2 files changed, 51 insertions, 11 deletions

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c65186f..144e259 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,10 +1,12 @@
 name: CI
 
 on:
-  push:
-    branches: [main]
   pull_request:
   workflow_dispatch:
+  workflow_call:
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: false
 
 jobs:
   eval:
@@ -20,17 +22,16 @@ jobs:
         uses: nixbuild/nix-quick-install-action@v26
 
       - name: setup cachix
-        uses: cachix/cachix-action@master
+        uses: cachix/cachix-action@v12
         with:
           name: getchoo
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipAddingSubstituter: 'true'
 
       - name: generate matrix
         id: generate
         run: |
           set -Eeu
-          echo "matrix=$(nix eval --accept-flake-config --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+          echo "matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
 
   build:
     needs: eval
@@ -63,14 +64,13 @@ jobs:
           extra-conf: "extra-platforms = aarch64-linux arm-linux"
 
       - name: setup cachix
-        uses: cachix/cachix-action@master
+        uses: cachix/cachix-action@v12
         with:
           name: getchoo
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipAddingSubstituter: 'true'
 
       - name: build ${{ matrix.attr }}
-        run: nix build -L --accept-flake-config --fallback .#${{ matrix.attr }}
+        run: nix build -L --fallback .#${{ matrix.attr }}
 
   check:
     strategy:
@@ -87,14 +87,13 @@ jobs:
         uses: DeterminateSystems/nix-installer-action@v7
 
       - name: setup cachix
-        uses: cachix/cachix-action@master
+        uses: cachix/cachix-action@v12
         with:
           name: getchoo
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipAddingSubstituter: 'true'
 
       - name: run check
-        run: nix flake check --accept-flake-config --show-trace
+        run: nix flake check --show-trace
 
   # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
   gate:
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 0000000..1d2c3bd
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,41 @@
+name: deploy systems
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  ci:
+    uses: ${{ github.repository }}/.github/workflows/ci.yaml@main
+    with:
+      secrets: inherit
+
+  deploy:
+    needs: ci
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: install nix
+        uses: nixbuild/nix-quick-install-action@v26
+
+      - name: setup cachix
+        uses: cachix/cachix-action@v12
+        with:
+          name: getchoo
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - name: connect to tailscale
+        uses: tailscale/github-action@v2
+        with:
+            oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+            oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+            tags: tag:gha
+
+      - name: enter dev shell
+        run: nix develop
+
+      - name: deploy all systems
+        run: just da