Some might have concerns about the server being able to pull down source code and build the configuration itself.
Many prefer that binaries be the only thing the servers are able to access, and cite security as the reason.
There are many interesting points to unpack out of this question.
This discussion on serverfault.com is a recommended read that provides a lot of good discussion on this topic. The bottom line is that having gcc or ghc installed on the server does not put your server at any significant risk.
NixOS, being focused on pure builds, adds extra security by enforcing that builds cannot access the internet unless they are specifically built in impure mode. Even the Shipnix starters that require impure mode pose little to no added security risk.
The compiled application is a more likely source of security risk than the build tools.
If an attacker should gain access to your server shell or database, you have far bigger things to worry about.
Your primary concern as a server manager should be to make sure that there are no unsafe access points to your server. Only allow private key access, and if you can, keep your private key in a hardware security key such as a YubiKey.
It's also important not to leak secrets into the Nix store, as it's meant to be "world-readable". All the Shipnix starters are built in a way that takes care of this.
Business security/complexity traps
While strong server security protects you from attacks and protects sensitive data, there are also other concerns this question poses that can affect your business.
Shipnix is an alternative to the wildly complex build systems you probably already know of. Such systems add a lot of complexity with little other measurable value, especially once NixOS is part of the picture.
Highly complex systems that complicate the build process are a great way to create indispensable technicians. This might add a feeling of security, but it creates additional risks that affect your business.
How easy is it to replace your current developer if they quit? How easy would it be to sell your business and onboard new developers? Complexity adds cost, and puts your business at risk.
Server resource usage/premature optimization
One valid point, however, is that the build tools take up resources on your server such as RAM, CPU and disk space.
An important counter-question is: is the extra work you spend on building a complex pipeline worth it? Are you making the right optimization at this time?
Premature optimization is the enemy of getting your software out.
We advise you to monitor resources and check whether building your software on your server is actually a problem.
Shipnix aims to aid in fast and secure shipping of your software.
There are several ways to optimize these steps later, when your software needs to scale because your paying users are using up all your resources.
There are several ways to share builds from your local machine or a staging server.
NixOS has some great docs about Sharing packages between machines.
If you already have a staging server, it becomes very easy to barely use any resources for your production builds, and you get a CI server included.
Shipnix serves Nix stores via SSH from the staging server to production, freeing up build resources in production and significantly reducing build times.
The exact same method is described in detail in our documentation.
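As an added example (not Shipnix's own configuration), here is how the two points above fit together in plain NixOS modules: a staging host that builds inside the sandbox and signs what it builds, and a production host that pulls those signed paths over SSH and keeps its runtime secrets out of the world-readable store. Host names, the `staging-1` key name, the `nix-copy` user, the file paths and the `myapp` service are assumptions chosen for illustration.

```nix
# Added example, not from Shipnix: two NixOS module bodies, one per host.
{
  # --- staging.example.internal (builder / CI) ---------------------------
  staging = { config, pkgs, ... }: {
    nix.settings = {
      # Keep builds pure: no network, no access to /etc or $HOME.
      sandbox = true;
      # Automatically sign every store path built here. The key pair is
      # created once (assumed paths) with:
      #   nix-store --generate-binary-cache-key staging-1 \
      #     /etc/nix/cache-priv-key.pem /etc/nix/cache-pub-key.pem
      secret-key-files = [ "/etc/nix/cache-priv-key.pem" ];
    };
  };

  # --- prod.example.internal (runs the application) ----------------------
  production = { config, pkgs, ... }: {
    nix.settings = {
      # Fetch already-built paths from staging over SSH before building
      # anything locally. Assumes root on production holds an SSH key that
      # the (assumed) nix-copy user on staging accepts, and that Nix is
      # installed there so the remote daemon protocol can be spoken.
      substituters = [ "ssh-ng://nix-copy@staging.example.internal" ];
      # Accept only paths that carry a valid signature from staging's key.
      # Replace the placeholder with the contents of cache-pub-key.pem.
      trusted-public-keys = [ "staging-1:<PUBLIC_KEY_PLACEHOLDER>" ];
      # Default, stated explicitly: unsigned paths are rejected.
      require-sigs = true;
    };

    # Runtime credentials live in a root-owned 0600 file outside /nix/store.
    # systemd reads it as root before dropping to the service user, so the
    # store only ever contains the *path*, never the secret values, and a
    # copied closure cannot leak them.
    systemd.services.myapp = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        DynamicUser = true;
        EnvironmentFile = "/var/lib/myapp-secrets/app.env";
        # Assumed binary; a Shipnix starter would point at its own package.
        ExecStart = "${pkgs.hello}/bin/hello";
      };
    };
  };
}
```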