diff --git a/.github/actions/nix-cachix-setup/action.yml b/.github/actions/nix-cachix-setup/action.yml
index 80ec236..47fa904 100644
--- a/.github/actions/nix-cachix-setup/action.yml
+++ b/.github/actions/nix-cachix-setup/action.yml
@@ -59,18 +59,23 @@ runs:
 nix_conf: |
 keep-env-derivations = true
 keep-outputs = true
- # Authenticate nix GitHub API calls (flake resolution) so they
- # use the run token rate limit (~1000/hr) instead of the
- # unauthenticated 60/hr/IP cap, which 429s under CI bursts.
- access-tokens = github.com=${{ inputs.github-token || github.token }}
- # TEMPORARY: log token lengths (never values) to diagnose the cross-org
- # flake-fetch 429. Remove once the wiring is confirmed.
- - name: Debug token wiring
+ # Authenticate nix's GitHub API calls (flake resolution) so they use the run
+ # token rate limit (~1000/hr) instead of the unauthenticated 60/hr/IP cap
+ # that 429s under CI bursts. Exported via NIX_CONFIG to $GITHUB_ENV so every
+ # subsequent nix command in the job (incl. `nix develop github:...`) reads
+ # it — the access-tokens line in nix-quick-install's nix_conf does NOT land
+ # in the effective nix.conf.
+ - name: Authenticate nix GitHub API calls
 shell: bash
 env:
- INPUT_TOK: ${{ inputs.github-token }}
- BARE_TOK: ${{ github.token }}
- run: echo "WIRING inputs.github-token len=${#INPUT_TOK} bare-github.token len=${#BARE_TOK}"
+ GH_API_TOKEN: ${{ inputs.github-token || github.token }}
+ run: echo "NIX_CONFIG=access-tokens = github.com=$GH_API_TOKEN" >> "$GITHUB_ENV"
+ # TEMPORARY verification — remove before merge.
+ - name: VERIFY access-tokens applied
+ shell: bash
+ run: |
+ echo "VERIFY config_count=$(nix config show 2>/dev/null | grep -c access-tokens)"
+ echo "VERIFY flake=$(nix flake metadata github:rainlanguage/rainix --no-write-lock-file 2>&1 | grep -aoiE 'resolved|429|http error|forbidden' | head -1)"
 # Substitute prebuilt rainix derivations from the shared Cachix binary
 # cache instead of rebuilding toolchain crates from source (rainix#196).
 # Pushes new paths when the auth token is set; continue-on-error so a
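Review bot: Writing the token into `$GITHUB_ENV` in the "Authenticate nix GitHub API calls" step places it in the environment of every later step in the calling job, not only nix invocations, so any third-party action or build/test process that runs afterwards can read `NIX_CONFIG`. The single-line `echo ... >> "$GITHUB_ENV"` also replaces any `NIX_CONFIG` the caller had already exported, and a token value containing a newline would be parsed as an extra variable assignment. The comment above the step should state this exposure explicitly, e.g. `# NOTE: the token becomes visible to all subsequent steps via NIX_CONFIG; callers should pass a read-only token`, and the step could refuse multi-line input with `case "$GH_API_TOKEN" in *$'\n'*) exit 1;; esac` before the write. If a user-level nix.conf is honoured in this setup (the hunk does not show it), a file written under `umask 077` would keep the token out of the process environment. The `runs:` step list continues outside the hunk.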
diff --git a/.github/workflows/rainix-manual-sol-artifacts.yaml b/.github/workflows/rainix-manual-sol-artifacts.yaml
index efc4974..4dc2888 100644
--- a/.github/workflows/rainix-manual-sol-artifacts.yaml
+++ b/.github/workflows/rainix-manual-sol-artifacts.yaml
@@ -48,7 +48,7 @@ jobs:
 # Shared nix + cachix CI preamble (checkout, nix-quick-install, Cachix,
 # cache-nix-action) — pinned action SHAs live in the composite. Fully
 # qualified ref: a bare `./` would resolve against the calling repo.
- - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main
+ - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@debug/token-wiring-2
 with:
 cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 github-token: ${{ github.token }}
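Review bot: The `uses:` line now resolves the composite from the branch `debug/token-wiring-2`, a mutable ref, while the `with:` block below hands it `secrets.CACHIX_AUTH_TOKEN` and the job token. Whoever can push to that branch controls the code that receives both credentials, and a debug branch is presumably not covered by the protections applied to `main`. Before merge the ref should go back to `@main` or, better, be pinned to a full commit SHA: `- uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@<full-commit-sha>`. The job definition starts and ends outside the hunk.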