refactor(ci): align setup-nix action with infra reference implementation

Replace custom setup-nix action with standardized version from infra:
- Use nix-quick-install-action for all installs (removes DeterminateSystems dependency)
- Add nix-community/cache-nix-action for GitHub Actions caching on Linux
- Change hatchet-protocol from 'rampage' to 'carve' (less aggressive)
- Add pinned SHA commits for all actions (security best practice)
- Standardize input parameters and add cache outputs
- Simplify cachix integration with cachix-action instead of sops/shell scripts

Author: cameronraysmith

.github/actions/setup-nix/action.yml

@@ -1,61 +1,86 @@
 name: setup-nix
-description: Setup Nix with optional disk space optimization and cachix binary cache configuration
+description: setup nix using nothing-but-nix pattern with space reclamation and github actions cache
 
 inputs:
   installer:
     description: |
-      Nix installation strategy:
-      - 'full' (default): Aggressive disk cleanup + DeterminateSystems installer
-      - 'quick': Lightweight install with nixbuild/nix-quick-install-action
+      nix installation strategy:
+      - 'full' (default): space reclamation + cache + cachix for builds
+      - 'quick': minimal install for simple tasks (no space reclamation, no caching overhead)
     type: string
     required: false
     default: full
   system:
-    description: Nix system to configure (e.g., x86_64-linux, aarch64-darwin)
+    description: nix system to configure (e.g., x86_64-linux, aarch64-darwin)
     type: string
-    required: false
-    default: x86_64-linux
-  extra-conf:
-    description: Additional nix.conf configuration
+    required: true
+  sandbox:
+    description: enable nix sandbox builds
+    type: string
+    default: "true"
+  cache-key:
+    description: primary cache key (auto-generated from nix files if not provided)
     type: string
     required: false
-    default: system-features = nixos-test benchmark big-parallel kvm
-  setup-cachix:
-    description: Setup cachix binary cache after Nix installation (requires SOPS_AGE_KEY in env)
+    default: ""
+  gc-max-store-size-linux:
+    description: max nix store size on linux before garbage collection (e.g., 5G, 10G)
+    type: string
+    default: "5G"
+  gc-max-store-size-macos:
+    description: max nix store size on macos before garbage collection (e.g., 5G, 10G)
+    type: string
+    default: "5G"
+  enable-cachix:
+    description: enable cachix binary cache
     type: boolean
-    required: false
     default: false
-  cachix-auth:
-    description: Authenticate with cachix for pushing (requires setup-cachix=true)
-    type: boolean
+  cachix-name:
+    description: cachix cache name
+    type: string
+    required: false
+  cachix-auth-token:
+    description: cachix auth token
+    type: string
     required: false
+  cachix-skip-push:
+    description: skip pushing to cachix (read-only)
+    type: boolean
     default: false
 
+outputs:
+  cache-hit:
+    description: whether the primary cache key was hit
+    value: ${{ steps.cache.outputs.hit-primary-key }}
+  cache-key:
+    description: the cache key that was used
+    value: ${{ steps.cache.outputs.primary-key }}
+
 runs:
   using: composite
   steps:
-    # Full installer: Aggressive disk cleanup + DeterminateSystems
-    - name: Reclaim disk space (Linux)
+    - name: reclaim space (linux)
       if: runner.os == 'Linux' && inputs.installer == 'full'
-      uses: wimpysworld/nothing-but-nix@main
+      uses: wimpysworld/nothing-but-nix@10c936d9e46521bf923f75458e0cbd4fa309300d # ratchet:wimpysworld/nothing-but-nix@main
       with:
-        hatchet-protocol: rampage
+        hatchet-protocol: carve
+        nix-permission-edict: true
 
-    - name: Reclaim disk space (macOS)
+    - name: reclaim space (darwin)
       if: runner.os == 'macOS' && inputs.installer == 'full'
       shell: bash
       run: |
-        echo "::group::Disk space before cleanup"
+        echo "::group::disk space (before)"
         sudo df -h
         echo "::endgroup::"
 
-        echo "::group::Disable Spotlight indexing"
+        echo "::group::disable mds"
         sudo mdutil -i off -a || echo "mdutil failed"
         sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist \
-          || echo "launchctl unload failed"
+         || echo "launchctl unload failed"
         echo "::endgroup::"
 
-        echo "Starting background cleanup to reclaim disk space..."
+        echo "Background space expansion started. /nix will grow as space becomes available."
         sudo rm -rf \
           /Applications/Xcode_* \
           /Library/Developer/CoreSimulator \
@@ -67,44 +92,45 @@ runs:
           /Users/runner/Library/Developer/CoreSimulator \
           /Users/runner/hostedtoolcache &
 
-    - name: Install Nix (DeterminateSystems)
-      if: inputs.installer == 'full'
-      uses: DeterminateSystems/nix-installer-action@main
+    - name: install nix
+      uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # ratchet:nixbuild/nix-quick-install-action@v34
       with:
-        extra-conf: |
+        nix_conf: |
+          sandbox = ${{ inputs.sandbox }}
           system = ${{ inputs.system }}
-          ${{ inputs.extra-conf }}
+          keep-env-derivations = true
+          keep-outputs = true
 
-    # Quick installer: Lightweight nixbuild/nix-quick-install-action
-    - name: Install Nix (Quick Install)
-      if: inputs.installer == 'quick'
-      uses: nixbuild/nix-quick-install-action@master
+    - name: setup cache
+      if: runner.os == 'Linux' && inputs.installer == 'full'
+      id: cache
+      uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # ratchet:nix-community/cache-nix-action@v6
+      with:
+        primary-key: ${{ inputs.cache-key != '' && inputs.cache-key || format('nix-{0}-{1}', runner.os, hashFiles('**/*.nix', '**/flake.lock')) }}
+        restore-prefixes-first-match: ${{ format('nix-{0}-', runner.os) }}
+        gc-max-store-size-linux: ${{ inputs.gc-max-store-size-linux }}
+        gc-max-store-size-macos: ${{ inputs.gc-max-store-size-macos }}
+        purge: true
+        purge-prefixes: ${{ format('nix-{0}-', runner.os) }}
+        purge-created: 0
+        purge-last-accessed: 0
+        purge-primary-key: never
 
-    - name: Report disk space (macOS post-cleanup)
+    - name: setup cachix
+      if: inputs.enable-cachix
+      uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # ratchet:cachix/cachix-action@v16
+      continue-on-error: true
+      with:
+        name: ${{ inputs.cachix-name }}
+        authToken: ${{ inputs.cachix-auth-token }}
+        skipPush: ${{ inputs.cachix-skip-push }}
+
+    - name: post setup-nix
       if: runner.os == 'macOS' && inputs.installer == 'full'
-      uses: srz-zumix/post-run-action@v2
+      uses: srz-zumix/post-run-action@2bf288bc024acd0341914f792a811080ebd0f252 # ratchet:srz-zumix/post-run-action@v2
       with:
         shell: bash -e {0}
         post-run: |
-          echo "::group::Disk space after workflow"
+          echo "::group::disk space (after)"
           sudo df -h
           echo "::endgroup::"
-
-    - name: Setup and authenticate cachix
-      if: inputs.setup-cachix == 'true' && inputs.cachix-auth == 'true'
-      shell: bash
-      run: |
-        nix develop -c sops exec-env vars/shared.yaml '
-          cachix authtoken "$CACHIX_AUTH_TOKEN"
-          cachix use "$CACHIX_CACHE_NAME"
-          cachix use nix-community
-        '
-
-    - name: Setup cachix for binary cache
-      if: inputs.setup-cachix == 'true' && inputs.cachix-auth != 'true'
-      shell: bash
-      run: |
-        nix develop -c sops exec-env vars/shared.yaml '
-          cachix use "$CACHIX_CACHE_NAME"
-          cachix use nix-community
-        '