ci: use crane flake to build with nix

This enables to add cargo `fmt`, `clippy` and `deny` to nix, using cached results.

Move the `teepot` crate to the `crates` subdir to make the life easier for
the `crane` flake.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

.github/workflows/lint.yml

@@ -16,18 +16,38 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - name: Setup Rust toolchain
-        run: rustup show
-      - run: cargo fmt --all -- --check
+      - uses: cachix/install-nix-action@v26
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: cargo fmt
+        run: nix build -L .#cargoFmt
 
   deny:
     name: cargo deny
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: EmbarkStudios/cargo-deny-action@v1
+      - uses: cachix/install-nix-action@v26
         with:
-          arguments: --workspace
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: cargo deny
+        run: nix build -L .#cargoDeny
 
   check-spdx-headers:
     runs-on: ubuntu-latest

.github/workflows/nix.yml

@@ -11,21 +11,6 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: cachix/install-nix-action@v26
-        with:
-          extra_nix_config: |
-            access-tokens = github.com=${{ github.token }}
-      - uses: cachix/cachix-action@v14
-        with:
-          name: nixsgx
-          extraPullNames: vault-auth-tee
-
-      - run: nix flake check -L --show-trace --keep-going
-
   fmt:
     runs-on: ubuntu-latest
     steps:
@@ -37,7 +22,10 @@ jobs:
       - uses: cachix/cachix-action@v14
         with:
           name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
           extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
 
       - run: nix fmt . -- --check
 
@@ -52,14 +40,35 @@ jobs:
       - uses: cachix/cachix-action@v14
         with:
           name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
           extraPullNames: vault-auth-tee
       - name: Enable magic Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
       - name: cargo clippy
-        run: nix develop -L --ignore-environment -c cargo clippy --all
+        run: nix build -L .#cargoClippy
+
+  check:
+    needs: clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: cachix/install-nix-action@v26
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+      - uses: cachix/cachix-action@v14
+        with:
+          name: nixsgx
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          extraPullNames: vault-auth-tee
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - run: nix flake check -L --show-trace --keep-going
 
   build:
+    needs: check
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4