ci: replace deprecated magic-nix-cache with cache-nix-action

cpcwood · cpcwood · commit 9d96d247ff4d · 2026-06-08T23:45:34.000+01:00
magic-nix-cache (deprecated) uploaded the IaC closure path-by-path every run,
adding a ~6min tail to each nix job. cache-nix-action restores by exact key and
only saves on a miss (flake change), so unchanged-flake runs skip the upload.
auto-optimise-store=false avoids the hardlink-restore bug; nix6 key for a clean
cold build.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -91,9 +91,21 @@ jobs:
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
         with:
           determinate: false
-      # Substitutes individual store paths instead of tarring the whole
-      # /nix/store, so store-optimisation hardlinks can't break a restore.
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          # cache-nix-action tars and restores /nix/store verbatim; auto-optimise
+          # hardlinks (/nix/store/.links) hit the tar's skip-list and fail to
+          # relink on restore → partial store → missing-drv in nix-develop.
+          extra-conf: |
+            auto-optimise-store = false
+      # Exact-key restore; saves (uploads) only on a miss — i.e. only when the
+      # flake changes. Unchanged-flake runs restore and skip the upload entirely.
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         with:
           arguments: ./infrastructure
@@ -121,9 +133,21 @@ jobs:
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
         with:
           determinate: false
-      # Substitutes individual store paths instead of tarring the whole
-      # /nix/store, so store-optimisation hardlinks can't break a restore.
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          # cache-nix-action tars and restores /nix/store verbatim; auto-optimise
+          # hardlinks (/nix/store/.links) hit the tar's skip-list and fail to
+          # relink on restore → partial store → missing-drv in nix-develop.
+          extra-conf: |
+            auto-optimise-store = false
+      # Exact-key restore; saves (uploads) only on a miss — i.e. only when the
+      # flake changes. Unchanged-flake runs restore and skip the upload entirely.
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         with:
           arguments: ./infrastructure
@@ -150,9 +174,21 @@ jobs:
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
         with:
           determinate: false
-      # Substitutes individual store paths instead of tarring the whole
-      # /nix/store, so store-optimisation hardlinks can't break a restore.
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          # cache-nix-action tars and restores /nix/store verbatim; auto-optimise
+          # hardlinks (/nix/store/.links) hit the tar's skip-list and fail to
+          # relink on restore → partial store → missing-drv in nix-develop.
+          extra-conf: |
+            auto-optimise-store = false
+      # Exact-key restore; saves (uploads) only on a miss — i.e. only when the
+      # flake changes. Unchanged-flake runs restore and skip the upload entirely.
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         with:
           arguments: ./infrastructure
@@ -268,9 +304,21 @@ jobs:
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
         with:
           determinate: false
-      # Substitutes individual store paths instead of tarring the whole
-      # /nix/store, so store-optimisation hardlinks can't break a restore.
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          # cache-nix-action tars and restores /nix/store verbatim; auto-optimise
+          # hardlinks (/nix/store/.links) hit the tar's skip-list and fail to
+          # relink on restore → partial store → missing-drv in nix-develop.
+          extra-conf: |
+            auto-optimise-store = false
+      # Exact-key restore; saves (uploads) only on a miss — i.e. only when the
+      # flake changes. Unchanged-flake runs restore and skip the upload entirely.
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         with:
           arguments: ./infrastructure
@@ -333,8 +381,17 @@ jobs:
         if: matrix.image.needs_build_secrets
         with:
           determinate: false
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          extra-conf: |
+            auto-optimise-store = false
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
         if: matrix.image.needs_build_secrets
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         if: matrix.image.needs_build_secrets
         with:
@@ -402,9 +459,21 @@ jobs:
       - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
         with:
           determinate: false
-      # Substitutes individual store paths instead of tarring the whole
-      # /nix/store, so store-optimisation hardlinks can't break a restore.
-      - uses: DeterminateSystems/magic-nix-cache-action@908b263ff629f4cc17666315b7fd3ec127c6244d # v14
+          # cache-nix-action tars and restores /nix/store verbatim; auto-optimise
+          # hardlinks (/nix/store/.links) hit the tar's skip-list and fail to
+          # relink on restore → partial store → missing-drv in nix-develop.
+          extra-conf: |
+            auto-optimise-store = false
+      # Exact-key restore; saves (uploads) only on a miss — i.e. only when the
+      # flake changes. Unchanged-flake runs restore and skip the upload entirely.
+      - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7
+        with:
+          primary-key: nix6-${{ runner.os }}-${{ hashFiles('infrastructure/flake.nix', 'infrastructure/flake.lock') }}
+          purge: true
+          purge-prefixes: nix6-${{ runner.os }}-
+          purge-created: 0
+          purge-last-accessed: 604800
+          purge-primary-key: never
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1
         with:
           arguments: ./infrastructure
