name: nix

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix fmt . -- --check

  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix flake check -L --show-trace --keep-going

  build:
    needs: check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci