Buildkite: Difference between revisions
imported>Mic92 add sandbox builds |
imported>Mic92 No edit summary |
Line 31: | Line 31: | ||
Make sure that you don't add secrets to your nix store! | Make sure that you don't add secrets to your nix store! | ||
<syntaxHighlight lang=nix> | |||
{ pkgs, config, ... }: | { pkgs, config, ... }: | ||
{ | { | ||
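Review bot: The warning kept as context at the top of this hunk, "Make sure that you don't add secrets to your nix store!", gives no reason and no alternative, and the newly highlighted block follows directly after it. Suggest adding one sentence saying that the Nix store is world-readable, so any secret that ends up in a store path can be read by every local user, and that key and token files should therefore be referenced from a location outside the store. Minor style point on the added tag: `<syntaxhighlight lang="nix">` with a quoted attribute is the more common spelling.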
Line 54: | Line 54: | ||
}; | }; | ||
} | } | ||
</syntaxHighlight> | |||
Since pull requests can modify the build instructions it is recommend to move <code>.buildkite/pipeline.yml</code> from the repository itself and only provide it via the web interface. Also consider using <code>restrict-eval</code> options to prevent leaking the buildkite's ssh key and api token, since those are still mounte into the chroot. | Since pull requests can modify the build instructions it is recommend to move <code>.buildkite/pipeline.yml</code> from the repository itself and only provide it via the web interface. Also consider using <code>restrict-eval</code> options to prevent leaking the buildkite's ssh key and api token, since those are still mounte into the chroot. |
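Review bot: The paragraph left unchanged after the new closing `</syntaxHighlight>` tag still contains two typos, "it is recommend" and "still mounte into the chroot", and "move ... from the repository itself" reads as though "remove" was meant. Since this edit touches the lines directly above, fix them in the same revision: "it is recommended to remove", "still mounted into the chroot". The phrase "<code>restrict-eval</code> options" is also vague; naming the exact setting and where it is configured would let readers act on the advice about the SSH key and API token.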