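name: nix

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]

# Least privilege for GITHUB_TOKEN: nothing here writes to the repository.
# The token is only used by checkout and as a Nix access-token for fetching
# flake inputs from github.com, both of which need read access only.
# Image publishing authenticates with the Docker Hub secrets, not this token.
permissions:
  contents: read

# One run per workflow+ref; a newer push cancels the older run.
# NOTE(review): on `push` to main this can also cancel an in-flight
# `docker push` in the build job, leaving Docker Hub with only one of the two
# tags updated. Consider exempting the publish path if that matters.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Evaluates and builds every flake output (checks, packages, devShells).
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - run: nix flake check -L --show-trace --keep-going

  # Formatting gate. `nix fmt` only rewrites files and exits 0 whether or not
  # anything changed, so the job must diff the tree afterwards to actually
  # fail on unformatted code.
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - name: nix fmt
        run: |
          nix fmt
          # Fail if the formatter modified any tracked file.
          git diff --exit-code

  # Lints the Rust workspace inside the flake's devShell.
  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      # TODO(security): pin to a commit SHA like checkout/install-nix-action
      # above; a mutable tag can be moved to different code. Cachix auth is
      # best-effort: on pull requests from forks the secret is empty, so the
      # step is allowed to fail and the job simply runs without the cache.
      - uses: cachix/cachix-action@v14
        continue-on-error: true
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: cargo clippy
        run: nix develop -L --ignore-environment -c cargo clippy --all --locked

  # Builds all outputs and, on pushes to main, publishes the attestation
  # verifier container image to Docker Hub.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      # TODO(security): pin to a commit SHA like checkout/install-nix-action
      # above. See the clippy job for why this step is continue-on-error.
      - uses: cachix/cachix-action@v14
        continue-on-error: true
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      # Cache any artifacts that aren't already cached at https://cache.nixos.org
      # TODO(security): `@main` tracks a moving branch with no review gate on
      # this side; pin to a commit SHA like the other actions above.
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      # NOTE(review): `nixpkgs#nixci` is resolved through the Nix flake
      # registry at run time, not through this repo's flake.lock, so the
      # nixci version is not reproducible across runs. Presumably acceptable
      # for a build driver; pin it if reproducibility is wanted — confirm.
      - name: nix build
        run: nix run nixpkgs#nixci
      # TODO(security): pin docker/login-action to a commit SHA as well.
      - name: Log in to Docker Hub
        if: ${{ github.event_name == 'push' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Load and push
        if: ${{ github.event_name == 'push' }}
        run: |
          # The default `bash -e` does not set pipefail, so a failed
          # `docker load` inside the pipeline below would otherwise be hidden
          # by grep's exit status.
          set -o pipefail
          nix build -L .#container-verify-attestation
          # Plain assignment (not `export ...=$(...)`) so the pipeline's exit
          # status reaches `set -e`; the tag is exported via GITHUB_ENV below.
          IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
          # Never push an empty or mangled reference (would become ":latest").
          if [ -z "${IMAGE_TAG}" ]; then
            echo "::error::could not determine image tag from docker load output"
            exit 1
          fi
          echo "Pushing image ${IMAGE_TAG} to Docker Hub"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_ENV"
          docker push "${IMAGE_TAG}"
          # `latest` is a mutable tag; make sure it exists locally before
          # pushing, since the loaded image may carry only its own tag.
          docker tag "${IMAGE_TAG}" "${IMAGE_TAG%:*}:latest"
          docker push "${IMAGE_TAG%:*}:latest"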