From 4b1bbce9af76abe64f9e3cfa1866868728988d21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20M=C3=BChl?= <toki@toph.so>
Date: Wed, 18 Feb 2026 13:18:11 +0100
Subject: [PATCH] feat: make NIX_SIGNING_KEY optional, skip Nix cache push if
 unset

---
 deploy-static-site/action.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/deploy-static-site/action.yaml b/deploy-static-site/action.yaml
index ab11aa4..008faab 100644
--- a/deploy-static-site/action.yaml
+++ b/deploy-static-site/action.yaml
@@ -1,10 +1,8 @@
 name: Deploy Static Site
 description: Build site with Nix, push tarball to S3, deploy via Nomad with shared static-server image
 
-# Expected env vars (set by calling workflow from secrets):
-#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
-#   NIX_SIGNING_KEY
-#   NOMAD_TOKEN
+# Required env vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NOMAD_TOKEN
+# Optional env vars: NIX_SIGNING_KEY (if set, signs and pushes Nix closure to S3 binary cache)
 
 inputs:
   domain:
@@ -58,6 +56,7 @@ runs:
       run: nix build ".#${{ inputs.flake-output }}" --out-link result-site
 
     - name: Sign and push Nix closure to S3 cache
+      if: env.NIX_SIGNING_KEY != ''
       shell: bash
       run: |
         echo "${NIX_SIGNING_KEY}" > /tmp/nix-key