Skip to content

Watching a good video about GitHub Actions by got me thinking: What is CI?

To me, CI is a thing that builds my things, runs my tests and deploys my things.

To build and test, I use Nix. To deploy, I copy the software that I've built using Nix to a server and run it (simplified; I actually use NixOS, but it's pretty much equivalent to running a script on a server that installs my software).

Therefore, a build step is a simple nix build. A deploy step could therefore potentially be a nix run .#deploy in a clean, semi-isolated environment (deploys are an effect so we can't have a pure environment) that has some sort of secret defined so nobody else can deploy except my CI runner.

Could I potentially create something like this? Maybe. Could I also use it for my own purposes? Also maybe. Would it be secure? ...probably? As long as I do a good job at isolating things and not running untrusted code (such as deploying from branches that I do not control), it should be. I mean, GitHub Actions is attacked by cryptominers occasionally as a result of PRs running CI.

Nix has timeouts, so jobs can't run forever. Also Nix isolates builds from networking, so a cryptominer would be rather useless in such an environment.

Deploy steps are trickier to secure. But on the other hand, you don't really want to deploy from an untrusted branch that you don't even know about, right? One usually deploys from main, and this simplifies things — you just have to make sure you don't fuck up your main branch. So I guess security becomes a matter of code review. And also keeping your deploy secrets a secret.

I think I should try my hand at this someday.