ci: add nix-cache

.github/workflows/nix-cache.yml

@@ -0,0 +1,94 @@
+name: nix-cache
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+env:
+  S3_ENDPOINT: ${{ vars.S3_ENDPOINT }}
+  S3_BUCKET_NAME: ${{ vars.S3_BUCKET_NAME }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_SHARED_CREDENTIALS_FILE: /tmp/aws-credentials
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            system: x86_64-linux
+            subflake: ROOT
+          - os: macos-latest
+            system: aarch64-darwin
+            subflake: ROOT
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup cache credentials and signing key
+        if: vars.S3_BUCKET_NAME != ''
+        run: |
+          # Setup Nix cache signing key
+          echo "${{ secrets.NIX_CACHE_PRIVATE_KEY }}" > /tmp/cache-priv-key.pem
+          chmod 600 /tmp/cache-priv-key.pem
+
+          # Setup AWS credentials in /tmp (accessible to all users on both platforms)
+          cat > /tmp/aws-credentials << EOF
+          [default]
+          aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          EOF
+          chmod 644 /tmp/aws-credentials
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-substituters = s3://${{ env.S3_BUCKET_NAME }}?endpoint=${{ env.S3_ENDPOINT }}
+            extra-trusted-public-keys = ${{ vars.NIX_CACHE_PUBLIC_KEY }}
+            secret-key-files = /tmp/cache-priv-key.pem
+
+
+      - name: Install Omnix
+        run: nix profile add nixpkgs#omnix
+
+      - name: Build all flake outputs
+        run: |
+          echo "Building flake output for ${{ matrix.system }}: ${{ matrix.subflake }}"
+          om ci run --systems "${{ matrix.system }}" ".#${{ matrix.subflake }}"
+
+      - name: Push to S3 cache
+        run: |
+          set -euo pipefail
+          echo "Pushing to S3 cache with all dependencies..."
+
+          echo "Using bucket: ${{ env.S3_BUCKET_NAME }}"
+          echo "Using S3 endpoint: ${{ env.S3_ENDPOINT }}"
+
+          # Get all store paths from om ci result
+          if [ -f result ]; then
+            STORE_PATHS=$(jq -r '.[] | select(.success == true) | .outputs[]' result | sort -u)
+
+            if [ -n "$STORE_PATHS" ]; then
+              echo "Build outputs to cache:"
+              echo "$STORE_PATHS" | sed 's/^/  /'
+
+              # Use nix copy to include all dependencies
+              echo "Pushing outputs and ALL dependencies to S3 cache..."
+              echo "$STORE_PATHS" | xargs nix copy --to "s3://${{ env.S3_BUCKET_NAME }}?endpoint=${{ env.S3_ENDPOINT }}"
+              echo "Successfully pushed to S3 cache with full closures"
+            else
+              echo "No store paths found to cache"
+            fi
+          else
+            echo "No result file found from om ci"
+          fi