workflows/eval: add cachix

At this stage, this only allows faster iteration when working on CI in
forks.

.github/workflows/eval.yml

@@ -16,6 +16,8 @@ on:
         default: false
         type: boolean
     secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
       OWNER_APP_PRIVATE_KEY:
         required: false
 
@@ -97,6 +99,14 @@ jobs:
       - name: Install Nix
         uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
 
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+          extraPullNames: nixpkgs-ci
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          pushFilter: '(-source|-single-chunk)$'
+
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
         env:
           MATRIX_SYSTEM: ${{ matrix.system }}

.github/workflows/pr.yml

@@ -114,6 +114,7 @@ jobs:
       # compare
       statuses: write
     secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
       OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
     with:
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}

.github/workflows/push.yml

@@ -43,6 +43,8 @@ jobs:
       issues: write
       pull-requests: write
       statuses: write
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     with:
       mergedSha: ${{ github.sha }}
       systems: ${{ needs.prepare.outputs.systems }}