >> ~/.config/nix/nix.conf
+ echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= blocksense-public:OOgTc0ye1FONCiVHMrbpScc/HP+lX3uoU0EfwzX6ypE=" >> ~/.config/nix/nix.conf
 fi
 else
 echo "❌ Nix configuration not found - should be copied during Docker build"
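Review bot: The `blocksense-public` substituter URL and its signing key are now written verbatim in three committed files (`scripts/nix.conf`, the two `echo ... >> ~/.config/nix/nix.conf` lines here, and `.github/act-env.env`) and separately in the `vars.SUBSTITUTERS`/`vars.TRUSTED_PUBLIC_KEYS` repository variables, so a key rotation has four places to drift and a stale copy keeps trusting a retired key. Keep one source of truth — for example have this script copy or source the `substituters`/`trusted-public-keys` values from `scripts/nix.conf` instead of repeating the literals. A new entry in `trusted-public-keys` is a trust root for every store path CI and developers substitute, so `blocksense-public:OOgTc0ye1FONCiVHMrbpScc/HP+lX3uoU0EfwzX6ypE=` should be confirmed against the value the cache operator publishes out-of-band before merging; a key pasted here is accepted as genuine without further check. The `nix-community.cachix.org` substituter and key are dropped in the same lines; if any dependency was only served from there, builds now fall back to compiling it, which is fine but worth stating in the commit message.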