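# CI for the Nix flake: formatting check, `nix flake check`, then a full build
# and a container-based integration check on a self-hosted runner.
name: nix

on:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]

# One run per workflow/ref pair; a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege for the job token. Every job below writes github.token into
# nix.conf (access-tokens), where each later step of that job, including
# third-party actions, can read it. Nothing in this file writes to the
# repository, so read-only contents access is requested explicitly instead of
# inheriting the repository/organisation default.
permissions:
  contents: read

# NOTE(review): actions/checkout is pinned to a commit SHA, but
# cachix/install-nix-action (@v30), ryanccn/attic-action (@v0) and
# DeterminateSystems/magic-nix-cache-action (@main) use mutable refs. Those
# steps run with the job token and, for attic-action, with ATTIC_TOKEN; pin
# them to full commit SHAs the same way checkout is pinned.

jobs:
  # Formatting gate: fails when `nix fmt` would change any file.
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
      - uses: cachix/install-nix-action@v30
        with:
          # access-tokens authenticates Nix fetches from github.com.
          # trusted-public-keys and substituters must stay in step: every
          # substituter listed here needs its signing key in the key list.
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
            sandbox = true
      # NOTE(review): GitHub does not pass repository secrets to pull_request
      # runs from forks, so ATTIC_TOKEN is empty there; confirm the action
      # degrades cleanly in that case.
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: https://attic.teepot.org/
          cache: tee-pot
          token: ${{ secrets.ATTIC_TOKEN }}
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix fmt . -- --check

  # Evaluates and runs all flake checks; --keep-going reports every failure
  # instead of stopping at the first one.
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
      - uses: cachix/install-nix-action@v30
        with:
          # Same Nix configuration as the fmt job; keep the two in sync.
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
            sandbox = true
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: https://attic.teepot.org/
          cache: tee-pot
          token: ${{ secrets.ATTIC_TOKEN }}
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix flake check -L --show-trace --keep-going

  # Full build plus integration check. Runs only after `check` succeeds.
  # NOTE(review): this job runs on a self-hosted runner and is reachable from
  # the pull_request trigger, and it starts a --privileged container built
  # from the checked-out tree. Confirm that runs for outside contributors
  # require approval and that the runner is ephemeral or otherwise isolated.
  build:
    needs: check
    runs-on: [matterlabs-default-infra-runners]
    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
      - uses: cachix/install-nix-action@v30
        with:
          # Same Nix configuration as the fmt and check jobs.
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
            substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
            sandbox = true
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: https://attic.teepot.org/
          cache: tee-pot
          token: ${{ secrets.ATTIC_TOKEN }}
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      # NOTE(review): nixci is resolved from the nixos-23.11 branch at run
      # time, not from this repository's flake.lock, so the tool revision can
      # change between runs; pin the flake reference to a revision.
      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
      # Builds the test image, loads it into Docker and checks its output.
      # --accept-flake-config applies the flake's own nixConfig without a
      # prompt; on pull_request runs that configuration comes from the
      # proposed change, so it deserves review like any other code.
      # No `shell:` is set, so bash runs without pipefail and the step result
      # is decided by grep alone, not by the exit status of `docker run`.
      - name: integration check
        run: |
          nix build --accept-flake-config -L .#nixsgx-test-sgx-azure
          docker load -i result
          docker run -i --env GRAMINE_DIRECT=1 --privileged --init --rm nixsgx-test-sgx-azure:latest | grep -q -F 'Hello, world!'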