refactor(ci): extract nix eval into reusable workflow

Author: jfroche

.github/workflows/nix-build.yml

@@ -16,19 +16,10 @@ permissions:
 
 jobs:
   nix-eval:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-      - name: Install nix
-        uses: ./.github/actions/nix-install-ephemeral
-      - id: set-matrix
-        name: Generate Nix Matrix
-        run: |
-          set -Eeu
-          echo matrix="$(nix shell github:nix-community/nix-eval-jobs --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"
+    uses: ./.github/workflows/nix-eval.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
 
   nix-build-aarch64-linux:
     name: ${{ matrix.name }} (aarch64-linux)

.github/workflows/nix-eval.yml

@@ -0,0 +1,32 @@
+name: Nix Eval
+
+on:
+  workflow_call:
+    outputs:
+      matrix:
+        description: 'Generated build matrix'
+        value: ${{ jobs.eval.outputs.matrix }}
+    secrets:
+      DEV_AWS_ROLE:
+        required: false
+      NIX_SIGN_SECRET_KEY:
+        required: false
+
+jobs:
+  eval:
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - id: set-matrix
+        name: Generate Nix Matrix
+        run: |
+          set -Eeu
+          echo matrix="$(nix shell github:nix-community/nix-eval-jobs/v2.31.0 --command scripts/github-matrix.py checks legacyPackages)" >> "$GITHUB_OUTPUT"