From 62d3578d46d47b070a52f3572f6399d5f87f1bd9 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 31 May 2026 12:15:53 +0000 Subject: [PATCH] ci: add cache-nix-action for store-path caching across cold runs (#61) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Amortise the non-niri half of the desktop closure (Quickshell, Qt6, matugen, DMS, xwayland-satellite, foot and transitive deps) that a fresh GH Actions runner otherwise rebuilds every cold run. Output-cache storage (actions/cache-shaped), orthogonal to the niri.cachix.org substituter trust lines (#59). Keyed on os × arch × flake.lock hash; PR branches restore from the os×arch prefix seeded on main. GC to 5G before save keeps both arch entries under the 10 GB per-repo limit; a 7-day last-accessed purge sweeps dead prefixes without evicting the run's own primary key. cache-nix-action chosen over Cachix/FlakeHub/Attic per the issue's trust-delegation reasoning; revisit only if hit rate stays below ~60% over a month or a second major source-built dep arrives. https://claude.ai/code/session_01R9nbBuTjy2rkiMYJ6NJ1G1
---
.github/workflows/ci.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8e98cc1..474dc56 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -78,4 +78,36 @@ jobs: extra-substituters = https://niri.cachix.org extra-trusted-public-keys = niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964= + # Store-path cache across cold runs (ADR-028 slice-3 follow-up, #61). + # This is `actions/cache`-shaped storage for build *outputs* — it is + # NOT a substituter, and is orthogonal to the niri.cachix.org trust + # lines above (#59). It amortises the non-niri half of the desktop + # closure that a fresh runner otherwise rebuilds every cold run: + # Quickshell + Qt6 + matugen + DMS + xwayland-satellite + foot and + # their transitive deps. + # + # Why this and not Cachix/FlakeHub/Attic: those are larger trust or + # operational delegations than a one-operator / three-host project + # warrants today. `cache-nix-action` first; revisit Cachix/Attic only + # if hit rate stays below ~60% over a month or a second major + # source-built dep arrives (#61 "Triggers to revisit"). + # + # Key semantics: keyed on os × arch × flake.lock hash, so a lock bump + # invalidates cleanly. PR branches restore from the os×arch prefix + # seeded on main — the squash-auto-merge flow reseeds the cache after + # each PR lands. GC before save (5G ceiling) keeps x86_64 + aarch64 + # entries coexisting under the 10 GB per-repo limit; a 7-day + # last-accessed purge sweeps dead prefix entries without ever purging + # the run's own primary key. + - uses: nix-community/cache-nix-action@v6 + with: + primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('flake.lock') }} + restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}- + gc-max-store-size-linux: 5G + purge: true + purge-prefixes: nix-${{ runner.os }}-${{ runner.arch }}- + purge-created: 0 # no created-age gate; last-accessed is the real filter + purge-last-accessed: 604800 + purge-primary-key: never + - run: nix flake check --print-build-logs
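Review bot: The added step references `nix-community/cache-nix-action@v6` by a mutable tag, and, as the comment itself notes, this cache is not a substituter, so the store paths it restores are not signature-checked before `nix flake check` consumes them. Pin the action to a full commit SHA, e.g. `- uses: nix-community/cache-nix-action@<full-commit-sha> # v6`, so a moved tag cannot change the code that writes into the Nix store. The workflow's triggers and `permissions:` block are outside this hunk. `purge: true` deletes caches through the Actions API and presumably needs `actions: write`, so it is worth confirming that only pushes to main run with that scope and perform the save and purge, while PR runs only restore. A short comment next to `purge: true` stating the required token permission would make that dependency visible to the next editor.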