Authenticate the update workflow#132

Merged
grahamc merged 1 commit into main from push-uqptknrwqsxv
Jan 28, 2026
Conversation

Member

@grahamc grahamc commented Jan 28, 2026

Description
Checklist
  • Tested changes against a test repository
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • (If this PR is for a release) Updated README to point to the new tag (leave unchecked if not applicable)

Summary by CodeRabbit

  • Chores
    • Updated CI workflow permissions for enhanced security controls.


netlify bot commented Jan 28, 2026

Deploy Preview for detsys-ts-docs ready!

Name Link
🔨 Latest commit 18d0b0c
🔍 Latest deploy log https://app.netlify.com/projects/detsys-ts-docs/deploys/697a46048cdcc200089593cf
😎 Deploy Preview https://deploy-preview-132--detsys-ts-docs.netlify.app

coderabbitai bot commented Jan 28, 2026

Walkthrough

Added permissions configuration to the checks job in the CI workflow, granting contents: read and id-token: write permissions on the Ubuntu 24.04 runner.

Changes

Cohort / File(s): CI Configuration, .github/workflows/ci.yml
Summary: Added permissions block to checks job with contents: read and id-token: write

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • cole-h

Poem

🐰✨ A permissions pass through actions flow,
Read and tokens, let them know,
Ubuntu checks now secured right,
With a config touch so light!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
Title check: ⚠️ Warning. Explanation: The title 'Authenticate the update workflow' is vague and does not accurately reflect the specific change made, which is adding a permissions block to a CI workflow. Resolution: Use a more specific title like 'Add permissions block to CI workflow' or 'Configure OIDC authentication for CI checks job' to clearly describe the actual change being made.

✅ Passed checks (2 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Comment on lines +13 to +15
permissions:
contents: read
id-token: write
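Review bot: confirm where this block actually sits before merging. The walkthrough says it was added to the `checks` job, while the actionable comment treats it as a top-level grant; at workflow level `id-token: write` applies to every job on every trigger, including pull_request, so if it is top-level it should move under the one job that runs flakehub-cache-action. Also note that an explicit `permissions:` block sets every unlisted scope to none, so any other scope the job relied on before must be listed alongside `contents: read` and `id-token: write`.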
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the full CI workflow file to understand which actions are used
cat -n .github/workflows/ci.yml

Repository: DeterminateSystems/detsys-ts

🌐 Web query:

DeterminateSystems flakehub-cache-action GitHub OIDC id-token requirements

💡 Result:

To use DeterminateSystems/flakehub-cache-action with GitHub OIDC, your workflow/job must be allowed to request a GitHub Actions OIDC ID token, which requires explicitly granting the id-token: write permission (otherwise no JWT can be minted/retrieved). GitHub also commonly pairs this with contents: read so actions/checkout works when you’ve overridden default permissions. [1][2]

Minimal example:

jobs:
  nix-ci:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v5
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - run: nix build

Notes / gotchas:

  • The FlakeHub Cache docs explicitly call out that the permissions block is what enables authentication (no keys needed), and that the action can’t push if you omit it. [2][3]
  • FlakeHub Cache is not available for pull requests from forks because the GitHub-provided JWT doesn’t include the needed claims to authenticate. [2]
  • If you’re calling a reusable workflow (especially one outside your org/enterprise), GitHub requires setting permissions: id-token: write in the caller to allow OIDC token use. [1][4]

Sources: [1] GitHub OIDC reference, [2] FlakeHub Cache docs, [3] Determinate “Migrating to FlakeHub Cache”, [4] GitHub changelog on OIDC permissions in reusable workflows.


🌐 Web query:

DeterminateSystems determinate-nix-action GitHub OIDC authentication permissions

💡 Result:

To use GitHub OIDC with DeterminateSystems/determinate-nix-action (e.g., to log in to FlakeHub / access private flakes / authenticate to FlakeHub Cache), your workflow/job must grant these token permissions:

permissions:
  id-token: write
  contents: read

This is the permissions block shown in Determinate’s GitHub Actions guidance and examples. [1], [2]

Notes

  • id-token: write is required so the job can request a GitHub OIDC JWT.
  • contents: read is the minimal repo permission typically needed alongside checkout and related reads. [1], [2]

Sources:
[1] Determinate docs: “Determinate in GitHub Actions” (example workflow permissions) (docs.determinate.systems)
[2] Determinate docs: “FlakeHub Cache” (GitHub Actions example permissions for auth) (docs.determinate.systems)

Scope id-token: write to trusted contexts only.

This job runs on pull_request, push to main, and workflow_dispatch. While DeterminateSystems/flakehub-cache-action and determinate-nix-action do require id-token: write for OIDC authentication (documented in their official guides), consider limiting OIDC token availability to only trusted events as a defense-in-depth measure. For example, move the cache action to a separate job that runs only on push to main, keeping the PR job at read-only permissions. This reduces the window during which untrusted code could potentially mint OIDC tokens, even though fork PRs are already limited by GitHub's JWT claim constraints.

🤖 Prompt for AI Agents
In @.github/workflows/ci.yml around lines 13 - 15, The workflow currently grants
id-token: write at top-level permissions which exposes OIDC token to all events
(including pull_request); change this by scoping id-token write to only the
job(s) that require OIDC (e.g., the job running
DeterminateSystems/flakehub-cache-action and determinate-nix-action) and keep
the PR/other jobs at read-only contents permission; specifically, create a
separate job for the caching/oidc steps that is restricted to trusted triggers
(e.g., only run-on push to main or workflow_dispatch) and set permissions:
id-token: write only on that job while leaving the default/top-level permissions
as contents: read (no id-token write) for PR runs.
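A scoped layout of the kind the review comment above describes, as an added example rather than this PR's own ci.yml: the read-only default stays at workflow level and only a job that never runs on pull_request gets the OIDC grant. The job names `checks` and `cache`, the `nix flake check` step and the `if:` guard are assumptions; action versions are the ones quoted in the comment.

```yaml
# Added example, not the repository's ci.yml.
#
# Weak shape the review flags: a workflow-level grant, so every trigger
# (including pull_request) runs with an OIDC-capable token.
#
#   permissions:
#     contents: read
#     id-token: write

name: CI
on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:

# Workflow-level default for all jobs. Any scope not listed here
# (or in a job-level block) is set to none.
permissions:
  contents: read

jobs:
  checks:
    # Runs on every trigger, including fork PRs, with read-only scopes.
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v5
      - uses: DeterminateSystems/determinate-nix-action@v3
      - run: nix flake check

  cache:
    # Only trusted triggers (push to main, workflow_dispatch) reach this job,
    # so only they can mint an OIDC token.  (assumed guard)
    if: github.event_name != 'pull_request'
    needs: checks
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - run: nix build
```

The job-level block overrides the workflow default only for `cache`; `checks` keeps `contents: read` and receives no `id-token` scope at all.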

2 participants