We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Untrusted CI

2
 Cite
 Share
 Download
 Purchase
Logo of NixConNixCon
 Klink, Florian (flokli)

Formal Metadata

Title
Untrusted CI
Alternative Title
Using post-build hooks to get automatic caching of untrusted builds
Title of Series
Number of Parts
19
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
This talk describes how to use post-build hooks, a recently added Nix feature, to automatically sign and upload artifacts to a binary cache, so they can be re-used for subsequent builds. It compares that approach with existing ones, and explains why using post-build hooks are superior in terms of what's cached, and when it comes to building untrusted code, for example Pull Requests from external contributors. Finally, it shows an example on how this can be set up in a cloud provider setting, and discusses further improvements.