feat: add ephemeral Nix install action for GitHub runners

Author: jfroche

.github/actions/nix-install-ephemeral/action.yml

@@ -0,0 +1,43 @@
+name: 'Install Nix on ephemeral runners'
+description: 'Installs Nix and sets up AWS credentials for pushing to Nix binary cache'
+inputs:
+  push-to-cache:
+    description: 'Whether to push build outputs to the Nix binary cache'
+    required: false
+    default: 'true'
+runs:
+  using: 'composite'
+  steps:
+    - name: aws-creds
+      uses: aws-actions/configure-aws-credentials@v4
+      if: ${{ inputs.push-to-cache == 'true' }}
+      with:
+        role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+        aws-region: "us-east-1"
+        output-credentials: true
+        role-duration-seconds: 18000
+    - name: Setup AWS credentials for Nix
+      if: ${{ inputs.push-to-cache == 'true' }}
+      run: |
+        sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+        sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+        sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
+        sudo mkdir -p /etc/nix
+        sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
+        cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
+        #!/usr/bin/env bash
+        set -euf
+        export IFS=' '
+        /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
+        EOF
+        sudo chmod +x /etc/nix/upload-to-cache.sh
+      env:
+        NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.31.2/install
+        extra_nix_config: |
+          substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+          trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}

.github/workflows/nix-build.yml

@@ -23,14 +23,12 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v4
       - name: Install nix
-        uses: cachix/install-nix-action@v31
-        with:
-          install_url: https://releases.nixos.org/nix/nix-2.31.2/install
+        uses: ./.github/actions/nix-install-ephemeral
       - id: set-matrix
         name: Generate Nix Matrix
         run: |
           set -Eeu
-          echo matrix="$(nix shell nixpkgs/405fc615369e0ea1b9c284c107ca4c3e1bc15774#nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
+          echo matrix="$(nix shell github:nix-community/nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
 
   nix-build-aarch64-linux:
     name: ${{ matrix.name }} (aarch64-linux)
@@ -97,7 +95,7 @@ jobs:
   run-tests:
     needs: [nix-build-aarch64-linux, nix-build-aarch64-darwin] #, nix-build-x86_64-linux]
     if: |
-      !cancelled() &&
+      !cancelled() && 
       (needs.nix-build-aarch64-linux.result == 'skipped' || needs.nix-build-aarch64-linux.result == 'success') &&
       (needs.nix-build-aarch64-darwin.result == 'skipped' || needs.nix-build-aarch64-darwin.result == 'success')
     uses: ./.github/workflows/test.yml