perf(ci): use nix profile install instead of nix develop (#295)

ryoppippi · web-flow · commit 86bf01da9e78 · 2026-01-16T20:51:25.000Z
* ci(nix): use nix profile install instead of nix develop

- Replace nix develop --command with direct command execution
- Add tools input to setup-nix action for per-job tool selection
- Install only required tools per job (e.g., gitleaks job only installs gitleaks)
- Remove cache-nix-action as nixpkgs binary cache handles caching
- This should reduce CI setup time by avoiding devShell evaluation

* fix(ci): skip pnpm install for gitleaks job

gitleaks job only needs gitleaks binary, not node dependencies

* perf(ci): use --inputs-from . for nixpkgs resolution

Use flake.lock pinned nixpkgs revision to benefit from evaluation caching
diff --git a/.github/actions/setup-nix/action.yaml b/.github/actions/setup-nix/action.yaml
@@ -1,5 +1,14 @@
 name: 'Setup Nix'
 description: 'Install Nix and configure cache'
+inputs:
+  tools:
+    description: 'Space-separated list of nixpkgs packages to install (e.g., "nodejs_24 pnpm_10 oxlint")'
+    required: false
+    default: 'nodejs_24 pnpm_10'
+  skip-pnpm-install:
+    description: 'Skip pnpm install step (useful for jobs that do not need node dependencies)'
+    required: false
+    default: 'false'
 runs:
   using: 'composite'
   steps:
@@ -8,11 +17,17 @@ runs:
       with:
         github_access_token: ${{ github.token }}
 
-    - name: Cache Nix store
-      uses: nix-community/cache-nix-action@b426b118b6dc86d6952988d396aa7c6b09776d08 # v7.0.0
-      with:
-        primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', 'flake.lock', 'pnpm-lock.yaml') }}
+    - name: Install tools from nixpkgs
+      shell: bash
+      run: |
+        tools="${{ inputs.tools }}"
+        packages=""
+        for tool in $tools; do
+          packages="$packages nixpkgs#$tool"
+        done
+        nix profile install --inputs-from . $packages
 
-    - name: Load Nix development environment
+    - name: Install pnpm dependencies
+      if: inputs.skip-pnpm-install != 'true'
       shell: bash
-      run: nix develop --command true
+      run: pnpm install --frozen-lockfile
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -26,9 +26,12 @@ jobs:
 
       - name: Setup Nix
         uses: ./.github/actions/setup-nix
+        with:
+          tools: gitleaks
+          skip-pnpm-install: 'true'
 
       - name: Run Gitleaks
-        run: nix develop --command gitleaks detect --source . --config .gitleaks.toml
+        run: gitleaks detect --source . --config .gitleaks.toml
 
   lint:
     runs-on: ubuntu-latest
@@ -37,8 +40,10 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Setup Nix
         uses: ./.github/actions/setup-nix
+        with:
+          tools: nodejs_24 pnpm_10 oxlint oxfmt similarity nixfmt tsgolint
       - name: Run Lint
-        run: nix develop --command pnpm run lint
+        run: pnpm run lint
 
   build-and-test:
     runs-on: ubuntu-latest
@@ -50,10 +55,10 @@ jobs:
         uses: ./.github/actions/setup-nix
 
       - name: Run Build
-        run: nix develop --command pnpm run build
+        run: pnpm run build
 
       - name: Run Tests
-        run: nix develop --command pnpm test
+        run: pnpm test
 
   coverage:
     runs-on: ubuntu-latest
@@ -64,7 +69,7 @@ jobs:
       - name: Setup Nix
         uses: ./.github/actions/setup-nix
       - name: Run Tests with Coverage
-        run: nix develop --command pnpm run coverage
+        run: pnpm run coverage
       - name: Create Coverage Badge
         uses: jaywcjlove/coverage-badges-cli@4e8975aa2628e3329126e7eee36724d07ed86fda # v2.2.0
         with:
