We recently made generally available garnix actions, which allow you to run arbitrary Nix flake apps - for deploying, or suggesting lints, or running impure tests, for example. More on this and why you might want it instead of GitHub Actions on the blog.
Do these come with an OIDC token in the env like GitHub Actions do? That’d be useful for things like container push and triggering deploys without needing static secrets.