chore: Update nix workflow and flake.lock (#92)

- Add setup for Attic cache and enable magic Nix cache in the workflow - Update `flake.lock` - Remove container build and push
2025-07-21 15:53:55 +02:00 · 2024-07-01 13:08:17 +02:00 · 2024-07-01 13:08:17 +02:00 · 8dfb89bad9
commit 8dfb89bad9
parent da3092895b c301e57b63
4 changed files with 35 additions and 54 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -15,50 +15,59 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
+            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: https://attic.teepot.org/
+          cache: tee-pot
+          token: ${{ secrets.ATTIC_TOKEN }}
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix flake check -L --show-trace --keep-going

  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
+            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: https://attic.teepot.org/
+          cache: tee-pot
+          token: ${{ secrets.ATTIC_TOKEN }}
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix fmt

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
-      - uses: cachix/cachix-action@v15
-        continue-on-error: true
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
+            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
        with:
-          name: vault-auth-tee
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-          extraPullNames: nixsgx
+          endpoint: https://attic.teepot.org/
+          cache: tee-pot
+          token: ${{ secrets.ATTIC_TOKEN }}
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
-      - name: nix docker image
-        run: |
-          nix build .#container-vault-auth-tee
-          docker load -i result
-      - name: Log in to Docker Hub
-        if: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Build and Push Container
-        uses: docker/build-push-action@v6
-        with:
-          tags: matterlabsrobot/vault-auth-tee:latest
-          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
--- a/flake.lock
+++ b/flake.lock
@ -93,11 +93,11 @@
        "snowfall-lib": "snowfall-lib"
      },
      "locked": {
-        "lastModified": 1717758565,
-        "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=",
+        "lastModified": 1719403531,
+        "narHash": "sha256-JYqPdAB393YZIndGs5om7EsLUha3fpLckb9RKjKN7Fg=",
        "owner": "matter-labs",
        "repo": "nixsgx",
-        "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e",
+        "rev": "3a272950fa21601f31e8ca8b4e4897975069a00a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -20,14 +20,12 @@
            config.allowUnfree = true;
          };
          vault-auth-tee = pkgs.callPackage ./packages/vault-auth-tee.nix { };
-          container-vault-auth-tee = pkgs.callPackage ./packages/container-vault-auth-tee.nix { };
        in
        {
          formatter = pkgs.nixpkgs-fmt;

          packages = {
            inherit vault-auth-tee;
-            inherit container-vault-auth-tee;
            default = vault-auth-tee;
          };

--- a/packages/container-vault-auth-tee.nix
+++ b/packages/container-vault-auth-tee.nix
@ -1,26 +0,0 @@
-{ pkgs
-, vat
-, vault
-, ...
-}:
-pkgs.dockerTools.buildLayeredImage {
-  name = "vault-auth-tee";
-  tag = "test";
-
-  config.Entrypoint = [ "/bin/sh" ];
-
-  contents = pkgs.buildEnv {
-    name = "image-root";
-
-    paths = with pkgs.dockerTools; [
-      vat.vault-auth-tee
-      vat.vault-auth-tee.sha
-      vault
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
-    ];
-    pathsToLink = [ "/bin" "/etc" "/share" ];
-  };
-}