feat: make NIX_SIGNING_KEY optional, skip Nix cache push if unset

deploy-static-site/action.yaml

@@ -1,10 +1,8 @@
 name: Deploy Static Site
 description: Build site with Nix, push tarball to S3, deploy via Nomad with shared static-server image
 
-# Expected env vars (set by calling workflow from secrets):
-#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
-#   NIX_SIGNING_KEY
-#   NOMAD_TOKEN
+# Required env vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NOMAD_TOKEN
+# Optional env vars: NIX_SIGNING_KEY (if set, signs and pushes Nix closure to S3 binary cache)
 
 inputs:
   domain:
@@ -58,6 +56,7 @@ runs:
       run: nix build ".#${{ inputs.flake-output }}" --out-link result-site
 
     - name: Sign and push Nix closure to S3 cache
+      if: env.NIX_SIGNING_KEY != ''
       shell: bash
       run: |
         echo "${NIX_SIGNING_KEY}" > /tmp/nix-key