diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 58467c78ec..7cf9f9a96f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,9 +18,6 @@ on:
       linux:
         description: "Linux"
         type: boolean
-      push_to_nix_cache:
-        description: "Linux: push to Nix cache"
-        type: boolean
       debug:
         description: "Debug build"
         type: boolean
@@ -34,8 +31,6 @@ on:
         type: boolean
       linux:
         type: boolean
-      push_to_nix_cache:
-        type: boolean
       debug:
         type: boolean
       checkout_repo:
@@ -569,6 +564,10 @@ jobs:
 
       - name: ❄ Install Nix
         uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=
 
       - name: 🗑 Free disk space
         run: sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
@@ -577,12 +576,12 @@ jobs:
         run: nix build .#graphite${{ inputs.debug && '-dev' || '' }} --no-link --print-out-paths
 
       - name: 📤 Push to Nix cache
-        if: (github.event_name == 'push' || inputs.push_to_nix_cache) && !inputs.debug
         env:
-          NIX_CACHE_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN }}
+          NIX_CACHE_AUTH_TOKEN: ${{ (!inputs.debug && github.ref == 'refs/heads/master') && secrets.NIX_CACHE_AUTH_TOKEN || secrets.NIX_CACHE_AUTH_TOKEN_DEV }}
+          NIX_CACHE_NAME: ${{ (!inputs.debug && github.ref == 'refs/heads/master') && 'graphite' || 'graphite-dev' }}
         run: |
           nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN
-          nix build --no-link --print-out-paths | nix run nixpkgs#cachix -- push graphite
+          nix build .#graphite${{ inputs.debug && '-dev' || '' }} --no-link --print-out-paths | nix run nixpkgs#cachix -- push $NIX_CACHE_NAME
 
       - name: 🏗 Build Linux bundle
         run: nix build .#graphite${{ inputs.debug && '-dev' || '' }}-bundle.tar.xz && cp ./result ./graphite-linux-bundle.tar.xz
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 0000000000..d295a4543e
--- /dev/null
+++ b/.github/workflows/nix.yml
@@ -0,0 +1,51 @@
+name: "Nix Housekeeping"
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch: {}
+
+jobs:
+  cache-dev-shell:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: 📥 Clone repository
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ inputs.checkout_repo || github.repository }}
+          ref: ${{ inputs.checkout_ref || '' }}
+
+      - name: ❄ Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=
+
+      - name: 🔎 Check whether development shell is already in binary cache
+        id: cache-check
+        run: |
+          out_path="$(nix eval --raw .#devShells.x86_64-linux.default.outPath)"
+          if nix path-info --store https://graphite-dev.cachix.org "$out_path" &>/dev/null; then
+            echo "cached=true" >> "$GITHUB_OUTPUT"
+            echo "Development shell is already cached at $out_path"
+          else
+            echo "cached=false" >> "$GITHUB_OUTPUT"
+            echo "Development shell is not cached"
+          fi
+
+      - name: 📦 Build Nix development shell
+        if: steps.cache-check.outputs.cached == 'false'
+        run: nix build .#devShells.x86_64-linux.default --no-link --print-out-paths
+
+      - name: 📤 Push Nix development shell to binary cache
+        if: steps.cache-check.outputs.cached == 'false'
+        env:
+          NIX_CACHE_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN_DEV }}
+        run: |
+          nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN
+          nix build .#devShells.x86_64-linux.default --no-link --print-out-paths | nix run nixpkgs#cachix -- push graphite-dev
diff --git a/.github/workflows/provide-shaders.yml b/.github/workflows/provide-shaders.yml
index 647878cefe..3bc86d330b 100644
--- a/.github/workflows/provide-shaders.yml
+++ b/.github/workflows/provide-shaders.yml
@@ -17,9 +17,10 @@ jobs:
 
       - name: ❄ Install Nix
         uses: DeterminateSystems/nix-installer-action@main
-
-      - name: 💾 Set up Nix cache
-        uses: DeterminateSystems/magic-nix-cache-action@main
+        with:
+          extra-conf: |
+            extra-substituters = https://graphite.cachix.org https://graphite-dev.cachix.org
+            extra-trusted-public-keys = graphite.cachix.org-1:B7Il1yMpkquN/dXM+5GRmz+4Xmu2aaCS1GcWNfFhsOo= graphite-dev.cachix.org-1:RppXYpiV1qO2TYKTkXXGHsAEQDOB5G51b3VlrN9QmbI=
 
       - name: 🏗 Build graphene raster nodes shaders
         run: nix build .#graphite-raster-nodes-shaders && cp result raster_nodes_shaders_entrypoint.wgsl