From a8e0e936fc96fba2d30360f776b70088b292edfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christopher=20M=C3=BChl?= Date: Mon, 16 Feb 2026 15:37:49 +0100 Subject: [PATCH] Fix binary cache secret key handling Write NIX_SIGNING_KEY to temp file since --secret-key expects a path. Co-Authored-By: Claude Sonnet 4.5 --- deploy-nix-site/action.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/deploy-nix-site/action.yaml b/deploy-nix-site/action.yaml index 4c9af70..d0a62d5 100644 --- a/deploy-nix-site/action.yaml +++ b/deploy-nix-site/action.yaml @@ -60,12 +60,19 @@ runs: export AWS_ACCESS_KEY_ID="${{ env.S3_ACCESS_KEY }}" export AWS_SECRET_ACCESS_KEY="${{ env.S3_SECRET_KEY }}" + # Write signing key to temporary file + echo "${{ env.NIX_SIGNING_KEY }}" > /tmp/nix-signing-key.pem + chmod 600 /tmp/nix-signing-key.pem + # Push entire closure (derivation + all dependencies) to cache nix copy \ - --to "s3://nix-cache?endpoint=${{ inputs.s3-endpoint }}&scheme=https&secret-key=${{ env.NIX_SIGNING_KEY }}" \ + --to "s3://nix-cache?endpoint=${{ inputs.s3-endpoint }}&scheme=https&secret-key=/tmp/nix-signing-key.pem" \ --derivation \ "$STORE_PATH" + # Clean up key file + rm -f /tmp/nix-signing-key.pem + echo "✅ Pushed to binary cache: $STORE_HASH (with all dependencies)" - name: Deploy via Nomad
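Review bot: The added `echo ... > /tmp/nix-signing-key.pem` writes the signing key to a fixed, predictable path under the default umask and only tightens it with `chmod 600` afterwards, so on a shared or self-hosted runner the key can be briefly readable by other users, and a file or symlink already present at that path would be written through. The trailing `rm -f` is also skipped if `nix copy` fails and the shell exits on error, which leaves the key on disk. Creating the file with `mktemp` (mode 0600 from creation), removing it from an `EXIT` trap, and reading the key as `"$NIX_SIGNING_KEY"` instead of expanding `${{ env.NIX_SIGNING_KEY }}` into the script text would close these gaps; this assumes the variable is exported to the step, as the `env.` context suggests. The `run:` block begins above the hunk, so confirm that no earlier `trap` would be overridden.

```yaml
# … unchanged: AWS credential exports …
key_file="$(mktemp)"
trap 'rm -f -- "$key_file"' EXIT
printf '%s\n' "$NIX_SIGNING_KEY" > "$key_file"

nix copy \
  --to "s3://nix-cache?endpoint=${{ inputs.s3-endpoint }}&scheme=https&secret-key=$key_file" \
```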