Private caches
How we designed our private caches.
Our new private caches
When you use garnix to build your Nix packages, you automatically get a cache. The cache is integrated with the CI itself, so it helps substantially speed up rebuilds. But we also make that cache available so you, your colleagues, or the users of your software can benefit from the built artifacts. Recently we also made that cache substantially faster.
For private repositories, however, there were only two choices: either you ask us for an enterprise deployment, with its entirely separate infrastructure and higher costs (enough so that it makes sense mostly for larger companies or companies with a very high confidentiality premium), or you make the build artifacts "public". The quotes are there because, in order to retrieve those cache artifacts, an attacker still needs to know the hash of each artifact. But relying on this hash staying secret for confidentiality has its problems: the hash isn't treated as secret by most tooling — including by Nix itself, which prints it directly into your terminal in various logs, making it very easy to accidentally copy-paste it into a GitHub issue or StackOverflow question.
Recently, however, we added the ability to make caches more properly private without an enterprise deployment. In order to get the artifacts, you then need an access token. You can create the token in your account page, which also gives you instructions about where exactly to put it.
A noteworthy thing about how we figure out what that token is authorized to access is that you don't need to configure any of it! Every artifact built during a CI run of a repo you have read access to will be accessible to you. This mirrors what you can already do, since, with the repo access, you could have built the artifact yourself. You also don't have to worry about adding or removing permissions when team members join or leave: because we use the repo permissions, that's all you have to change.
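To make the authorization model concrete, here is an added toy model (not garnix's code) of a cache that derives artifact access from repo read permissions at request time. The token store, the repo names, the store-path hashes and the rule that public repos' artifacts stay world-readable are all constructed assumptions for the example.

```python
"""Toy model (not garnix's code) of cache access derived from repo permissions.

State: which user a token belongs to, which repos each user can currently read,
and which repos' CI runs produced each artifact. No separate cache ACL exists.
"""
import hashlib
import hmac

# Constructed sample data. Tokens are held only as SHA-256 digests.
TOKENS = {
    hashlib.sha256(b"tok-alice").hexdigest(): "alice",
    hashlib.sha256(b"tok-bob").hexdigest(): "bob",
}
# Live repo read permissions (the source of truth, consulted per request).
REPO_READERS = {"acme/app": {"alice", "bob"}, "acme/secret": {"alice"}}
PUBLIC_REPOS = {"acme/oss"}  # assumption: public repos' artifacts stay public
# Constructed store-path hashes -> repos whose CI runs built that artifact.
ARTIFACT_BUILT_BY = {
    "h-oss-1": {"acme/oss"},
    "h-secret-1": {"acme/secret"},
    "h-shared-1": {"acme/secret", "acme/app"},  # same output, two repos
}

def user_for_token(token):
    """Resolve a bearer token to a user, comparing digests in constant time."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, user in TOKENS.items():
        if hmac.compare_digest(stored, digest):
            return user
    return None

def can_fetch(artifact_hash, token=None, private=True):
    """Decide whether a request for artifact_hash may be served.

    private=False models the old "public" cache, where knowing the hash is
    enough. private=True requires that the token's user currently has read
    access to at least one repo whose CI run built the artifact.
    """
    builders = ARTIFACT_BUILT_BY.get(artifact_hash)
    if builders is None:
        return False  # unknown artifact: fail closed, reveal nothing
    if builders & PUBLIC_REPOS:
        return True
    if not private:
        return True  # the hash is the only "secret"
    user = user_for_token(token) if token else None
    if user is None:
        return False
    return any(user in REPO_READERS.get(repo, set()) for repo in builders)

def revoke_read_access(repo, user):
    """Removing a collaborator is the only change needed to cut cache access."""
    REPO_READERS.get(repo, set()).discard(user)
```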
Right now this feature is opt-in, and you have to reach out to us for us to enable it. In the near future we intend to make it the default for any new repos. We won't enable it for existing repos anytime soon, unless asked, because users already have workflows that might break if we do that.