| 14 May 2026 |
hexa | hetzner@intense-heron.mac.nixos.org | 3:28 up 48 days, 8:07, 0 users, load averages: 15.91 14.71 11.59
customer@eager-heisenberg.mac.nixos.org | 1:28 up 28 days, 13:38, 1 user, load averages: 7.24 8.43 8.04
customer@kind-lumiere.mac.nixos.org | 1:28 up 40 days, 9:47, 1 user, load averages: 4.58 6.38 6.41
hetzner@growing-jennet.mac.nixos.org | 3:28 up 20 days, 22:27, 0 users, load averages: 5.80 8.05 9.15
hetzner@enormous-catfish.mac.nixos.org | 3:28 up 40 days, 9:54, 0 users, load averages: 5.01 7.72 7.86
hetzner@sweeping-filly.mac.nixos.org | 3:28 up 40 days, 9:59, 0 users, load averages: 3.97 5.49 6.28
hetzner@maximum-snail.mac.nixos.org | 3:28 up 40 days, 9:55, 0 users, load averages: 8.13 7.53 7.29
root@norwegian-blue.mac.nixos.org | 3:28 up 2 days, 16:39, 1 user, load averages: 2.55 4.79 5.16
| 01:28:53 |
| @tjni:matrix.org left the room. | 04:57:49 |
Vladimír Čunát | Channels are blocked.
remote: Personal access tokens (classic) are forbidden from accessing this repository.
https://github.com/NixOS/org/issues/247#issuecomment-4447783439
| 09:38:48 |
emily | I did ping infra team on that issue weeks ago after doing a brief review myself 😅 | 13:32:02 |
emily | we should probably roll back for now until the uses can be fixed | 13:32:15 |
emily | the channel scripts should be using a GitHub app like CI/rfc39/etc. do, most likely | 13:33:40 |
emily | IIRC it looked to me like the channel scripts used an SSH key for the Git push btw, what is the token in question used for? | 13:53:32 |
Vladimír Čunát | Well, I did not know this stuff. Just tried to diagnose the issue quickly. | 14:22:55 |
Vladimír Čunát | Which pointed me to
GIT_DIR=$dir git config credential.helper 'store --file=${config.age.secrets.hydra-mirror-git-credentials.path}'
| 14:37:47 |
hexa | this is easily fixed | 14:50:56 |
hexa | we'll go for an ssh key this time, I think | 14:56:06 |
emily | yeah, making it use an app is probably good for the long term to scope the permissions further but SSH key will at least restrict it down to Git ops | 15:14:48 |
emily | sorry for missing that when looking through the infra repo | 15:15:18 |
emily | I'll look through the other reports in more detail later | 15:16:28 |
emily | but I guess this was the only thing noticed for official infra? | 15:16:38 |
hexa | I didn't check, because I assumed you did | 15:18:12 |
hexa | but no biggie | 15:18:15 |
hexa | I'll check the rest of infra in a bit | 15:18:30 |
emily | I did | 15:28:51 |
emily | I listed my findings in the original issue | 15:29:03 |
emily | but pinged because it seemed possible I missed something since I'm not super savvy with the infra repo and don't have access to the secrets to see what format they take | 15:29:33 |
emily | the secret had Hydra in the name and I checked that the Hydra code was doing it right (with other Hydra secrets I guess). didn't correlate it with the channel scripts that looked like they'd just be using an SSH key | 15:30:35 |
hexa | infra call in 30m | 15:31:24 |
hexa | no worries, emily | 15:31:49 |
hexa | https://github.com/NixOS/infra/pull/1033 | 15:33:55 |
hexa | at least the git* secrets look clean | 15:45:48 |
hexa | they're not random pats | 15:46:00 |
hexa | https://meet.cccda.de/nix-osin-fra | 15:53:25 |
hexa | We enabled Intelligent Tiering on the cache.nixos.org S3 bucket. The idea is that we'll save money by moving older objects to lower storing tiers "intelligently". We'll check back in a month to evaluate the updated cost structure. | 16:47:51 |