refactor(ci): extract nix eval into reusable workflow

jfroche · jfroche · commit 43e882b5cbd3 · 2025-10-04T02:25:25.000+02:00
diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml
@@ -12,12 +12,13 @@ runs:
       uses: aws-actions/configure-aws-credentials@v4
       if: ${{ inputs.push-to-cache == 'true' }}
       with:
-        role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+        role-to-assume: ${{ env.DEV_AWS_ROLE }}
         aws-region: "us-east-1"
         output-credentials: true
-        role-duration-seconds: 18000
+        role-duration-seconds: 7200
     - name: Setup AWS credentials for Nix
       if: ${{ inputs.push-to-cache == 'true' }}
+      shell: bash
       run: |
         sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
         sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
@@ -26,13 +27,15 @@ runs:
         sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
         cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
         #!/usr/bin/env bash
-        set -euf
+        set -euo pipefail
+        set -f
+
         export IFS=' '
         /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
         EOF
         sudo chmod +x /etc/nix/upload-to-cache.sh
       env:
-        NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+        NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
     - name: Install nix
       uses: cachix/install-nix-action@v31
       with:
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -16,19 +16,10 @@ permissions:
 
 jobs:
   nix-eval:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-      - name: Install nix
-        uses: ./.github/actions/nix-install-ephemeral
-      - id: set-matrix
-        name: Generate Nix Matrix
-        run: |
-          set -Eeu
-          echo matrix="$(nix shell github:nix-community/nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
+    uses: ./.github/workflows/nix-eval.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
 
   nix-build-aarch64-linux:
     name: ${{ matrix.name }} (aarch64-linux)
diff --git a/.github/workflows/nix-eval.yml b/.github/workflows/nix-eval.yml
@@ -0,0 +1,32 @@
+name: Nix Eval
+
+on:
+  workflow_call:
+    outputs:
+      matrix:
+        description: 'Generated build matrix'
+        value: ${{ jobs.eval.outputs.matrix }}
+    secrets:
+      DEV_AWS_ROLE:
+        required: false
+      NIX_SIGN_SECRET_KEY:
+        required: false
+
+jobs:
+  eval:
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - id: set-matrix
+        name: Generate Nix Matrix
+        run: |
+          set -Eeu
+          echo matrix="$(nix shell github:nix-community/nix-eval-jobs/v2.31.0 --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
