From 6ee40e79314d07ffc58537fbe33ad27373748353 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther <walther@technowledgy.de>
Date: Wed, 20 Aug 2025 12:20:01 +0200
Subject: [PATCH] workflows/lint: add cachix

For PRs targeting a fast moving branch like master, it might not
actually help because the merge commit will still be different on each
run. But on slower moving branches or when testing in a fork, it can
speed things up.

Since each of these build results is only a few hundred bytes without
any dependencies, it has essentially no cost.

Not adding this to `treefmt`, because this looks at *all* the files in
the repo, so needs to re-run even when iterating on CI only.
---
 .github/workflows/lint.yml        | 23 +++++++++++++++++++++++
 .github/workflows/merge-group.yml |  2 ++
 .github/workflows/pr.yml          |  2 ++
 3 files changed, 27 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 44cb7fe7bada..d9168c4210d0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,9 @@ on:
       targetSha:
         required: true
         type: string
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
 
 permissions: {}
 
@@ -33,6 +36,10 @@ jobs:
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
 
+      # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
+      # because the cache would be invalidated on every commit - treefmt checks every file.
+      # Maybe we can cache treefmt's eval-cache somehow.
+
       - name: Check that files are formatted
         run: |
           # Note that it's fine to run this on untrusted code because:
@@ -65,6 +72,14 @@ jobs:
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
 
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+          extraPullNames: nixpkgs-ci
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          pushFilter: -source$
+
       - name: Parse all nix files
         run: |
           # Tests multiple versions at once, let's make sure all of them run, so keep-going.
@@ -88,6 +103,14 @@ jobs:
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
 
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+          extraPullNames: nixpkgs-ci
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          pushFilter: -source$
+
       - name: Running nixpkgs-vet
         env:
           # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
index 72b8deeb2dbc..9ed7125c76d2 100644
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -9,6 +9,8 @@ jobs:
   lint:
     name: Lint
     uses: ./.github/workflows/lint.yml
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       mergedSha: ${{ github.event.merge_group.head_sha }}
       targetSha: ${{ github.event.merge_group.base_sha }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 1de7d6614c9c..e7535378b734 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -100,6 +100,8 @@ jobs:
     name: Lint
     needs: [prepare]
     uses: ./.github/workflows/lint.yml
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
       targetSha: ${{ needs.prepare.outputs.targetSha }}