feat: add push-nix-cache action, wire into deploy-static-site and build-static-server

Extracts sign+push logic into a reusable push-nix-cache action.
Both the site deploy and the image build now use it.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.forgejo/workflows/build-static-server.yaml

@@ -21,6 +21,16 @@ jobs:
       - name: Build static-server image
         run: nix build ./deploy-static-site/images#staticServer --out-link result-static-server
 
+      - name: Push Nix closure to S3 cache
+        if: env.NIX_SIGNING_KEY != ''
+        uses: https://git.toph.so/toph/ci-actions/push-nix-cache@main
+        with:
+          store-path: ./result-static-server
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_KEY }}
+          NIX_SIGNING_KEY: ${{ secrets.NIX_SIGNING_KEY }}
+
       - name: Push to registry
         run: |
           nix shell nixpkgs#skopeo -c skopeo copy \

deploy-static-site/action.yaml

@@ -57,14 +57,11 @@ runs:
 
     - name: Sign and push Nix closure to S3 cache
       if: env.NIX_SIGNING_KEY != ''
-      shell: bash
+      uses: https://git.toph.so/toph/ci-actions/push-nix-cache@main
-      run: |
+      with:
-        echo "${NIX_SIGNING_KEY}" > /tmp/nix-key
+        store-path: ./result-site
-        nix store sign -k /tmp/nix-key --recursive ./result-site
+        s3-endpoint: ${{ inputs.s3-endpoint }}
-        nix copy \
+        s3-bucket: ${{ inputs.s3-bucket }}
-          --to "s3://${{ inputs.s3-bucket }}?endpoint=${{ inputs.s3-endpoint }}&access-key-id=${AWS_ACCESS_KEY_ID}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \
-          ./result-site
-        rm /tmp/nix-key
 
     - name: Upload site tarball to S3
       shell: bash

push-nix-cache/action.yaml

@@ -0,0 +1,32 @@
+name: Push Nix Cache
+description: Sign a Nix store path and push it to the S3 binary cache
+
+# Required env vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NIX_SIGNING_KEY
+
+inputs:
+  store-path:
+    description: 'Path to the Nix store symlink or derivation to push (e.g. ./result)'
+    required: true
+
+  s3-endpoint:
+    description: 'S3 endpoint URL'
+    required: false
+    default: 'https://s3.toph.so'
+
+  s3-bucket:
+    description: 'S3 bucket used as the Nix binary cache'
+    required: false
+    default: 'nix-cache'
+
+runs:
+  using: composite
+  steps:
+    - name: Sign and push Nix closure
+      shell: bash
+      run: |
+        echo "${NIX_SIGNING_KEY}" > /tmp/nix-key
+        nix store sign -k /tmp/nix-key --recursive "${{ inputs.store-path }}"
+        nix copy \
+          --to "s3://${{ inputs.s3-bucket }}?endpoint=${{ inputs.s3-endpoint }}&access-key-id=${AWS_ACCESS_KEY_ID}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \
+          "${{ inputs.store-path }}"
+        rm /tmp/nix-key