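---
name: Push Nix Cache
description: Sign a Nix store path and push it to the S3 binary cache

# Required env vars, provided by the calling workflow (normally from secrets):
#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY - credentials for the S3 cache
#   NIX_SIGNING_KEY - contents of the Nix secret signing key (not a file path)

inputs:
  store-path:
    description: 'Path to the Nix store symlink or derivation to push (e.g. ./result)'
    required: true
  s3-endpoint:
    description: 'S3 endpoint URL'
    required: false
    default: 'https://s3.toph.so'
  s3-bucket:
    description: 'S3 bucket used as the Nix binary cache'
    required: false
    default: 'nix-cache'

runs:
  using: composite
  steps:
    - name: Sign and push Nix closure
      shell: bash
      # Inputs are handed to the script through env instead of being expanded
      # with ${{ }} inside the script text, so bash treats their values as
      # data and a crafted input cannot become part of the script.
      env:
        STORE_PATH: ${{ inputs.store-path }}
        S3_ENDPOINT: ${{ inputs.s3-endpoint }}
        S3_BUCKET: ${{ inputs.s3-bucket }}
      run: |
        set -euo pipefail

        # Fail early with a clear message when a required variable is missing.
        : "${NIX_SIGNING_KEY:?NIX_SIGNING_KEY must be set}"
        : "${AWS_ACCESS_KEY_ID:?AWS_ACCESS_KEY_ID must be set}"
        : "${AWS_SECRET_ACCESS_KEY:?AWS_SECRET_ACCESS_KEY must be set}"

        # The signing key goes into a private, unpredictably named file that
        # only this user can read, and the trap removes it on every exit path,
        # including a failed sign or copy.
        umask 077
        key_file="$(mktemp "${RUNNER_TEMP:-/tmp}/nix-key.XXXXXX")"
        trap 'rm -f "${key_file}"' EXIT
        printf '%s\n' "${NIX_SIGNING_KEY}" > "${key_file}"

        nix store sign -k "${key_file}" --recursive "${STORE_PATH}"

        # The AWS credentials are kept out of the store URL so they do not
        # appear in the process arguments or in messages that print the URL.
        # Nix's S3 store is expected to read AWS_ACCESS_KEY_ID and
        # AWS_SECRET_ACCESS_KEY from the environment through the AWS
        # credential chain; confirm this on the Nix version the runners use.
        nix copy \
          --to "s3://${S3_BUCKET}?endpoint=${S3_ENDPOINT}" \
          "${STORE_PATH}"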