diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a26d532..947e168 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
       run: nix-shell --pure --run "golangci-lint run"
       if: matrix.nixPath == 'nixpkgs=channel:nixpkgs-unstable'
     - name: Build nix packages
-      run: nix run nixpkgs.nix-build-uncached -c nix-build-uncached default.nix
+      run: nix-build release.nix
     - name: Run sops-pgp-hook tests
       run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook"
     - name: Add keys group (needed for go tests)
diff --git a/release.nix b/release.nix
new file mode 100644
index 0000000..451d933
--- /dev/null
+++ b/release.nix
@@ -0,0 +1,13 @@
+# This file filters out all the broken packages from your package set.
+# It's what gets built by CI, so if you correctly mark broken packages as
+# broken your CI will not try to build them and the non-broken packages will
+# be added to the cache.
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.lib.filter (p:
+  (builtins.isAttrs p)
+  && !((builtins.hasAttr "meta" p)
+    && (((builtins.hasAttr "broken" p.meta) && (p.meta.broken))
+      || (builtins.hasAttr "available" p.meta && !p.meta.available))
+  && !((builtins.hasAttr "disabled" p) && (p.disabled))))
+  (pkgs.lib.collect (pkgs.lib.isDerivation) (import ./default.nix { inherit pkgs; }))