
ci: use OIDC cache

ci: use OIDC cache #20

Workflow file for this run

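# CI for the Nix flake: build, push the build outputs to the niks3 binary
# cache (authenticated with a GitHub OIDC ID token), then lint and run the
# flake checks.
name: Nix
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request an OIDC ID token for the cache server. The
      # permission is job-wide, so it also applies to the steps that run
      # project code (build, lint, flake check).
      id-token: write
    steps:
      # NOTE(review): both actions are referenced by mutable tag. Pinning them
      # to a full commit SHA keeps a retagged release from running inside a
      # job that can mint ID tokens.
      - uses: actions/checkout@v6
      - uses: cachix/install-nix-action@v31
        with:
          # Adds the numtide cache as an extra substituter and trusts its
          # signing key; store paths signed by this key are accepted without
          # being rebuilt locally.
          extra_nix_config: |
            extra-substituters = https://cache.numtide.com
            extra-trusted-public-keys = niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g=
      - name: Build
        run: nix build --log-format bar-with-logs
      # The token is requested after the build and right before its only
      # consumer, so it is not sitting in step outputs while project code
      # builds. Pull requests from forks normally do not receive
      # id-token: write, so both cache steps are skipped for them rather than
      # continuing with an empty token.
      - name: Get OIDC token
        id: oidc
        if: >-
          github.event_name != 'pull_request' ||
          github.event.pull_request.head.repo.full_name == github.repository
        run: |
          set -euo pipefail
          # -f makes an HTTP error fail the step; '// empty' turns a missing
          # .value into an empty string instead of the literal "null".
          token=$(curl -fsS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://niks3.numtide.com" | jq -r '.value // empty')
          if [ -z "$token" ]; then
            echo "::error::OIDC token request returned no token" >&2
            exit 1
          fi
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"
      # NOTE(review): github:Mic92/niks3 is an unpinned flake reference, so
      # whatever that repository's default branch holds at run time is built
      # and then handed the ID token. Pin it to a reviewed revision
      # (github:Mic92/niks3/<REVIEWED_COMMIT>) or make it a locked flake input.
      # NOTE(review): same-repository pull requests still push to the shared
      # cache. If only main should populate it, restrict that on the server
      # through the token's claims - confirm how niks3 is configured.
      - name: Push to cache
        if: >-
          github.event_name != 'pull_request' ||
          github.event.pull_request.head.repo.full_name == github.repository
        env:
          # Passed through the environment so the token is never spliced into
          # the script text by expression expansion.
          OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
        run: |
          nix build -o niks3 github:Mic92/niks3
          niks3/bin/niks3 push \
            --server-url https://niks3.numtide.com \
            --auth-token "$OIDC_TOKEN" \
            ./result ./niks3
      - name: Run lint
        run: nix develop -c just lint
      - name: Flake check
        run: nix flake check --log-format bar-with-logs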