From a4dce0b74f5f7de17ec1936a1cb088eda5b738e4 Mon Sep 17 00:00:00 2001
From: Niklas Zender
Date: Fri, 10 Apr 2026 20:10:07 +0200
Subject: [PATCH 1/2] fix(workflows): add Nix access-tokens for private GitHub flake inputs

mkNixGitAuthStep only configured git URL rewriting, which does not affect Nix's tarball fetcher. Nix fetches GitHub flake inputs as tarballs via the GitHub API, not via git, so private repos returned HTTP 404 despite the token being available. Append access-tokens to /etc/nix/nix.conf and restart the daemon so Nix can authenticate tarball downloads from private repositories.

Made-with: Cursor
---
 nix/modules/workflows/lib.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nix/modules/workflows/lib.nix b/nix/modules/workflows/lib.nix
index 860f993..24078e8 100644
--- a/nix/modules/workflows/lib.nix
+++ b/nix/modules/workflows/lib.nix
@@ -95,6 +95,8 @@ rec {
 # Configure git HTTPS credentials so the Nix daemon can fetch private flake inputs.
 # Uses a PAT via git credential helper — works for any user (root, nixbld, runner).
+ # Also configures Nix access-tokens so the daemon can fetch private GitHub
+ # flake inputs (which are downloaded as tarballs via the API, not via git).
 mkNixGitAuthStep = { token }: {
@@ -105,6 +107,8 @@ rec {
 set -euo pipefail
 if [[ -n "''${GH_TOKEN:-}" ]]; then
 sudo git config --system url."https://x-access-token:''${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+ echo "access-tokens = github.com=''${GH_TOKEN}" | sudo tee -a /etc/nix/nix.conf > /dev/null
+ sudo systemctl restart nix-daemon.service 2>/dev/null || true
 fi
 '';
 };
From c79792dd86aeee30327fd3d04f234d3db822ff31 Mon Sep 17 00:00:00 2001
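Review bot: The `tee -a /etc/nix/nix.conf` line persists the PAT in clear text in a system-wide, normally world-readable file, so every process and user on the runner can read it for the rest of the job, and because the append is unconditional each run of the step adds another `access-tokens` line. As far as I know flake inputs are fetched by the invoking `nix` client process rather than by the daemon, so the token could instead be scoped to the runner user, e.g. `mkdir -p ~/.config/nix && (umask 077; echo "access-tokens = github.com=''${GH_TOKEN}" >> ~/.config/nix/nix.conf)`, or passed as `NIX_CONFIG` for the step only; worth confirming against a private input before dropping the daemon restart. If the system file is kept, `systemctl restart nix-daemon.service 2>/dev/null || true` on the next line hides a failed restart, and a daemon still running the old config would surface later as the same 404 this commit is fixing, so at minimum report it: `|| echo "warning: nix-daemon restart failed; access-tokens may not be active" >&2`. The step definition (the `{ token }:` header and the surrounding `run` block) starts before this hunk.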
From: Niklas Zender
Date: Fri, 10 Apr 2026 20:21:48 +0200
Subject: [PATCH 2/2] fix(deny): allow unused license exceptions and add famedly-operator

The shared deny.toml template contains exceptions for all Famedly AGPL crates, but not every project depends on all of them. cargo-deny fails on unmatched exceptions by default. Add unused-license-exception = "allow" so projects using this template don't fail when they only depend on a subset of Famedly crates. Also add famedly-operator to the AGPL exception list.

Made-with: Cursor
---
 linting/rust/deny.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/linting/rust/deny.toml b/linting/rust/deny.toml
index d107a45..bcf0343 100644
--- a/linting/rust/deny.toml
+++ b/linting/rust/deny.toml
@@ -20,6 +20,7 @@ allow = [
 "Zlib",
 ]
 unused-allowed-license = "allow"
+unused-license-exception = "allow"
 confidence-threshold = 0.95
 [licenses.private]
@@ -62,3 +63,7 @@ allow = ["AGPL-3.0-only", "AGPL-3.0-or-later"]
 [[licenses.exceptions]]
 name = "zitadel-token"
 allow = ["AGPL-3.0-only", "AGPL-3.0-or-later"]
+
+[[licenses.exceptions]]
+name = "famedly-operator"
+allow = ["AGPL-3.0-only", "AGPL-3.0-or-later"]
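Review bot: `unused-license-exception = "allow"` disables the unmatched-exception check for every project that consumes this shared template, and nothing in the file records why, so a later reader may assume the exception list has been verified against real dependencies. A one-line comment above the key would carry the rationale from the commit message into the file: `# Shared template: the exception list below is a superset; not every project depends on every excepted crate`. The commit message says cargo-deny fails on unmatched exceptions by default; if that failure was in fact a warning promoted to an error by the CI invocation, the comment should say so, since that is the knob a project would otherwise reach for.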