ci: Reduce runs of nix

Run only once nix files were changed.

Also add caching.

Author: edenreich

.github/workflows/nix-build.yml

@@ -1,23 +1,21 @@
 name: Nix Build Verification
 
+concurrency:
+  group: nix-build-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   pull_request:
     branches:
       - main
     paths:
       - 'nix/**'
-      - 'go.mod'
-      - 'go.sum'
-      - '**.go'
       - '.github/workflows/nix-build.yml'
   push:
     branches:
       - main
     paths:
       - 'nix/**'
-      - 'go.mod'
-      - 'go.sum'
-      - '**.go'
       - '.github/workflows/nix-build.yml'
   workflow_dispatch:
 
@@ -50,6 +48,9 @@ jobs:
             experimental-features = nix-command flakes
             accept-flake-config = true
 
+      - name: Set up Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v13
+
       - name: Build with Nix
         run: |
           nix-build nix/default.nix --show-trace
@@ -87,6 +88,9 @@ jobs:
           extra_nix_config: |
             experimental-features = nix-command flakes
 
+      - name: Set up Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v13
+
       - name: Check Nix formatting (nixfmt-rfc-style)
         run: |
           nix-shell -p nixfmt-rfc-style --run "nixfmt --check nix/package.nix nix/default.nix"

.github/workflows/nix-version-sync.yml

@@ -34,6 +34,9 @@ jobs:
           extra_nix_config: |
             experimental-features = nix-command flakes
 
+      - name: Set up Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v13
+
       - name: Determine version
         id: version
         run: |
@@ -96,14 +99,6 @@ jobs:
           sed -i "s|vendorHash = \"[^\"]*\";|vendorHash = \"sha256-$VENDOR_HASH\";|" nix/package.nix
           echo "Updated vendorHash in nix/package.nix"
 
-      - name: Verify build
-        run: |
-          echo "Building with updated hashes to verify..."
-          nix-build nix/default.nix --show-trace
-
-          echo "Verifying binary..."
-          result/bin/infer version
-
       - name: Format Nix file
         run: |
           nix-shell -p nixfmt-rfc-style --run "nixfmt nix/package.nix"
@@ -123,9 +118,11 @@ jobs:
             - ✅ Updated `version` to `${{ steps.version.outputs.version }}`
             - ✅ Updated source `hash` to `sha256-${{ steps.source-hash.outputs.hash }}`
             - ✅ Updated `vendorHash` to `sha256-${{ steps.vendor-hash.outputs.hash }}`
-            - ✅ Verified build succeeds
             - ✅ Formatted with nixfmt-rfc-style
 
+            The `Nix Build Verification` workflow runs on this PR and is the
+            authoritative gate for verifying the updated hashes build cleanly.
+
             ### Verification
             ```bash
             nix-build nix/default.nix