Fix cachix module to push outputs, not just derivations

Problem

The cachix CI module was only pushing .drv (derivation) files to the cache, not the actual build outputs. This meant that built artifacts like ghc-9.2.8 were not being cached.

Example: https://gitlab.horizon-haskell.net/ghc/horizon-ghc/-/jobs/1500550 shows thousands of .drv files being pushed but not the actual /nix/store/v2rkg5zfflrayd9sxban2w8755kzcia3-ghc-9.2.8 output.

Root Cause

The previous implementation tried to pipe omnix output directly to cachix:

om ci run --include-all-dependencies | xargs cachix push

This failed because:

1. om ci run outputs only a JSON file path to stdout, not the actual store paths
2. The old nixci tool used to output paths directly to stdout, but omnix changed this behavior in September 2024
3. Piping the JSON file path to cachix doesn't work

Solution

Use the proper omnix + cachix-push workflow recommended in the omnix documentation:

om ci run --include-all-dependencies --results=om.json
nix run github:juspay/cachix-push -- --cache horizon --subflake ROOT < om.json

This works because:

• om ci run --results=om.json generates a JSON file containing actual store paths (not .drv files)
• cachix-push is designed to consume omnix JSON output and push the real build outputs
• The store paths are indexed by derivation name under the ROOT subflake in the JSON
• cachix-push isn't in nixpkgs but can be referenced as a flake

Changes

• nix/modules/cachix.nix - Updated cachix module to use two-step process
• nix/ci.nix - Updated test CI to match the new workflow
• ChangeLog.md - Added 0.9.0 release notes

Testing

The cachix job in this repository's CI now uses the updated workflow and will verify it works correctly on protected branches.

🤖 Generated with Claude Code