CI: break up "CI" workflow

Break the single job into four stages: `nix flake update`, checks,
cachix, push to main.

The benefit is that checks and cachix can use a matrix strategy in the
future (to test / build for different OSes and nixpkgs releases). Also,
the cachix build can run in parallel with checks.

The downside is that we need to push to a temporary branch before we can
run checks. Do that the simplest possible way (just hardcode the branch
name).

.github/workflows/ci.yml

@@ -12,80 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This workflow does double duty: it runs checks against PRs/pushes, and it
-# updates flake.lock (run from a schedule or manually).
-#
-# This approach seems simpler than having a separate lockfile-updating workflow
-# that creates a PR that gets the normal check workflow ran against it before
-# merging, especially since (according to
-# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
-# not run workflows against PRs created by a GitHub Action.
-
 name: CI
 
 on:
   workflow_dispatch:
-    inputs:
-      updateFlakeLock:
-        description: 'Update flake.lock'
-        default: false
-        type: boolean
   schedule:
     - cron: '23 8 * * *' # runs daily at a randomly selected time
 
 jobs:
+  flake-update:
+    uses: ./.github/workflows/flake-update.yml
   check:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: "write"
-      contents: "write"
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-      - name: Enable Magic Nix Cache
-        uses: DeterminateSystems/magic-nix-cache-action@main
-        with:
-          use-flakehub: false
-      - name: Update flake.lock
-        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
-        run: |
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git config user.name "github-actions[bot]"
-          nix flake update --commit-lock-file
-      - name: Check flake.lock
-        uses: DeterminateSystems/flake-checker-action@main
-      - name: Cache downloads
-        uses: ./.github/actions/cache-downloads
-      - name: nix flake check
-        run: nix flake check -L --show-trace
-      - name: Build packages for Cachix
-        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
-        run: nix build .#cachix-packages -L
-      # Intentionally install Cachix late: build artifacts are cached by Magic
-      # Nix Cache, only the runtime closure of cachix-packages goes to the
-      # public Cachix cache.
-      - name: Install Cachix
-        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
-        uses: cachix/cachix-action@v15
-        with:
-          name: doom-emacs-unstraightened
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - name: Push to Cachix
-        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
-        run: readlink result | cachix push doom-emacs-unstraightened
-      - name: Push changes
-        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
-        run: git push
-        # `git push` only works because branch protection is not enabled.
-        #
-        # Currently branch protection is not effective anyway, since the only
-        # contributor (marienz) has admin permissions, and applying branch
-        # protection to administrators seems to be an "organization" feature.
-        #
-        # The supported path seems to be "create a PR and use the API to merge
-        # it", but that's more work to implement (see above): revisit later.
+    uses: ./.github/workflows/check.yml
+    with:
+      ref: flake-update
+    needs: [flake-update]
+  cachix:
+    uses: ./.github/workflows/cachix.yml
+    with:
+      ref: flake-update
+    needs: [flake-update]
+  push:
+    uses: ./.github/workflows/push-flake-update.yml
+    needs: [check, cachix]
 
 # TODO: try to improve caching.
 #

.github/workflows/flake-update.yml

@@ -16,9 +16,10 @@ name: nix flake update
 
 on:
   workflow_dispatch:
+  workflow_call:
 
 jobs:
-  check:
+  update:
     runs-on: ubuntu-latest
     permissions:
       contents: "write"

.github/workflows/push-flake-update.yml

@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Push flake-update
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  commit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: "write"
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          ref: flake-update
+      - name: Push changes
+        run: git push origin HEAD:main
+        # `git push` only works because branch protection is not enabled.
+        #
+        # Currently branch protection is not effective anyway, since the only
+        # contributor (marienz) has admin permissions, and applying branch
+        # protection to administrators seems to be an "organization" feature.
+        #
+        # The supported path seems to be "create a PR and use the API to merge
+        # it", but that's more work to implement: revisit later if needed.