mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 15:03:28 +00:00
b246490d8c
In the previous two commits, security issues with these workflows were
fixed. In order for these to not be exploitable for PRs to branches that
don't have the fixes yet (including read-only branches like
nixos-unstable), these workflows are renamed, so that the old ones can
be turned off manually via the GitHub interface.
Co-Authored-By: 13x1 <tori@disroot.org>
Co-Authored-By: basti564 <e3e@disroot.org>
(cherry picked from commit 5bbbc3a30b)
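# Builds the Nixpkgs manual (and its tests) for pull requests against master
# that touch the documentation, lib, or nixdoc sources.
name: "Build Nixpkgs manual v2"

# Workflow-wide token scope: the GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read

on:
  # pull_request_target runs in the context of the base repository, so the
  # workflow definition comes from the base branch and repository secrets
  # (see the cachix step below) are available to the job.
  pull_request_target:
    branches:
      - master
    paths:
      - 'doc/**'
      - 'lib/**'
      - 'pkgs/tools/nix/nixdoc/**'

jobs:
  nixpkgs:
    runs-on: ubuntu-latest
    # Skip the job outside the NixOS organisation (e.g. in forks).
    if: github.repository_owner == 'NixOS'
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA corresponds to.
      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
        with:
          # pull_request_target checks out the base branch by default
          # NOTE: this ref is the PR merged into the base, so every file in the
          # working tree from here on is PR-controlled and must be treated as
          # untrusted input by the following steps.
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          # Do not leave the job token in the checked-out tree's git config:
          # later steps evaluate PR-controlled code and no step needs git auth.
          persist-credentials: false
      - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
        with:
          # explicitly enable sandbox
          extra_nix_config: sandbox = true
      - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          # Repository secret handed to the action in a job that builds PR code;
          # the "do not trust this cache" note above is the stated compensating
          # assumption. Keep the token scoped to this cache only.
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Building Nixpkgs manual
        # restrict-eval limits what the (PR-controlled) Nix expressions may
        # access during evaluation; together with the sandbox setting above it
        # is the containment for building untrusted code in this job.
        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests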