fix(nix): replace magic-nix-cache with Cachix (#17928)

* fix(nix): replace magic-nix-cache with Cachix magic-nix-cache caused recurring CI failures (TwirpErrorResponse ResourceExhausted) by hitting GitHub Actions Cache's 10 GB limit and 200 req/min rate limit. This was flagged as 'unfixable infra flake' in #17836 but is actually a fixable architecture choice. Switch to Cachix (dedicated binary cache, no GHA quota dependency): - Replace DeterminateSystems/magic-nix-cache-action with cachix/cachix-action - Add cachix-auth-token input to nix-setup composite action - Pass CACHIX_AUTH_TOKEN secret through all three nix workflows - continue-on-error: true so cache failures never block CI Cache 'hermes-agent' is public at hermes-agent.cachix.org. Devs can pull locally with: cachix use hermes-agent * fix: correct cachix-action commit SHA pin --------- Co-authored-by: Hermes Agent <hermes@nousresearch.com>
2026-05-04 09:47:54 +08:00 · 2026-04-30 17:38:58 +05:30
parent ae8930afa5
commit 9a14540603
4 changed files with 20 additions and 2 deletions
--- a/.github/actions/nix-setup/action.yml
+++ b/.github/actions/nix-setup/action.yml
@@ -1,8 +1,18 @@
 name: 'Setup Nix'
-description: 'Install Nix with DeterminateSystems and enable magic-nix-cache'
+description: 'Install Nix and configure Cachix binary cache'
+
+inputs:
+  cachix-auth-token:
+    description: 'Cachix auth token (enables push). Omit for read-only.'
+    required: false
+    default: ''

 runs:
  using: composite
  steps:
    - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
-    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+    - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+      with:
+        name: hermes-agent
+        authToken: ${{ inputs.cachix-auth-token }}
+      continue-on-error: true
--- a/.github/workflows/nix-lockfile-check.yml
+++ b/.github/workflows/nix-lockfile-check.yml
@@ -20,6 +20,8 @@ jobs:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4

      - uses: ./.github/actions/nix-setup
+        with:
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Resolve head SHA
        id: sha
--- a/.github/workflows/nix-lockfile-fix.yml
+++ b/.github/workflows/nix-lockfile-fix.yml
@@ -62,6 +62,8 @@ jobs:
          token: ${{ steps.app-token.outputs.token }}

      - uses: ./.github/actions/nix-setup
+        with:
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Apply lockfile hashes
        id: apply
@@ -200,6 +202,8 @@ jobs:
          fetch-depth: 0

      - uses: ./.github/actions/nix-setup
+        with:
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Apply lockfile hashes
        id: apply
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -22,6 +22,8 @@ jobs:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: ./.github/actions/nix-setup
+        with:
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Check flake
        if: runner.os == 'Linux'
        run: nix flake check --print-build-logs