diff --git a/.gitea/workflows/check.yaml b/.gitea/workflows/check.yaml
index 73083a8e..47dae993 100644
--- a/.gitea/workflows/check.yaml
+++ b/.gitea/workflows/check.yaml
@@ -8,4 +8,4 @@ jobs:
 runs-on: nix
 steps:
 - uses: actions/checkout@v3
- - run: nix flake check --keep-going -L
+ - run: bash ./scripts/ci
diff --git a/docs/secrets-management.md b/docs/secrets-management.md
new file mode 100644
index 00000000..2171713f
--- /dev/null
+++ b/docs/secrets-management.md
@@ -0,0 +1,4 @@
+The clan cli provides a workflowq
+
+$ clan secrets users add joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+$ clan secrets machines add web01 age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
diff --git a/scripts/ci b/scripts/ci
new file mode 100755
index 00000000..c39be836
--- /dev/null
+++ b/scripts/ci
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+args=(
+ "$@"
+ --accept-flake-config
+ --gc-roots-dir gc-root
+ --option allow-import-from-derivation false
+ --show-trace
+ --force-recurse
+ --workers "$(nproc)"
+ --flake ".#checks.x86_64-linux"
+)
+
+summary=summary.log
+
+if [[ -n "${GITHUB_STEP_SUMMARY-}" ]]; then
+ log() {
+ echo "$*" >> "$GITHUB_STEP_SUMMARY"
+ }
+else
+ log() {
+ echo "$*" > "$summary"
+ }
+fi
+
+rc=0
+
+for job in $(nix shell --inputs-from '.#' "nixpkgs#nix-eval-jobs" -c nix-eval-jobs "${args[@]}" | jq -r '. | @base64'); do
+ job=$(echo "$job" | base64 -d)
+ attr=$(echo "$job" | jq -r .attr)
+ echo "### $attr"
+ error=$(echo "$job" | jq -r .error)
+ if [[ $error != null ]]; then
+ log "### ❌ $attr"
+ log
+ log "
Eval error:
"
+    log "$error"
+    log "
"
+ rc=1
+ else
+ drvPath=$(echo "$job" | jq -r .drvPath)
+ if ! nix-store --option keep-going true --realize "$drvPath" 2>&1 | tee build-log.txt; then
+ log "### ❌ $attr"
+ log
+ log "
Build error:last 50 lines:
"
+      log "$(tail -n 50 build-log.txt)"
+      log "
"
+ rc=1
+ else
+ log "### ✅ $attr"
+ fi
+ log
+ rm build-log.txt
+ fi
+done
+
+if [[ -f "$summary" ]]; then cat "$summary"; fi
+exit "$rc"
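Review bot: The `for job in $(nix shell … | jq -r '. | @base64'); do` loop fails open, because `set -e` does not act on a non-zero exit from a command substitution used as a `for` word list. If nix-eval-jobs or jq fails, the loop runs over few or no jobs, `rc` stays 0, and the check goes green without having evaluated anything. Capturing the list in an assignment first makes that failure fatal under `set -euo pipefail`: `jobs=$(nix shell --inputs-from '.#' "nixpkgs#nix-eval-jobs" -c nix-eval-jobs "${args[@]}" | jq -r '. | @base64')` followed by `for job in $jobs; do`. Separately, the fallback `log()` uses `echo "$*" > "$summary"`, which truncates summary.log on every call, so the final `cat "$summary"` shows only the last logged line. It should append with `>>` like the GITHUB_STEP_SUMMARY branch, after emptying the file once before the loop with `: > "$summary"`.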