JIT cache implementation

discover/action.yml

@@ -2,6 +2,10 @@ name: "Standard Discovery"
 description: "Find out what to build & run in a Standard project."
 
 inputs:
+  cache:
+    description: "Nix cache to upload evaluation results to."
+    required: false
+    default: auto
   github_pat:
     description: "GitHub token for accessing private repos."
     required: false
@@ -14,18 +18,13 @@ outputs:
   nix_conf:
     description: "Nix configuration of the flake."
     value: ${{ steps.eval.outputs.nix_conf }}
+  cached:
+    description: "Boolean marking whether results are cached in inputs.cache."
+    value: ${{ steps.eval.outputs.cached }}
 
 runs:
   using: "composite"
   steps:
-    - name: Set Environment
-      run: |
-        delim=$RANDOM
-
-        cat << $delim >> "$GITHUB_ENV"
-        $delim
-      shell: bash
-
     - name: Cache Nix Store
       id: cache-nix
       uses: divnix/[email protected]
@@ -52,6 +51,7 @@ runs:
       id: eval
       env:
         FLAKE: "github:${{ github.repository }}/${{ github.sha }}"
+        CACHE: ${{ inputs.cache }}
       run: |
         ${{ github.action_path }}/eval.sh
       shell: bash

discover/eval.sh

@@ -2,15 +2,16 @@
 
 set -e
 
-declare JSON
+declare JSON result
 
 function eval() {
   echo "::group::Nix Evaluation"
 
   local system delim
 
   system="$(nix eval --raw --impure --expr 'builtins.currentSystem')"
-  JSON="$(nix eval "$FLAKE#__std.ci'.$system" --json | jq -c '
+  result=$(nix eval "$FLAKE#__std.ci'.$system" --json)
+  JSON="$(jq -c '
       group_by(.block)
       | map({
         key: .[0].block,
@@ -23,7 +24,7 @@ function eval() {
           | from_entries
         )
       })
-      | from_entries'
+      | from_entries' <<< "$result"
   )"
 
   nix_conf=("$(nix eval --raw "$FLAKE#__std.nixConfig")")
@@ -42,4 +43,33 @@ function eval() {
   echo "::endgroup::"
 }
 
+function cache() {
+  echo "::group::Cache Evaluation"
+
+  local drvs
+
+  drvs=$(jq -r '.[]|select(.targetDrv != null)|.targetDrv' <<< "$result")
+
+  if [[ $CACHE =~ ^s3:// && -f $NIX_KEY_PATH ]]; then
+    if [[ $CACHE =~ \? ]]; then
+      CACHE="$CACHE&secret-key=$NIX_KEY_PATH"
+    else
+      CACHE="$CACHE?secret-key=$NIX_KEY_PATH"
+    fi
+  fi
+
+  if [[ -n $drvs ]]; then
+    #shellcheck disable=SC2086
+    nix copy --derivation --to "$CACHE" $drvs
+
+    echo "cached=true" >> "$GITHUB_OUTPUT"
+  fi
+
+  echo "::endgroup::"
+}
+
 eval
+
+if [[ $CACHE != 'auto' ]]; then
+  cache
+fi

run/action.yaml

@@ -2,23 +2,10 @@ name: "Sandard Action Runner"
 description: "Build a target and run its action."
 
 inputs:
-  key_path:
-    description: "The path to place the Nix secret key."
-    required: false
-    default: "${{ runner.temp }}/.nix-key"
   github_pat:
     description: "GitHub token for accessing private repos."
     required: false
     default: ${{ github.token }}
-  nix_key:
-    description: "Secret key used for Nix package signing."
-    required: false
-  s3_key:
-    description: "Key to upload to S3 Buckets with Nix."
-    required: false
-  s3_id:
-    description: "ID to upload to S3 Buckets with Nix."
-    required: false
   cache:
     description: "Nix cache to optionally upload artifacts to"
     # auto refers to the local nix store, so nothing is uploaded by default
@@ -31,13 +18,8 @@ inputs:
   json:
     description: "JSON describing the action, found in the discovery phase."
     required: true
-  nix_ssh_key:
-    description: "SSH private key to send builds to a remote Nix builder."
-    default: none
-    required: false
-  ssh_known_hosts:
-    description: "SSH known host keys for Nix builders"
-    default: none
+  cached:
+    description: "Boolean marking whether to pull discovery artifacts from the Nix cache."
     required: false
   extra_nix_config:
     description: "Configuration to append to the nix.conf."
@@ -53,8 +35,6 @@ runs:
         cat << $delim >> "$GITHUB_ENV"
         DISC_PATH=${{ runner.temp }}/discovery
         DISC_ARC_PATH=${{ runner.temp }}/discovery.tar.zstd
-        SSH_AUTH_SOCK=${{ runner.temp }}/ssh_agent.sock
-        NIX_KEY_PATH=${{ inputs.key_path }}
         BUILDER=${{ inputs.builder }}
         CACHE=${{ inputs.cache }}
         $delim
@@ -64,16 +44,8 @@ runs:
         echo "$delim" >> $GITHUB_ENV
       shell: bash
 
-    - name: Emplace Secrets
-      if: inputs.nix_key != '' || inputs.s3_id != '' || inputs.s3_key != ''
-      run: ${{ github.action_path }}/secrets.sh
-      shell: bash
-      env:
-        NIX_SECRET_KEY: ${{ inputs.nix_key }}
-        AWS_ACCESS_KEY_ID: ${{ inputs.s3_id }}
-        AWS_SECRET_ACCESS_KEY: ${{ inputs.s3_key }}
-
     - name: Restore Cache & Discovery Results
+      if: inputs.cached != 'true' || inputs.cache == 'auto'
       id: restore-cache
       uses: divnix/[email protected]
       with:
@@ -93,18 +65,9 @@ runs:
           secret-key-files = ${{ env.NIX_KEY_PATH }}
           ${{ inputs.extra_nix_config }}
 
-    - name: Setup SSH Keys
-      if: inputs.nix_ssh_key != 'none' && inputs.builder != 'auto'
-      run: |
-        ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
-        ssh-add - <<< "${{ inputs.nix_ssh_key }}"
-      shell: bash
-
-    - name: Setup SSH Known Hosts
-      if: inputs.nix_ssh_key != 'none' && inputs.ssh_known_hosts != 'none' && inputs.builder != 'auto'
-      run: |
-        sudo sh -c 'echo "${{ inputs.ssh_known_hosts }}" >> /etc/ssh/ssh_known_hosts'
-        sudo chmod 0644 /etc/ssh/ssh_known_hosts
+    - name: Pull Target from Nix Cache
+      if: inputs.cached == 'true' && inputs.cache != 'auto'
+      run: nix copy --derivation --from ${{ inputs.cache }} ${{ fromJSON(env.JSON).targetDrv }}
       shell: bash
 
     - name: Build ${{ fromJSON(env.JSON).name }}
@@ -124,7 +87,7 @@ runs:
     - name: Populate Cache
       env:
         UNCACHED: ${{ steps.build.outputs.uncached }}
-      if: always() && env.CACHE != 'auto' && inputs.nix_key != '' && env.UNCACHED != '' && steps.build.conclusion == 'success'
+      if: always() && env.CACHE != 'auto' && env.NIX_KEY_PATH != '' && env.UNCACHED != '' && steps.build.conclusion == 'success'
       run: |
         ${{ github.action_path }}/cache.sh
       shell: bash

secrets/action.yaml

@@ -0,0 +1,61 @@
+name: "Sandard Action Secrets"
+description: "Setup common Nix secrets."
+
+inputs:
+  key_path:
+    description: "The path to place the Nix secret key."
+    required: false
+    default: "${{ runner.temp }}/.nix-key"
+  nix_key:
+    description: "Secret key used for Nix package signing."
+    required: false
+  s3_key:
+    description: "Key to upload to S3 Buckets with Nix."
+    required: false
+  s3_id:
+    description: "ID to upload to S3 Buckets with Nix."
+    required: false
+  nix_ssh_key:
+    description: "SSH private key to send builds to a remote Nix builder."
+    default: none
+    required: false
+  ssh_known_hosts:
+    description: "SSH known host keys for Nix builders"
+    default: none
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set Environment
+      run: |
+        delim=$RANDOM
+
+        cat << $delim >> "$GITHUB_ENV"
+        SSH_AUTH_SOCK=${{ runner.temp }}/ssh_agent.sock
+        NIX_KEY_PATH=${{ inputs.key_path }}
+        $delim
+      shell: bash
+
+    - name: Emplace Secrets
+      if: inputs.nix_key != '' || inputs.s3_id != '' || inputs.s3_key != ''
+      run: ${{ github.action_path }}/secrets.sh
+      shell: bash
+      env:
+        NIX_SECRET_KEY: ${{ inputs.nix_key }}
+        AWS_ACCESS_KEY_ID: ${{ inputs.s3_id }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.s3_key }}
+
+    - name: Setup SSH Keys
+      if: inputs.nix_ssh_key != 'none'
+      run: |
+        ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
+        ssh-add - <<< "${{ inputs.nix_ssh_key }}"
+      shell: bash
+
+    - name: Setup SSH Known Hosts
+      if: inputs.nix_ssh_key != 'none' && inputs.ssh_known_hosts != 'none'
+      run: |
+        sudo sh -c 'echo "${{ inputs.ssh_known_hosts }}" >> /etc/ssh/ssh_known_hosts'
+        sudo chmod 0644 /etc/ssh/ssh_known_hosts
+      shell: bash