Tighten the actions' sandbox #36
Conversation
pnmadelaine
changed the title
|
I think we should either mount Without the This could be worked around by adding the flag to each nix invocation, but one would probably like stuff such as custom substituters and max-jobs as well? |
I have been thinking about this. I would note that the sandbox is only used for the actions, no the builds. In spirit an action should not run a Nix build. The only current occurence of Nix in an action is in I would oppose mounting |
As I quickly wrote in my previous comment, this is only relevant if actions are running Nix builds, which is against the spirit of actions. I just want to give a few details about why : an action is meant to be a quick operation (EDIT: well actually not necessarily quick, but light on resources). Long arbitrary computations should be left to jobs, and any dependency an action uses should be built by the action's derivation, at the time of a project's refresh. Of course we can't force people to follow these principles and prevent them from calling something like |
Agree, this was more a thought about a stop-gap as we just gave up on mounting all of /etc/, including /etc/nix/nix.conf, anyway. But your design considerations sound good! :) Sorry if this is too off-topic (there isn't a forum/matrix channel yet, right?), but are you aware of https://docs.hercules-ci.com/hercules-ci-effects/ and if so what's your thoughts on that in comparison to typhons approach? |
I reserved https://typhon.zulipchat.com, which is ready as soon as there is demand for it!
I know about them but I have not dived too deep into it yet. Now that I am starting to work on extending the library beyond basic features I think I should take a closer look. From a brief overview of the documentation, I could spot two main differences of design: Hercules CI seems focused on GitHub, and the effects have native access to some state (which is not the case in Typhon without hacks). What I don't know but am interested in is how easily Hercules' effects can be run locally for testing. This was a major frustration point with GitHub actions that contributed to the creation of Typhon. And I loop back to the subject of this PR, because the reason I noticed the issues with the sandbox is that I was writing https://github.com/typhon-ci/typhon-github-action to test wether we could actually run Typhon's actions in different contexts :) |
Just tried to sign up, but would seemingly need an invite atm.
It says something about Gitlab in the docs as well, and conceptually there should be nothing that blocks usage of Gitea or so?
Yes, but I think that's a useful feature to have, at long as it's explicit?
Hercules implements local actions in it's agent: https://docs.hercules-ci.com/hercules-ci-agent/hci/effect/run, which effectively runs them in a local OCI container after preparing it's environment. |
I just opened up the instance!
Well at least it requires a GitHub account to sign up, and it asks for an amount of permissions I am not confortable with. That's the main reason I did not really test it…
That actually sounds really nice :) I think it would definitely be a good thing to do a proper comparison at some point! |
I am not yet sold on the feature. My reasonning is that introducing state complicates things both for the implementation and for the user. There are design decisions to make that seem arbitrary to me: is the state shared by all actions of the same project? by all actions of the same jobset? At the very least these are decisions that I want to leave for later. I am not saying that it is a bad idea either. I am just inclined to keep things as simple as possible at first, and wait for people to come up with scenarios that we are interested in handling that require the feature. |
|
I'm also in favor of setting nice (flake enabled) defaults for We should definitely look more at Hercules effects, looks like there are lots of cool ideas there! Would be great to offer some level of compatibility, even. Concerning state, I think that can actually be pretty nice! For instance, say you want to track build time regressions, having a simple state API would be cool :) |
pnmadelaine
changed the title
/etcsee NixOS/nix#8074 about why
$HOMEis now set before calling Nix from an action