Add support for pushing to Attic (#1)

* Add support for pushing to Attic

* fmt/clippy

* Fix attic dependency

* Pass ssh private key

* Try to inherit secrets

* Fix static build

* Fix default package

* Fix daemonizing

* Fix clippy

* Update nix.conf

* Add --use-attic flag

* --use-attic -> --use-flakehub

* Handle project not existing

* Handle Attic init failure

* Skip .chroot paths

* Update netrc

* Downgrade to Nixpkgs 23.05 to fix static builds

* Use rust 1.70

We need 1.70, but 1.69 is the default in Nixpkgs 23.05.

* Rename stuff

* Use magic-nix-cache-priv

* Hack

Author: edolstra

.github/workflows/build.yaml

@@ -11,6 +11,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.LOL_DETSYS_CI_SSH_PRIVATE_KEY }}
+
       - uses: DeterminateSystems/nix-installer-action@main
 
       - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -32,6 +36,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.LOL_DETSYS_CI_SSH_PRIVATE_KEY }}
+
       - uses: DeterminateSystems/flake-checker-action@main
 
       - uses: DeterminateSystems/nix-installer-action@main
@@ -55,11 +63,15 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.LOL_DETSYS_CI_SSH_PRIVATE_KEY }}
+
       - uses: DeterminateSystems/flake-checker-action@main
 
       - uses: DeterminateSystems/nix-installer-action@main
 
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action-priv@attic-v2
 
       - name: Build package
         run: "nix build .# -L --fallback"

.github/workflows/checks.yaml

@@ -11,6 +11,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - uses: webfactory/ssh-agent@v0.7.0
+        with:
+          ssh-private-key: ${{ secrets.LOL_DETSYS_CI_SSH_PRIVATE_KEY }}
+
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main

.github/workflows/release-prs.yml

@@ -11,6 +11,7 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
 
   release:
     needs: build
@@ -19,7 +20,7 @@ jobs:
     # Only intra-repo PRs are allowed to have PR artifacts uploaded
     # We only want to trigger once the upload once in the case the upload label is added, not when any label is added
     if: |
-      github.event.pull_request.head.repo.full_name == 'DeterminateSystems/magic-nix-cache'
+      github.event.pull_request.head.repo.full_name == 'DeterminateSystems/magic-nix-cache-priv'
       && (
         (github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
         || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))