Nix: speed up gateway builds and enforce cache-only CI consumers

.github/workflows/cache-only.yml

@@ -1,4 +1,4 @@
-name: Cache Only
+name: Cache Pipeline
 
 on:
   pull_request:
@@ -9,8 +9,8 @@ on:
     types: [ completed ]
 
 jobs:
-  cache-only:
-    if: ${{ github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main') }}
+  producer-cache-ready:
+    if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main') }}
     runs-on: ubuntu-latest
     env:
       TARGET_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
@@ -68,9 +68,12 @@ jobs:
             packages.x86_64-linux.openclaw-gateway
             packages.x86_64-linux.openclaw-tools
             checks.aarch64-darwin.gateway
+            checks.aarch64-darwin.gateway-smoke
             checks.x86_64-linux.gateway
+            checks.x86_64-linux.gateway-smoke
             checks.x86_64-linux.gateway-tests
             checks.x86_64-linux.config-options
+            checks.x86_64-linux.hm-activation
           )
 
           deadline=$(( $(date +%s) + WAIT_MINUTES * 60 ))
@@ -98,3 +101,74 @@ jobs:
             echo "Cache still missing (${#missing[@]}). Retrying in 30s..."
             sleep 30
           done
+
+  consumer-cache-only:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
+    runs-on: ubuntu-latest
+    env:
+      TARGET_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.TARGET_SHA }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
+
+      - name: Wait for Garnix checks
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const waitMinutes = 30
+            const intervalMs = 30_000
+            const deadline = Date.now() + waitMinutes * 60 * 1000
+            const targetSha = process.env.TARGET_SHA || context.sha
+
+            while (true) {
+              const { data } = await github.rest.checks.listForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: targetSha,
+              })
+              const garnix = data.check_runs.find((run) => run.name === 'All Garnix checks')
+              if (garnix && garnix.status === 'completed') {
+                if (garnix.conclusion !== 'success') {
+                  core.setFailed(`Garnix checks not successful: ${garnix.conclusion}`)
+                }
+                break
+              }
+              if (Date.now() > deadline) {
+                core.setFailed('Timed out waiting for Garnix checks')
+                break
+              }
+              await new Promise((resolve) => setTimeout(resolve, intervalMs))
+            }
+
+      - name: Consume Linux checks from cache only
+        run: |
+          nix build --extra-experimental-features 'nix-command flakes' \
+            --accept-flake-config \
+            --max-jobs 0 \
+            .#checks.x86_64-linux.ci \
+            --print-build-logs
+
+      - name: Consume Darwin artifacts from cache only
+        env:
+          STORE_URL: https://cache.garnix.io
+        run: |
+          set -euo pipefail
+
+          targets=(
+            packages.aarch64-darwin.openclaw
+            packages.aarch64-darwin.openclaw-gateway
+            packages.aarch64-darwin.openclaw-tools
+            packages.aarch64-darwin.openclaw-app
+            checks.aarch64-darwin.gateway
+            checks.aarch64-darwin.gateway-smoke
+          )
+
+          for target in "${targets[@]}"; do
+            out_path=$(nix --extra-experimental-features 'nix-command flakes' eval --accept-flake-config --raw ".#${target}.outPath")
+            nix path-info --store "$STORE_URL" "$out_path" >/dev/null
+          done

.github/workflows/config-options-check.yml

@@ -26,5 +26,39 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v13
 
+      - name: Wait for Garnix checks
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const waitMinutes = 30
+            const intervalMs = 30_000
+            const deadline = Date.now() + waitMinutes * 60 * 1000
+            const targetSha = process.env.TARGET_SHA || context.sha
+
+            while (true) {
+              const { data } = await github.rest.checks.listForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: targetSha,
+              })
+              const garnix = data.check_runs.find((run) => run.name === 'All Garnix checks')
+              if (garnix && garnix.status === 'completed') {
+                if (garnix.conclusion !== 'success') {
+                  core.setFailed(`Garnix checks not successful: ${garnix.conclusion}`)
+                }
+                break
+              }
+              if (Date.now() > deadline) {
+                core.setFailed('Timed out waiting for Garnix checks')
+                break
+              }
+              await new Promise((resolve) => setTimeout(resolve, intervalMs))
+            }
+
       - name: Verify config options are up to date
-        run: nix build .#checks.x86_64-linux.config-options --print-build-logs
+        run: |
+          nix build --extra-experimental-features 'nix-command flakes' \
+            --accept-flake-config \
+            --max-jobs 0 \
+            .#checks.x86_64-linux.config-options \
+            --print-build-logs

.github/workflows/hm-activation-linux.yml

@@ -23,5 +23,39 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v13
 
+      - name: Wait for Garnix checks
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const waitMinutes = 30
+            const intervalMs = 30_000
+            const deadline = Date.now() + waitMinutes * 60 * 1000
+            const targetSha = process.env.TARGET_SHA || context.sha
+
+            while (true) {
+              const { data } = await github.rest.checks.listForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: targetSha,
+              })
+              const garnix = data.check_runs.find((run) => run.name === 'All Garnix checks')
+              if (garnix && garnix.status === 'completed') {
+                if (garnix.conclusion !== 'success') {
+                  core.setFailed(`Garnix checks not successful: ${garnix.conclusion}`)
+                }
+                break
+              }
+              if (Date.now() > deadline) {
+                core.setFailed('Timed out waiting for Garnix checks')
+                break
+              }
+              await new Promise((resolve) => setTimeout(resolve, intervalMs))
+            }
+
       - name: Run HM activation
-        run: nix build .#checks.x86_64-linux.hm-activation --print-build-logs
+        run: |
+          nix build --extra-experimental-features 'nix-command flakes' \
+            --accept-flake-config \
+            --max-jobs 0 \
+            .#checks.x86_64-linux.hm-activation \
+            --print-build-logs

flake.nix

@@ -69,6 +69,9 @@
           let
             baseChecks = {
               gateway = packageSetStable.openclaw-gateway;
+              gateway-smoke = pkgs.callPackage ./nix/checks/openclaw-gateway-smoke.nix {
+                openclawGateway = packageSetStable.openclaw-gateway;
+              };
               package-contents = pkgs.callPackage ./nix/checks/openclaw-package-contents.nix {
                 openclawGateway = packageSetStable.openclaw-gateway;
               };

nix/checks/openclaw-gateway-smoke.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  stdenv,
+  openclawGateway,
+}:
+
+stdenv.mkDerivation {
+  pname = "openclaw-gateway-smoke";
+  version = lib.getVersion openclawGateway;
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+
+  env = {
+    OPENCLAW_GATEWAY = openclawGateway;
+  };
+
+  doCheck = true;
+  checkPhase = "${../scripts/check-gateway-smoke.sh}";
+  installPhase = "${../scripts/empty-install.sh}";
+}

nix/packages/openclaw-gateway.nix

@@ -83,6 +83,7 @@ stdenv.mkDerivation (finalAttrs: {
   postPatch = "${../scripts/gateway-postpatch.sh}";
   buildPhase = "${../scripts/gateway-build.sh}";
   installPhase = "${../scripts/gateway-install.sh}";
+  dontFixup = true;
   dontStrip = true;
   dontPatchShebangs = true;
 

nix/scripts/check-gateway-smoke.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+if [ -z "${OPENCLAW_GATEWAY:-}" ]; then
+  echo "OPENCLAW_GATEWAY is not set" >&2
+  exit 1
+fi
+
+export HOME="$(mktemp -d)"
+
+"$OPENCLAW_GATEWAY/bin/openclaw" --help >/dev/null

nix/scripts/gateway-install.sh

@@ -17,9 +17,27 @@ log_step() {
   printf '>> [timing] %s: %ss\n' "$name" "$((end - start))" >&2
 }
 
+check_no_broken_symlinks() {
+  root="$1"
+  if [ ! -d "$root" ]; then
+    return 0
+  fi
+
+  broken_tmp="$(mktemp)"
+  find "$root" -type l ! -exec test -e {} \; -print > "$broken_tmp"
+  if [ -s "$broken_tmp" ]; then
+    echo "dangling symlinks found under $root" >&2
+    cat "$broken_tmp" >&2
+    rm -f "$broken_tmp"
+    exit 1
+  fi
+  rm -f "$broken_tmp"
+}
+
 mkdir -p "$out/lib/openclaw" "$out/bin"
 
-log_step "copy build outputs" cp -r dist node_modules package.json "$out/lib/openclaw/"
+# Build dir is ephemeral in Nix; moving avoids an expensive deep copy of node_modules.
+log_step "move build outputs" mv dist node_modules package.json "$out/lib/openclaw/"
 if [ -d extensions ]; then
   log_step "copy extensions" cp -r extensions "$out/lib/openclaw/"
 fi
@@ -94,4 +112,6 @@ if [ -n "$hasown_src" ]; then
   fi
 fi
 
+log_step "validate node_modules symlinks" check_no_broken_symlinks "$out/lib/openclaw/node_modules"
+
 bash -e -c '. "$STDENV_SETUP"; makeWrapper "$NODE_BIN" "$out/bin/openclaw" --add-flags "$out/lib/openclaw/dist/index.js" --set-default OPENCLAW_NIX_MODE "1"'