nixsgx/.github/workflows/nix.yml

name: nix

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix fmt . -- --check

  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix flake check -L --show-trace --keep-going

  build:
    needs: check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci

      - name: integration check
        run: |
          nix build --accept-flake-config -L .#nixsgx-test-sgx-azure
          docker load -i result
          docker run -i --env GRAMINE_DIRECT=1 --privileged --init --rm nixsgx-test-sgx-azure:latest | grep -q -F 'Hello, world!'