feat(ci): migrate to gitleaks and optimize docs deployments

.github/actions/cached-ci-job/action.yaml

@@ -0,0 +1,157 @@
+name: Cached CI Job
+description: Execute job only if not already successful for this commit SHA
+
+inputs:
+  check-name:
+    description: Full check run name (defaults to github.job, include matrix values for matrix jobs)
+    required: false
+    default: ${{ github.job }}
+  path-filters:
+    description: Regex pattern for relevant file paths (empty means always relevant)
+    required: false
+    default: ''
+  force-run:
+    description: Force execution even if already successful
+    required: false
+    default: 'false'
+
+outputs:
+  should-run:
+    description: Whether job should execute (true/false)
+    value: ${{ steps.decide.outputs.should-run }}
+  previously-succeeded:
+    description: Whether this job previously succeeded for this commit
+    value: ${{ steps.check-history.outputs.previously-succeeded }}
+  relevant-changes:
+    description: Whether relevant file changes were detected
+    value: ${{ steps.check-paths.outputs.relevant-changes }}
+
+runs:
+  using: composite
+  steps:
+    - name: Query GitHub Checks API for execution history
+      id: check-history
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # ratchet:actions/github-script@v7
+      env:
+        CHECK_NAME: ${{ inputs.check-name }}
+      with:
+        script: |
+          const checkName = process.env.CHECK_NAME;
+          const commit = context.sha;
+
+          core.info(`Querying execution history for: "${checkName}" @ ${commit}`);
+
+          try {
+            const { data: checks } = await github.rest.checks.listForRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: commit,
+              check_name: checkName,
+            });
+
+            core.info(`Found ${checks.check_runs.length} check run(s) for this commit`);
+
+            // Find any completed successful run
+            const successfulRun = checks.check_runs.find(run =>
+              run.conclusion === 'success' &&
+              run.status === 'completed'
+            );
+
+            if (successfulRun) {
+              core.info(`✓ Job already succeeded: ${successfulRun.html_url}`);
+              core.setOutput('previously-succeeded', 'true');
+            } else {
+              const failedRuns = checks.check_runs.filter(run =>
+                run.conclusion === 'failure' &&
+                run.status === 'completed'
+              );
+              if (failedRuns.length > 0) {
+                core.info(`✗ Found ${failedRuns.length} previous failed run(s)`);
+              } else {
+                core.info(`✗ No previous runs found`);
+              }
+              core.setOutput('previously-succeeded', 'false');
+            }
+          } catch (error) {
+            core.warning(`API query failed: ${error.message}`);
+            core.setOutput('previously-succeeded', 'false');
+          }
+
+    - name: Check for relevant file changes
+      id: check-paths
+      if: |
+        steps.check-history.outputs.previously-succeeded != 'true' &&
+        inputs.path-filters != ''
+      shell: bash
+      env:
+        PATH_FILTERS: ${{ inputs.path-filters }}
+      run: |
+        # Determine base ref for comparison
+        if [ "${{ github.event_name }}" = "pull_request" ]; then
+          BASE_REF="${{ github.event.pull_request.base.sha }}"
+        else
+          BASE_REF="HEAD^"
+        fi
+
+        echo "Checking for changes matching: $PATH_FILTERS"
+        echo "Comparing $BASE_REF...HEAD"
+
+        # Workflow changes always trigger all jobs
+        if git diff --name-only "$BASE_REF" HEAD | grep -qE '\.github/workflows/'; then
+          echo "relevant-changes=true" >> $GITHUB_OUTPUT
+          echo "✓ Workflow changes detected - job is relevant"
+          exit 0
+        fi
+
+        # Check if any relevant files changed
+        if git diff --name-only "$BASE_REF" HEAD | grep -qE "$PATH_FILTERS"; then
+          echo "relevant-changes=true" >> $GITHUB_OUTPUT
+          echo "✓ Relevant file changes detected"
+        else
+          echo "relevant-changes=false" >> $GITHUB_OUTPUT
+          echo "✗ No relevant file changes"
+        fi
+
+    - name: Make execution decision
+      id: decide
+      shell: bash
+      env:
+        FORCE: ${{ inputs.force-run }}
+        PREV_SUCCESS: ${{ steps.check-history.outputs.previously-succeeded }}
+        HAS_CHANGES: ${{ steps.check-paths.outputs.relevant-changes }}
+        HAS_FILTERS: ${{ inputs.path-filters != '' }}
+      run: |
+        echo "=== Execution Decision ==="
+        echo "Force run: $FORCE"
+        echo "Previously succeeded: $PREV_SUCCESS"
+        echo "Has path filters: $HAS_FILTERS"
+        echo "Relevant changes: $HAS_CHANGES"
+        echo ""
+
+        # Force run overrides everything
+        if [ "$FORCE" = "true" ]; then
+          echo "should-run=true" >> $GITHUB_OUTPUT
+          echo "Decision: RUN (forced by input)"
+          exit 0
+        fi
+
+        # If already succeeded for this commit, skip
+        if [ "$PREV_SUCCESS" = "true" ]; then
+          echo "should-run=false" >> $GITHUB_OUTPUT
+          echo "Decision: SKIP (already succeeded for this commit)"
+          exit 0
+        fi
+
+        # If we have path filters, honor them
+        if [ "$HAS_FILTERS" = "true" ]; then
+          echo "should-run=${HAS_CHANGES}" >> $GITHUB_OUTPUT
+          if [ "$HAS_CHANGES" = "true" ]; then
+            echo "Decision: RUN (relevant file changes detected)"
+          else
+            echo "Decision: SKIP (no relevant file changes)"
+          fi
+        else
+          # No filters means always run if not already succeeded
+          echo "should-run=true" >> $GITHUB_OUTPUT
+          echo "Decision: RUN (no path filters specified)"
+        fi

.github/actions/setup-nix/action.yml

@@ -1,61 +1,86 @@
 name: setup-nix
-description: Setup Nix with optional disk space optimization and cachix binary cache configuration
+description: setup nix using nothing-but-nix pattern with space reclamation and github actions cache
 
 inputs:
   installer:
     description: |
-      Nix installation strategy:
-      - 'full' (default): Aggressive disk cleanup + DeterminateSystems installer
-      - 'quick': Lightweight install with nixbuild/nix-quick-install-action
+      nix installation strategy:
+      - 'full' (default): space reclamation + cache + cachix for builds
+      - 'quick': minimal install for simple tasks (no space reclamation, no caching overhead)
     type: string
     required: false
     default: full
   system:
-    description: Nix system to configure (e.g., x86_64-linux, aarch64-darwin)
+    description: nix system to configure (e.g., x86_64-linux, aarch64-darwin)
     type: string
-    required: false
-    default: x86_64-linux
-  extra-conf:
-    description: Additional nix.conf configuration
+    required: true
+  sandbox:
+    description: enable nix sandbox builds
+    type: string
+    default: "true"
+  cache-key:
+    description: primary cache key (auto-generated from nix files if not provided)
     type: string
     required: false
-    default: system-features = nixos-test benchmark big-parallel kvm
-  setup-cachix:
-    description: Setup cachix binary cache after Nix installation (requires SOPS_AGE_KEY in env)
+    default: ""
+  gc-max-store-size-linux:
+    description: max nix store size on linux before garbage collection (e.g., 5G, 10G)
+    type: string
+    default: "5G"
+  gc-max-store-size-macos:
+    description: max nix store size on macos before garbage collection (e.g., 5G, 10G)
+    type: string
+    default: "5G"
+  enable-cachix:
+    description: enable cachix binary cache
     type: boolean
-    required: false
     default: false
-  cachix-auth:
-    description: Authenticate with cachix for pushing (requires setup-cachix=true)
-    type: boolean
+  cachix-name:
+    description: cachix cache name
+    type: string
+    required: false
+  cachix-auth-token:
+    description: cachix auth token
+    type: string
     required: false
+  cachix-skip-push:
+    description: skip pushing to cachix (read-only)
+    type: boolean
     default: false
 
+outputs:
+  cache-hit:
+    description: whether the primary cache key was hit
+    value: ${{ steps.cache.outputs.hit-primary-key }}
+  cache-key:
+    description: the cache key that was used
+    value: ${{ steps.cache.outputs.primary-key }}
+
 runs:
   using: composite
   steps:
-    # Full installer: Aggressive disk cleanup + DeterminateSystems
-    - name: Reclaim disk space (Linux)
+    - name: reclaim space (linux)
       if: runner.os == 'Linux' && inputs.installer == 'full'
-      uses: wimpysworld/nothing-but-nix@main
+      uses: wimpysworld/nothing-but-nix@10c936d9e46521bf923f75458e0cbd4fa309300d # ratchet:wimpysworld/nothing-but-nix@main
       with:
-        hatchet-protocol: rampage
+        hatchet-protocol: carve
+        nix-permission-edict: true
 
-    - name: Reclaim disk space (macOS)
+    - name: reclaim space (darwin)
       if: runner.os == 'macOS' && inputs.installer == 'full'
       shell: bash
       run: |
-        echo "::group::Disk space before cleanup"
+        echo "::group::disk space (before)"
         sudo df -h
         echo "::endgroup::"
 
-        echo "::group::Disable Spotlight indexing"
+        echo "::group::disable mds"
         sudo mdutil -i off -a || echo "mdutil failed"
         sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist \
-          || echo "launchctl unload failed"
+         || echo "launchctl unload failed"
         echo "::endgroup::"
 
-        echo "Starting background cleanup to reclaim disk space..."
+        echo "Background space expansion started. /nix will grow as space becomes available."
         sudo rm -rf \
           /Applications/Xcode_* \
           /Library/Developer/CoreSimulator \
@@ -67,44 +92,45 @@ runs:
           /Users/runner/Library/Developer/CoreSimulator \
           /Users/runner/hostedtoolcache &
 
-    - name: Install Nix (DeterminateSystems)
-      if: inputs.installer == 'full'
-      uses: DeterminateSystems/nix-installer-action@main
+    - name: install nix
+      uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # ratchet:nixbuild/nix-quick-install-action@v34
       with:
-        extra-conf: |
+        nix_conf: |
+          sandbox = ${{ inputs.sandbox }}
           system = ${{ inputs.system }}
-          ${{ inputs.extra-conf }}
+          keep-env-derivations = true
+          keep-outputs = true
 
-    # Quick installer: Lightweight nixbuild/nix-quick-install-action
-    - name: Install Nix (Quick Install)
-      if: inputs.installer == 'quick'
-      uses: nixbuild/nix-quick-install-action@master
+    - name: setup cache
+      if: runner.os == 'Linux' && inputs.installer == 'full'
+      id: cache
+      uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # ratchet:nix-community/cache-nix-action@v6
+      with:
+        primary-key: ${{ inputs.cache-key != '' && inputs.cache-key || format('nix-{0}-{1}', runner.os, hashFiles('**/*.nix', '**/flake.lock')) }}
+        restore-prefixes-first-match: ${{ format('nix-{0}-', runner.os) }}
+        gc-max-store-size-linux: ${{ inputs.gc-max-store-size-linux }}
+        gc-max-store-size-macos: ${{ inputs.gc-max-store-size-macos }}
+        purge: true
+        purge-prefixes: ${{ format('nix-{0}-', runner.os) }}
+        purge-created: 0
+        purge-last-accessed: 0
+        purge-primary-key: never
 
-    - name: Report disk space (macOS post-cleanup)
+    - name: setup cachix
+      if: inputs.enable-cachix
+      uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # ratchet:cachix/cachix-action@v16
+      continue-on-error: true
+      with:
+        name: ${{ inputs.cachix-name }}
+        authToken: ${{ inputs.cachix-auth-token }}
+        skipPush: ${{ inputs.cachix-skip-push }}
+
+    - name: post setup-nix
       if: runner.os == 'macOS' && inputs.installer == 'full'
-      uses: srz-zumix/post-run-action@v2
+      uses: srz-zumix/post-run-action@2bf288bc024acd0341914f792a811080ebd0f252 # ratchet:srz-zumix/post-run-action@v2
       with:
         shell: bash -e {0}
         post-run: |
-          echo "::group::Disk space after workflow"
+          echo "::group::disk space (after)"
           sudo df -h
           echo "::endgroup::"
-
-    - name: Setup and authenticate cachix
-      if: inputs.setup-cachix == 'true' && inputs.cachix-auth == 'true'
-      shell: bash
-      run: |
-        nix develop -c sops exec-env vars/shared.yaml '
-          cachix authtoken "$CACHIX_AUTH_TOKEN"
-          cachix use "$CACHIX_CACHE_NAME"
-          cachix use nix-community
-        '
-
-    - name: Setup cachix for binary cache
-      if: inputs.setup-cachix == 'true' && inputs.cachix-auth != 'true'
-      shell: bash
-      run: |
-        nix develop -c sops exec-env vars/shared.yaml '
-          cachix use "$CACHIX_CACHE_NAME"
-          cachix use nix-community
-        '

.github/mergify.yml

@@ -8,19 +8,38 @@ pull_request_rules:
       assign:
         add_users:
           - "{{ author }}"
-  - name: automatic merge when not WIP, CI passes, and at least 1 approving review
+  - name: automatic merge to queue
     conditions:
       - "#approved-reviews-by>=1"
-      - check-success=scan
-      - check-success=nix (ubuntu-latest)
-      - check-success=test (docs)
-      - base=main
       - label!=work-in-progress
+      - -draft
+      - -conflict
+      - check-success=skip-check
+      - check-success=gitleaks
+      - check-success=set-variables
+      - or:
+        - check-success=nix
+        - check-skipped=nix
+      - or:
+        - check-success=test (docs)
+        - check-skipped=test (docs)
+      - check-success=PR Check Fast-forward
     actions:
       queue:
         name: default
+
 queue_rules:
   - name: default
     merge_method: fast-forward
     update_method: rebase
     update_bot_account: cameronraysmith
+    batch_size: 1
+    checks_timeout: 3600
+    queue_conditions:
+      - check-success=skip-check
+    merge_conditions:
+      - check-success=skip-check
+    commit_message_template: |
+      {{ title }} (#{{ number }})
+
+      {{ body }}