Merge pull request #231 from Enzime/untrusted-users

action: add option to configure updating trusted users

README.md

@@ -75,6 +75,8 @@ To install Nix from any commit, go to [the corresponding installer_test action](
 
 - `enable_kvm`: whether to enable KVM for hardware-accelerated virtualization on Linux. Enabled by default if available.
 
+- `set_as_trusted_user`: whether to add the current user to `trusted-users`. Enabled by default.
+
 
 ## Differences from the default Nix installer
 

action.yml

@@ -5,7 +5,7 @@ inputs:
   extra_nix_config:
     description: 'Gets appended to `/etc/nix/nix.conf` if passed.'
   github_access_token:
-    description: 'Configure nix to pull from github using the given github token.'
+    description: 'Configure Nix to pull from GitHub using the given GitHub token.'
   install_url:
     description: 'Installation URL that will contain a script to install Nix.'
   install_options:
@@ -16,6 +16,10 @@ inputs:
     description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.'
     required: false
     default: true
+  set_as_trusted_user:
+    description: 'Add current user to `trusted-users`.'
+    required: false
+    default: true
 branding:
   color: 'blue'
   icon: 'sun'
@@ -31,4 +35,5 @@ runs:
         INPUT_INSTALL_URL: ${{ inputs.install_url }}
         INPUT_NIX_PATH: ${{ inputs.nix_path }}
         INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }}
+        INPUT_SET_AS_TRUSTED_USER: ${{ inputs.set_as_trusted_user }}
         GITHUB_TOKEN: ${{ github.token }}

install-nix.sh

@@ -34,8 +34,10 @@ add_config "max-jobs = auto"
 if [[ $OSTYPE =~ darwin ]]; then
   add_config "ssl-cert-file = /etc/ssl/cert.pem"
 fi
-# Allow binary caches for user
+# Allow binary caches specified at user level
+if [[ $INPUT_SET_AS_TRUSTED_USER == 'true' ]]; then
   add_config "trusted-users = root ${USER:-}"
+fi
 # Add a GitHub access token.
 # Token-less access is subject to lower rate limits.
 if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then