ci: move Nix workflows to the self-hosted ARM runner + warm cache for aarch64-linux (#1793)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: kixelated

.github/actionlint.yaml

@@ -0,0 +1,5 @@
+# Custom labels for the moq-dev self-hosted A1 runner, so actionlint accepts
+# `runs-on: [self-hosted, nix]`. `self-hosted` is built in; `nix` is ours.
+self-hosted-runner:
+  labels:
+    - nix

.github/workflows/cachix.yml

@@ -15,15 +15,23 @@ jobs:
   # (e.g. moq-relay) maps 1:1 to a flake attribute.
   release:
     name: Release (${{ matrix.os }})
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.runs-on }}
     permissions:
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
+        include:
+          # `os` is just the cache pin label; keep the existing values stable so
+          # old pins aren't orphaned.
+          - os: ubuntu-latest # x86_64-linux
+            runs-on: ubuntu-latest
+          - os: macos-latest # aarch64-darwin
+            runs-on: macos-latest
+          # aarch64-linux on the moq-dev self-hosted A1 (warm /nix/store). Tag
+          # pushes are trusted, so no fork concern.
+          - os: aarch64-linux
+            runs-on: [self-hosted, nix]
 
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
@@ -45,14 +53,29 @@ jobs:
           fi
           echo "name=${BASH_REMATCH[1]}" >> "$GITHUB_OUTPUT"
 
-      - uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
+      # The cachix action and `nix build` below run `nix` directly, so put it on
+      # PATH. A login shell resolves it via /etc/profile.d regardless of the
+      # box's install path. Self-hosted only; the hosted runners get Nix from
+      # the installer step.
+      - name: Add Nix to PATH
+        if: runner.environment == 'self-hosted'
+        shell: bash -leo pipefail {0}
+        run: dirname "$(command -v nix)" >> "$GITHUB_PATH"
+
+      - if: runner.environment == 'github-hosted'
+        uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
         with:
           determinate: false
 
       - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
         with:
           name: kixelated
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # The self-hosted box's runner user isn't a Nix trusted-user and the
+          # box deliberately substitutes only from its warm local store, so
+          # don't let `cachix use` rewrite nix.conf there. Push auth (above)
+          # still works; this leg only pushes.
+          skipAddingSubstituter: ${{ runner.environment == 'self-hosted' }}
 
       - name: Build and cache
         env:

.github/workflows/release-js.yml

@@ -18,25 +18,26 @@ concurrency:
 jobs:
   release:
     name: Release JS Packages
-    runs-on: ubuntu-latest
+    # Trusted push to main, so run on the moq-dev self-hosted A1 runner (warm
+    # /nix/store).
+    runs-on: [self-hosted, nix]
     if: github.repository_owner == 'moq-dev'
 
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
 
-      - uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
-        with:
-          determinate: false
-
       - name: Setup npm registry
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           registry-url: 'https://registry.npmjs.org'
 
+      # Login shell so /etc/profile.d puts Nix on PATH; Actions shells don't by
+      # default.
       - name: Install dependencies
         run: nix develop --command bun install --frozen-lockfile
+        shell: bash -leo pipefail {0}
 
       - name: Release packages
         # Web-component packages register custom elements via global type
@@ -45,3 +46,4 @@ jobs:
         env:
           JSR_ALLOW_SLOW_TYPES: "true"
         run: nix develop --command bun --filter '*' release
+        shell: bash -leo pipefail {0}

.github/workflows/release-py.yml

@@ -31,7 +31,10 @@ concurrency:
 jobs:
   build:
     name: Build wheel + sdist
-    runs-on: ubuntu-latest
+    # Trusted push to main and the wrapper wheel is pure-python (arch
+    # independent), so run on the moq-dev self-hosted A1 runner (warm
+    # /nix/store).
+    runs-on: [self-hosted, nix]
     if: ${{ github.repository_owner == 'moq-dev' }}
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -56,12 +59,11 @@ jobs:
           VERSION: ${{ steps.version.outputs.version }}
         run: .github/scripts/release.sh pypi-exists moq-rs "$VERSION"
 
-      - uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
-        with:
-          determinate: false
-
+      # Login shell so /etc/profile.d puts Nix on PATH; Actions shells don't by
+      # default.
       - name: Build
         run: nix develop --command just py package
+        shell: bash -leo pipefail {0}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7

.github/workflows/release-rs.yml

@@ -18,7 +18,9 @@ jobs:
   release:
     name: Plz
 
-    runs-on: ubuntu-latest
+    # Trusted push to main, so run on the moq-dev self-hosted A1 runner (warm
+    # /nix/store + persistent CARGO_TARGET_DIR).
+    runs-on: [self-hosted, nix]
     if: ${{ github.repository_owner == 'moq-dev' }}
 
     steps:
@@ -37,13 +39,16 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.generate-token.outputs.token }}
 
-      # Install Nix for system dependencies (e.g. ffmpeg)
-      - uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
-        with:
-          determinate: false
+      # Persist the cargo target outside the workspace (checkout clean wipes the
+      # workspace, not $HOME). Scope per runner so a second service on the box
+      # gets its own dir instead of racing on a shared one.
+      - run: echo "CARGO_TARGET_DIR=$HOME/cargo-target/moq-$RUNNER_NAME" >> "$GITHUB_ENV"
 
+      # Login shell so /etc/profile.d puts Nix on PATH; Actions shells don't by
+      # default.
       - name: Release
         run: nix develop --command just rs release
+        shell: bash -leo pipefail {0}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

.github/workflows/update-flake.yml

@@ -12,16 +12,21 @@ on:
 jobs:
   update-flake:
     name: Update flake.lock
-    runs-on: ubuntu-latest
+    # Run on the moq-dev self-hosted A1 runner (already has Nix); fork dispatches
+    # have no such runner, so guard on the owner to avoid queueing forever.
+    runs-on: [self-hosted, nix]
+    if: ${{ github.repository_owner == 'moq-dev' }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@1d87d45818068401a10cf16bdc5f00b24994a83f # main
-        with:
-          determinate: false
+      # The update-flake-lock action runs `nix` directly (not through a shell),
+      # so put Nix on GITHUB_PATH. A login shell resolves it via /etc/profile.d
+      # regardless of the box's install path.
+      - name: Add Nix to PATH
+        shell: bash -leo pipefail {0}
+        run: dirname "$(command -v nix)" >> "$GITHUB_PATH"
 
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@b83e0671a67dfd774680fb1beaa1497ef7e58bfc # main