workflows/lint: add cachix

For PRs targeting a fast moving branch like master, it might not actually help because the merge commit will still be different on each run. But on slower moving branches or when testing in a fork, it can speed things up. Since each of these build results is only a few hundred bytes without any dependencies, it has essentially no cost. Not adding this to `treefmt`, because this looks at *all* the files in the repo, so needs to re-run even when iterating on CI only. (cherry picked from commit 6ee40e7931)
2026-01-11 18:32:23 +08:00 · 2025-08-20 12:20:01 +02:00
parent e3ff0fab42
commit b431f97a1c
3 changed files with 27 additions and 0 deletions
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,6 +9,9 @@ on:
      targetSha:
        required: true
        type: string
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true

 permissions: {}

@@ -33,6 +36,10 @@ jobs:

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

+      # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
+      # because the cache would be invalidated on every commit - treefmt checks every file.
+      # Maybe we can cache treefmt's eval-cache somehow.
+
      - name: Check that files are formatted
        run: |
          # Note that it's fine to run this on untrusted code because:
@@ -65,6 +72,14 @@ jobs:

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+          extraPullNames: nixpkgs-ci
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          pushFilter: -source$
+
      - name: Parse all nix files
        run: |
          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
@@ -88,6 +103,14 @@ jobs:

      - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31

+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+          name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+          extraPullNames: nixpkgs-ci
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          pushFilter: -source$
+
      - name: Running nixpkgs-vet
        env:
          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -9,6 +9,8 @@ jobs:
  lint:
    name: Lint
    uses: ./.github/workflows/lint.yml
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ github.event.merge_group.head_sha }}
      targetSha: ${{ github.event.merge_group.base_sha }}
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -100,6 +100,8 @@ jobs:
    name: Lint
    needs: [prepare]
    uses: ./.github/workflows/lint.yml
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}