refactor(ci): extract nix eval into reusable workflow

Author: jfroche

.github/actions/nix-install-ephemeral/action.yml

@@ -12,12 +12,13 @@ runs:
       uses: aws-actions/configure-aws-credentials@v4
       if: ${{ inputs.push-to-cache == 'true' }}
       with:
-        role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+        role-to-assume: ${{ env.DEV_AWS_ROLE }}
         aws-region: "us-east-1"
         output-credentials: true
-        role-duration-seconds: 18000
+        role-duration-seconds: 7200
     - name: Setup AWS credentials for Nix
       if: ${{ inputs.push-to-cache == 'true' }}
+      shell: bash
       run: |
         sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
         sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
@@ -32,7 +33,7 @@ runs:
         EOF
         sudo chmod +x /etc/nix/upload-to-cache.sh
       env:
-        NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+        NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
     - name: Install nix
       uses: cachix/install-nix-action@v31
       with:

.github/workflows/nix-build.yml

@@ -16,19 +16,10 @@ permissions:
 
 jobs:
   nix-eval:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-      - name: Install nix
-        uses: ./.github/actions/nix-install-ephemeral
-      - id: set-matrix
-        name: Generate Nix Matrix
-        run: |
-          set -Eeu
-          echo matrix="$(nix shell github:nix-community/nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
+    uses: ./.github/workflows/nix-eval.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
 
   nix-build-aarch64-linux:
     name: ${{ matrix.name }} (aarch64-linux)

.github/workflows/nix-eval.yml

@@ -0,0 +1,32 @@
+name: Nix Eval
+
+on:
+  workflow_call:
+    outputs:
+      matrix:
+        description: 'Generated build matrix'
+        value: ${{ jobs.eval.outputs.matrix }}
+    secrets:
+      DEV_AWS_ROLE:
+        required: false
+      NIX_SIGN_SECRET_KEY:
+        required: false
+
+jobs:
+  eval:
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - id: set-matrix
+        name: Generate Nix Matrix
+        run: |
+          set -Eeu
+          echo matrix="$(nix shell github:nix-community/nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"