| 14 May 2026 |
emily | the channel scripts should be using a GitHub app like CI/rfc39/etc. do, most likely | 13:33:40 |
emily | IIRC it looked to me like the channel scripts used an SSH key for the Git push btw, what is the token in question used for? | 13:53:32 |
Vladimír Čunát | Well, I did not know this stuff. Just tried to diagnose the issue quickly. | 14:22:55 |
Vladimír Čunát | Which pointed me to
GIT_DIR=$dir git config credential.helper 'store --file=${config.age.secrets.hydra-mirror-git-credentials.path}'
| 14:37:47 |
hexa | this is easily fixed | 14:50:56 |
hexa | we'll go for an ssh key this time, I think | 14:56:06 |
emily | yeah, making it use an app is probably good for the long term to scope the permissions further but SSH key will at least restrict it down to Git ops | 15:14:48 |
emily | sorry for missing that when looking through the infra repo | 15:15:18 |
emily | I'll look through the other reports in more detail later | 15:16:28 |
emily | but I guess this was the only thing noticed for official infra? | 15:16:38 |
hexa | I didn't check, because I assumed you did | 15:18:12 |
hexa | but no biggie | 15:18:15 |
hexa | I'll check the rest of infra in a bit | 15:18:30 |
emily | I did | 15:28:51 |
emily | I listed my findings in the original issue | 15:29:03 |
emily | but pinged because it seemed possible I missed something since I'm not super savvy with the infra repo and don't have access to the secrets to see what format they take | 15:29:33 |
emily | the secret had Hydra in the name and I checked that the Hydra code was doing it right (with other Hydra secrets I guess). didn't correlate it with the channel scripts that looked like they'd just be using an SSH key | 15:30:35 |
hexa | infra call in 30m | 15:31:24 |
hexa | no worries, emily | 15:31:49 |
hexa | https://github.com/NixOS/infra/pull/1033 | 15:33:55 |
hexa | at least the git* secrets look clean | 15:45:48 |
hexa | they're not random PATs | 15:46:00 |
hexa | https://meet.cccda.de/nix-osin-fra | 15:53:25 |
hexa | We enabled Intelligent Tiering on the cache.nixos.org S3 bucket. The idea is that we'll save money by moving older objects to lower storing tiers "intelligently". We'll check back in a month to evaluate the updated cost structure. | 16:47:51 |
hexa | $ git remote update origin >&2
Fetching origin
From https://github.com/NixOS/nixpkgs
* [new branch] backport-518430-to-release-25.11 -> origin/backport-518430-to-release-25.11
7f1371b3a6db..3054723ea2b1 master -> origin/master
625b14ada4b3..aa8faea6d577 python-updates -> origin/python-updates
fbc1b6e6d1ad..503504ad2d36 release-25.11 -> origin/release-25.11
997d0d965a30..0b1741a3bf36 staging -> origin/staging
e81ce22cc447..2a7e5c6f1f46 staging-next -> origin/staging-next
ec5490bc79b6..2a49f0d42ca9 staging-nixos -> origin/staging-nixos
$ git push origin 54a8ef403e0b27e1eed0298f92e8d3cb863c968a:refs/heads/nixos-25.11-small >&2
fatal: could not read Username for 'https://github.com': No such device or address
Command failed with code (128) errno (0).
| 22:38:38 |
hexa | welp | 22:38:45 |
hexa | https://seashells.io/v/TrBcrEvC | 22:40:30 |
hexa | ok, we're good | 22:41:36 |
| 15 May 2026 |
hexa | in 2 minutes | 10:22:54 |