Setup Nix substituters in Flake an CI (#51)

.github/composites/setup-nix/action.yml

@@ -0,0 +1,27 @@
+---
+inputs:
+  githubAccessToken:
+    required: true
+  cachixAuthToken:
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Install Nix
+      uses: cachix/install-nix-action@v23
+      with:
+        extra_nix_config: |
+          ## Access token to avoid triggering GitHub's rate limiting.
+          access-tokens = github.com=${{ inputs.githubAccessToken }}
+          ## Accept arbitrary substituters from the flake.
+          accept-flake-config = true
+
+    - name: Setup Nix caches
+      uses: cachix/cachix-action@v12
+      with:
+        name: morsmall
+        ## This auth token will give write access to the cache, meaning that
+        ## everything that happens in CI will be pushed at the end of the job.
+        authToken: "${{ inputs.cachixAuthToken }}"

.github/workflows/ci.yml

@@ -26,12 +26,11 @@ jobs:
         with:
           submodules: true
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Install dependencies
         run: |
@@ -66,12 +65,11 @@ jobs:
         with:
           submodules: true
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Build
         run: |
@@ -85,12 +83,11 @@ jobs:
       - name: Check out repository code.
         uses: actions/checkout@v4
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Run flake checks
         run: |

flake.nix

@@ -34,7 +34,7 @@
         packages.default = self'.packages.with-nixpkgs;
 
         devShells.default = pkgs.mkShell {
-          buildInputs = (with pkgs; [ headache ])
+          buildInputs = (with pkgs; [ headache topiary ])
             ++ (with pkgs.ocamlPackages; [ ocaml-lsp ocp-indent ]);
           inputsFrom = [ self'.packages.default ];
           shellHook = config.pre-commit.installationScript;
@@ -47,6 +47,7 @@
           dune-opam-sync.enable = true;
           opam-lint.enable = true;
           checkmake.enable = true;
+          topiary.enable = true;
         };
       };
 
@@ -55,4 +56,19 @@
       perInput = system: flake:
         if flake ? lib.${system} then { lib = flake.lib.${system}; } else { };
     };
+
+  nixConfig = {
+    extra-trusted-substituters = [
+      "https://pre-commit-hooks.cachix.org/"
+      "https://tweag-topiary.cachix.org"
+      "https://morbig.cachix.org/"
+      "https://morsmall.cachix.org/"
+    ];
+    extra-trusted-public-keys = [
+      "pre-commit-hooks.cachix.org-1:Pkk3Panw5AW24TOv6kz3PvLhlH8puAsJTBbOPmBo7Rc="
+      "tweag-topiary.cachix.org-1:8TKqya43LAfj4qNHnljLpuBnxAY/YwEBfzo3kzXxNY0="
+      "morbig.cachix.org-1:l6jrpCfkt03SwhxnK7VNDgrnMDW9OA92BTcuZTNw60I="
+      "morsmall.cachix.org-1:3/pcLgvBMI1hkxOLsY5+NLsRyueJZTkULnQwvjhzThY="
+    ];
+  };
 }