Use nix flakes with private github deps

6 Likes

I was actually in need of this, so thank you so much! I guess the biggest clue for me here is NIX_CONFIG and what exactly to put there.

I went to try it out and have some questions already.

What is the recommended way to wire it in the CI, let’s say GitHub Actions? The .envrc is not going to get automatically applied there anyway, right? So I guess the workflows need to set the NIX_CONFIG directly, as in .envrc? Also, note that GitHub will not let one create secrets starting with GITHUB_, so I went with NIX_GITHUB_TOKEN, but I guess it doesn’t matter much if NIX_CONFIG needs to be set manually anyway.

echo "NIX_CONFIG=access-tokens = github.com=$NIX_GITHUB_TOKEN" >> "$GITHUB_ENV" somewhere early should do that job, I guess?

Yes, you’ll need to create a PAT or GitHub App that has the permissions to clone the other repos at the moment. I’ll see if I can hook up an example for GitHub Actions next.

1 Like
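
For the GitHub Actions question above, an added example (not code from any poster in this thread): a POSIX shell helper that writes NIX_CONFIG into the $GITHUB_ENV file, rejecting an empty or malformed token and keeping any settings NIX_CONFIG already holds. The function name write_nix_config and the token character check are assumptions; NIX_GITHUB_TOKEN is the secret name used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. write_nix_config is a hypothetical
# helper name; NIX_GITHUB_TOKEN is the secret name used in the thread.
# Usage: write_nix_config TOKEN ENV_FILE [EXISTING_NIX_CONFIG]

write_nix_config() {
    _token=$1
    _env_file=$2
    _existing=${3:-}

    # An unmapped secret expands to an empty string; fail loudly instead of
    # writing a config with no usable credential.
    if [ -z "$_token" ]; then
        echo "error: token is empty (is the secret mapped into env:?)" >&2
        return 1
    fi

    # Assumption: GitHub tokens contain only letters, digits and underscores.
    # Anything else (spaces, newlines) could add extra nix.conf settings or
    # extra variables to the env file, so reject it.
    case $_token in
        *[!A-Za-z0-9_]*)
            echo "error: token contains unexpected characters" >&2
            return 1 ;;
    esac

    # The env file takes NAME=value lines, or NAME<<DELIM ... DELIM for
    # multi-line values; quotes would become part of the value. Append (>>)
    # so variables written by earlier steps survive.
    _delim="NIX_CONFIG_EOF_$$"
    {
        printf 'NIX_CONFIG<<%s\n' "$_delim"
        if [ -n "$_existing" ]; then
            printf '%s\n' "$_existing"
        fi
        printf 'access-tokens = github.com=%s\n' "$_token"
        printf '%s\n' "$_delim"
    } >> "$_env_file"
}
```

In a workflow step, map the secret into the step's env and call write_nix_config "$NIX_GITHUB_TOKEN" "$GITHUB_ENV" "${NIX_CONFIG:-}" before the first nix command. Every later step in the job then sees the token through NIX_CONFIG, so scope the PAT to read access on the private repos only.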

It seems this could be very helpful in allowing GitHub Actions access to other repos without long-lived PATs:

https://twitter.com/lorenc_dan/status/1778459301515776012?t=IuL0GXjvmPXM-Scc1Lkeow&s=19

1 Like

Should also be able to do <flake>.url = "git+ssh://git@github.com/owner/repo";. Similar to builtins.fetchGit, it will use your user’s ssh credentials.

1 Like