Introduce development Nix binary cache (#3911)

* Desktop: Introduce development Nix binary cache * Configure caches in CI * Cache nix shell * Fix
2026-04-04 13:12:57 +02:00 · 2026-04-04 13:12:57 +02:00 · bf269d7693
parent a99b2806ff
commit bf269d7693
3 changed files with 62 additions and 11 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -20,9 +20,6 @@ on:
      linux:
        description: "Linux"
        type: boolean
-      push_to_nix_cache:
-        description: "Linux: push to Nix cache"
-        type: boolean
      debug:
        description: "Debug build"
        type: boolean
@ -36,8 +33,6 @@ on:
        type: boolean
      linux:
        type: boolean
-      push_to_nix_cache:
-        type: boolean
      debug:
        type: boolean
      checkout_repo:
@ -639,6 +634,10 @@ jobs:

      - name: ❄ Install Nix
        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=

      - name: 🗑 Free disk space
        run: sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
@ -647,12 +646,12 @@ jobs:
        run: nix build .#graphite${{ inputs.debug && '-dev' || '' }} --no-link --print-out-paths

      - name: 📤 Push to Nix cache
-        if: (github.event_name == 'push' || inputs.push_to_nix_cache) && !inputs.debug
        env:
-          NIX_CACHE_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN }}
+          NIX_CACHE_AUTH_TOKEN: ${{ (!inputs.debug && github.ref == 'refs/heads/master') && secrets.NIX_CACHE_AUTH_TOKEN || secrets.NIX_CACHE_AUTH_TOKEN_DEV }}
+          NIX_CACHE_NAME: ${{ (!inputs.debug && github.ref == 'refs/heads/master') && 'graphite' || 'graphite-dev' }}
        run: |
          nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN
-          nix build --no-link --print-out-paths | nix run nixpkgs#cachix -- push graphite
+          nix build .#graphite${{ inputs.debug && '-dev' || '' }} --no-link --print-out-paths | nix run nixpkgs#cachix -- push $NIX_CACHE_NAME

      - name: 🏗 Build Linux bundle
        run: nix build .#graphite${{ inputs.debug && '-dev' || '' }}-bundle.tar.xz && cp ./result ./graphite-linux-bundle.tar.xz
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -0,0 +1,51 @@
+name: "Nix Housekeeping"
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch: {}
+
+jobs:
+  cache-dev-shell:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: 📥 Clone repository
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ inputs.checkout_repo || github.repository }}
+          ref: ${{ inputs.checkout_ref || '' }}
+
+      - name: ❄ Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=
+
+      - name: 🔎 Check whether development shell is already in binary cache
+        id: cache-check
+        run: |
+          out_path="$(nix eval --raw .#devShells.x86_64-linux.default.outPath)"
+          if nix path-info --store https://graphite-dev.cachix.org "$out_path" &>/dev/null; then
+            echo "cached=true" >> "$GITHUB_OUTPUT"
+            echo "Development shell is already cached at $out_path"
+          else
+            echo "cached=false" >> "$GITHUB_OUTPUT"
+            echo "Development shell is not cached"
+          fi
+
+      - name: 📦 Build Nix development shell
+        if: steps.cache-check.outputs.cached == 'false'
+        run: nix build .#devShells.x86_64-linux.default --no-link --print-out-paths
+
+      - name: 📤 Push Nix development shell to binary cache
+        if: steps.cache-check.outputs.cached == 'false'
+        env:
+          NIX_CACHE_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN_DEV }}
+        run: |
+          nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN
+          nix build .#devShells.x86_64-linux.default --no-link --print-out-paths | nix run nixpkgs#cachix -- push graphite-dev
--- a/.github/workflows/provide-shaders.yml
+++ b/.github/workflows/provide-shaders.yml
@ -17,9 +17,10 @@ jobs:

      - name: ❄ Install Nix
        uses: DeterminateSystems/nix-installer-action@main
-
-      - name: 💾 Set up Nix cache
-        uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=

      - name: 🏗 Build graphene raster nodes shaders
        run: nix build .#graphite-raster-nodes-shaders && cp result raster_nodes_shaders_entrypoint.wgsl