ci(test): remove PAT and Cachix token dependencies from the Test workflow #4159

Draft
Stevengre wants to merge 2 commits into master from worktree-avoid-pat
@Stevengre Stevengre commented Jun 30, 2026

Removes both credential dependencies from the `Test` workflow, so it no longer relies on long-lived or manually-managed tokens.

Changes

  • Drop `JENKINS_GITHUB_PAT` from the formatting job.
    The job previously used the PAT to push a fourmolu commit back to the PR branch. It now runs fourmolu and fails if any `.hs` file changed, prompting the author to format locally and commit. No write token or push is needed.

  • Drop `CACHIX_PUBLIC_TOKEN` (pull-only Cachix).
    The `k-framework` Cachix cache is publicly readable, so no auth token is needed to use it as a substituter. Removing `authToken` makes `cachix-action` pull-only (no push-back). Cache repopulation is left to other authenticated workflows.

Notes

  • The only remaining secret is the built-in `GITHUB_TOKEN` (auto-injected, short-lived, repo-scoped), used for nix flake-input rate limiting. Nothing to manage there.
  • Trade-off for pull-only Cachix: PR CI no longer repopulates the cache; it still gets cache hits on read.

…pushing

The formatting job used JENKINS_GITHUB_PAT to push a fourmolu commit back
to the PR branch. Remove the PAT dependency: run fourmolu and fail the job
if any .hs file changed, prompting the author to format locally and commit.
No write token or push is needed.

@Stevengre Stevengre requested a review from ehildenb June 30, 2026 10:07
@Stevengre Stevengre self-assigned this Jun 30, 2026
@Stevengre Stevengre removed the request for review from ehildenb June 30, 2026 10:08
@Stevengre Stevengre marked this pull request as draft June 30, 2026 10:08

The k-framework Cachix cache is publicly readable, so no auth token is
needed to use it as a substituter. Removing authToken makes cachix-action
pull-only (no push-back to the cache), eliminating the token dependency.
Cache repopulation is left to other authenticated workflows.

@Stevengre Stevengre changed the title from "ci(test): drop PAT from formatting job, check format instead of auto-pushing" to "ci(test): remove PAT and Cachix token dependencies from the Test workflow" Jul 2, 2026
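
The check-only formatting gate described in the pull request (run the formatter, fail if any `.hs` file changed, push nothing) can be sketched as follows. This is an added example, not the workflow code from this pull request: the function name `check_hs_formatting` and its exit codes are hypothetical, and the formatter command is passed in as a parameter, with `fourmolu --mode inplace` as the assumed CI invocation.

```shell
#!/bin/sh
# Added example, not the project's workflow: a check-only formatting gate.
# Usage: check_hs_formatting REPO_DIR FORMATTER [FORMATTER_ARGS...]
# Exit 0: formatter changed nothing. Exit 1: tracked .hs files were
# rewritten (author must format locally). Exit 2: the check could not run.
check_hs_formatting() {
    (
        cd "$1" || exit 2
        shift
        [ "$#" -ge 1 ] || exit 2          # no formatter command given
        # Only tracked files, so untracked build output is never rewritten.
        [ -z "$(git ls-files -- '*.hs')" ] && exit 0
        # Format in place. Assumed CI invocation: fourmolu --mode inplace
        git ls-files -z -- '*.hs' | xargs -0 "$@" || exit 2
        # Ignore files whose timestamps changed but whose content did not.
        git update-index -q --refresh >/dev/null 2>&1 || true
        # Working tree vs. index: any difference is the formatter's doing,
        # provided the checkout was clean (true for a fresh CI checkout).
        if ! git diff --quiet -- '*.hs'; then
            echo "Not formatted; run the formatter locally and commit:" >&2
            git diff --name-only -- '*.hs' >&2
            exit 1
        fi
        exit 0
    )
}
```

Because the gate only reads the checkout and reports through its exit status, the job that runs it needs no credential with write access to the branch.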