diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 7b0d614..318308e 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -22,13 +22,17 @@ jobs:
         env:
           XDG_CONFIG_HOME: ${{ runner.temp }}/.config
         run: |
+          set -euxo pipefail
+          export XDG_CONFIG_HOME="$(mktemp -d)"
           mkdir -p "$XDG_CONFIG_HOME/attic"
           attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
           # Get all system toplevel store paths
           toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
+          echo "Found $(echo "$toplevels" | wc -l) system toplevels"
           # Expand to full closures, deduplicate, and filter out paths already
           # signed by cache.nixos.org — only our custom builds need caching
-          echo "$toplevels" \
+          paths=$(echo "$toplevels" \
             | xargs nix path-info -r --json \
-            | jq -r '[.[] | select((.signatures // []) | all(startswith("cache.nixos.org") | not)) | .path] | unique[]' \
-            | xargs attic push local:nixos 1>/dev/null
+            | jq -r '[.[] | select((.signatures // []) | all(startswith("cache.nixos.org") | not)) | .path] | unique[]')
+          echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+          echo "$paths" | xargs attic push local:nixos