ci: use gha & attic for building/caching

11 files changed, 205 insertions, 73 deletions

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..cf2ccbc
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,124 @@
+name: CI
+
+on:
+  pull_request:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+      ATTIC_TOKEN:
+        required: false
+
+jobs:
+  eval:
+    name: Evaluate flake
+
+    runs-on: ubuntu-latest
+
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Generate matrix
+        id: generate
+        run: |
+          set -Eeu
+          echo "matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: eval
+
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+    runs-on: ${{ matrix.os }}
+
+    name: Build (${{matrix.attr}})
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Qemu
+        if: matrix.arch == 'aarch64'
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: "arm64"
+
+      - name: Install Nix
+        if: matrix.arch != 'aarch64'
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Install Nix (with aarch64)
+        if: matrix.arch == 'aarch64'
+        uses: DeterminateSystems/nix-installer-action@v9
+        with:
+          extra-conf: "extra-platforms = aarch64-linux arm-linux"
+
+      - name: Setup Attic 
+        if: github.event_name != 'pull_request'
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: https://cache.mydadleft.me
+          cache: getchoo
+          token: ${{ secrets.ATTIC_TOKEN }}
+
+      - name: Setup Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - name: Build ${{ matrix.attr }}
+        run: nix build -L --accept-flake-config --fallback .#${{ matrix.attr }}
+
+  check:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-latest, ubuntu-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    name: Check flake (${{ matrix.os }})
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Setup Attic 
+        if: github.event_name != 'pull_request'
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: https://cache.mydadleft.me
+          cache: getchoo
+          token: ${{ secrets.ATTIC_TOKEN }}
+
+      - name: Setup Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - name: Run check
+        run: nix flake check -L --accept-flake-config --show-trace
+
+  # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+  gate:
+    name: CI Gate
+    needs: [build, check]
+    runs-on: ubuntu-latest
+
+    if: always()
+
+    steps:
+      - name: Exit with result
+        run: |
+          buildResult="${{ needs.build.result }}"
+          checkResult="${{ needs.check.result }}"
+
+          results=("$buildResult" "$checkResult")
+
+          for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+
+          exit 0
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 9caf2df..113a847 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,29 +1,30 @@
 name: Deploy systems
 
 on:
-  check_suite:
-    types: [completed]
+  push:
+    branches: [main]
   workflow_dispatch:
 
 jobs:
+  ci:
+    name: CI
+    uses: ./.github/workflows/ci.yaml
+    secrets: inherit
+
   deploy:
+    name: Deploy all
+    needs: ci
     runs-on: ubuntu-latest
 
     concurrency:
       group: deploy
       cancel-in-progress: true
 
-    # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667
-    if: github.event.check_suite.app.name == 'Garnix CI'
-      && github.event.check_suite.conclusion == 'success'
-      && github.event.check_suite.latest_check_runs_count >= 12
-      && github.event.check_suite.head_branch == 'main'
-
     steps:
       - uses: actions/checkout@v4
 
       - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v26
+        uses: DeterminateSystems/nix-installer-action@v9
 
       - name: Setup local Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@v2
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index f9cdfed..1f2063c 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v26
+        uses: DeterminateSystems/nix-installer-action@v9
 
       - name: Update lockfile & make PR
         uses: DeterminateSystems/update-flake-lock@v20
diff --git a/README.md b/README.md
index 7f07641..87f8edf 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 [![made with neovim](https://img.shields.io/static/v1?label=made%20with&message=neovim&color=00b952&style=flat-square&logo=neovim)](https://neovim.io/)
 [![nixos unstable](https://img.shields.io/static/v1?label=NixOS&message=unstable&color=5277c3&style=flat-square&logo=nixos)](https://nixos.org/)
-[![built with garnix](https://img.shields.io/endpoint?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Fgetchoo%2Fflake%3Fbranch%3Dmain)](https://garnix.io)
+![build status](https://github.com/getchoo/flake/actions/workflows/deploy.yaml/badge.svg)
 
 greasy taco i love
 
@@ -34,7 +34,7 @@ my ampere arm server from oracle, services my miniflux instance.
 
 there are some amazing tools i use to make/manage this flake that i would highly recommend checking out:
 
-- [garnix](https://garnix.io)
+- [attic](https://github.com/zhaofengli/attic)
 - [home-manager](https://github.com/nix-community/home-manager)
 - [agenix](https://github.com/ryantm/agenix)
 - [flake-parts](https://github.com/hercules-ci/flake-parts)
diff --git a/ci.nix b/ci.nix
deleted file mode 100644
index f05fbed..0000000
--- a/ci.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{self, ...}: {
-  perSystem = {
-    lib,
-    pkgs,
-    system,
-    config,
-    ...
-  }: let
-    # get applicable system configurations
-    configurations = lib.getAttrs ["darwinConfigurations" "homeConfigurations" "nixosConfigurations"] self;
-
-    systems = lib.pipe (builtins.attrValues configurations) [
-      (builtins.foldl' (acc: attr: acc // attr) {})
-      (lib.filterAttrs (_: v: v.pkgs.system == system))
-      (lib.mapAttrsToList (_: v: v.config.system.build.toplevel or v.activationPackage))
-    ];
-  in {
-    checks = {
-      ciGate = pkgs.runCommand "ci-gate" {
-        nativeBuildInputs = lib.concatLists [
-          systems
-          # and other checks
-          (builtins.attrValues (builtins.removeAttrs config.checks ["ciGate"]))
-        ];
-      } "touch $out";
-    };
-  };
-}
diff --git a/flake.lock b/flake.lock
index 3089bed..768df48 100644
--- a/flake.lock
+++ b/flake.lock
@@ -417,6 +417,26 @@
         "type": "github"
       }
     },
+    "nix2workflow": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699416125,
+        "narHash": "sha256-IQHjxELWK6DBWbqYwggO4Q9gJbOm0XS3aCgMRzQWwZU=",
+        "owner": "getchoo",
+        "repo": "nix2workflow",
+        "rev": "f1de38cfea711e9a788794b5a658298b4062defb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "getchoo",
+        "repo": "nix2workflow",
+        "type": "github"
+      }
+    },
     "nixinate": {
       "inputs": {
         "nixpkgs": [
@@ -604,6 +624,7 @@
         "hm": "hm",
         "lanzaboote": "lanzaboote",
         "nix-index-database": "nix-index-database",
+        "nix2workflow": "nix2workflow",
         "nixinate": "nixinate",
         "nixos-hardware": "nixos-hardware",
         "nixos-wsl": "nixos-wsl",
diff --git a/flake.nix b/flake.nix
index 7c1896d..2ab5ea7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
   description = "getchoo's flake for system configurations";
 
   nixConfig = {
-    extra-substituters = ["https://cache.garnix.io"];
-    extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+    extra-substituters = ["https://cache.mydadleft.me/getchoo"];
+    extra-trusted-public-keys = ["getchoo:rH35+W+4SV7UV9RTr69LwkH7b24Djui2ZQIQvPxzJCg="];
   };
 
   inputs = {
@@ -95,6 +95,11 @@
       };
     };
 
+    nix2workflow = {
+      url = "github:getchoo/nix2workflow";
+      inputs.nixpkgs-lib.follows = "nixpkgs";
+    };
+
     nixinate = {
       url = "github:MatthewCroughan/nixinate";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -143,13 +148,14 @@
     parts.lib.mkFlake {inherit inputs;} {
       imports = [
         inputs.pre-commit.flakeModule
+        inputs.nix2workflow.flakeModule
 
         ./modules
         ./overlay
         ./systems
         ./users
-        ./ci.nix
         ./dev.nix
+        ./workflow.nix
       ];
 
       systems = [
diff --git a/garnix.yaml b/garnix.yaml
deleted file mode 100644
index b2afcef..0000000
--- a/garnix.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-builds:
-  exclude:
-    - "checks.x86_64-darwin.*"
-  include:
-    - "checks.*.*"
-    - "devShells.x86_64-linux.default"
-    - "nixosConfigurations.*"
-    - "homeConfigurations.seth"
diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix
index 7ca3f1d..040cdc3 100644
--- a/modules/shared/nix.nix
+++ b/modules/shared/nix.nix
@@ -20,8 +20,8 @@
       auto-optimise-store = pkgs.stdenv.isLinux;
       experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"];
 
-      trusted-substituters = lib.mkDefault ["https://cache.garnix.io"];
-      trusted-public-keys = lib.mkDefault ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+      trusted-substituters = lib.mkDefault ["https://cache.mydadleft.me/getchoo"];
+      trusted-public-keys = lib.mkDefault ["getchoo:rH35+W+4SV7UV9RTr69LwkH7b24Djui2ZQIQvPxzJCg="];
       nix-path = config.nix.nixPath;
     };
 
diff --git a/users/seth/programs/default.nix b/users/seth/programs/default.nix
index 93249d2..ab5f3c4 100644
--- a/users/seth/programs/default.nix
+++ b/users/seth/programs/default.nix
@@ -13,26 +13,26 @@
     ./vim.nix
   ];
 
-  home.packages = with pkgs; [
-    fd
-    nurl
-    rclone
-    restic
-
-    inputs'.attic.packages.attic
-
-    (let
-      getchvim = inputs'.getchvim.packages.default;
-    in
-      # remove desktop file
-      symlinkJoin {
-        name = builtins.replaceStrings ["neovim"] ["neovim-nodesktop"] getchvim.name;
-        paths = [getchvim];
-        postBuild = ''
-          rm -rf $out/share/{applications,icons}
-        '';
-      })
-  ];
+  home.packages = with pkgs;
+    [
+      fd
+      nurl
+      rclone
+      restic
+
+      (let
+        getchvim = inputs'.getchvim.packages.default;
+      in
+        # remove desktop file
+        symlinkJoin {
+          name = builtins.replaceStrings ["neovim"] ["neovim-nodesktop"] getchvim.name;
+          paths = [getchvim];
+          postBuild = ''
+            rm -rf $out/share/{applications,icons}
+          '';
+        })
+    ]
+    ++ lib.optional stdenv.isLinux inputs'.attic.packages.attic;
 
   catppuccin.flavour = "mocha";
 
diff --git a/workflow.nix b/workflow.nix
new file mode 100644
index 0000000..e9cec5d
--- /dev/null
+++ b/workflow.nix
@@ -0,0 +1,16 @@
+{
+  githubWorkflowGenerator = {
+    outputs = [
+      "checks"
+      "devShells"
+      "darwinConfigurations"
+      "nixosConfigurations"
+      "homeConfigurations"
+    ];
+
+    overrides = {
+      checks.systems = ["x86_64-linux"];
+      devShells.systems = ["x86_64-linux" "x86_64-darwin"];
+    };
+  };
+}