Do not use secrets if they are not available

jfroche · jfroche · commit c7aa7d27bc8e · 2025-06-16T19:40:11.000+02:00
In the forks, secrets are not available.
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -31,6 +31,7 @@ jobs:
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: aws-creds
         uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ github.secret_source == 'Actions' }}
         with:
           role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
           aws-region: "us-east-1"
@@ -43,7 +44,7 @@ jobs:
         env:
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Log in to Docker Hub
-        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
+        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13' && github.secret_source == 'Actions'
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
diff --git a/docker/nix/build_nix.sh b/docker/nix/build_nix.sh
@@ -18,11 +18,13 @@ nix build .#wal-g-2 -o wal-g-2 -L
 nix build .#wal-g-3 -o wal-g-3 -L
 
 # Copy to S3
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-2
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-3
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_orioledb_17
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_17
+if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-2
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-3
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_orioledb_17
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_17
+fi
 
 if [ "$SYSTEM" = "aarch64-linux" ]; then
     nix build .#postgresql_15_debug -o ./postgresql_15_debug
@@ -31,10 +33,13 @@ if [ "$SYSTEM" = "aarch64-linux" ]; then
     nix build .#postgresql_orioledb-17_src -o ./postgresql_orioledb-17_src
     nix build .#postgresql_17_debug -o ./postgresql_17_debug
     nix build .#postgresql_17_src -o ./postgresql_17_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_15_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_15_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_orioledb-17_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_orioledb-17_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_17_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_17_src
+
+    if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_15_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_15_src
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_orioledb-17_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_orioledb-17_src
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_17_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_17_src
+    fi
 fi
