teepot/.github/workflows/nix.yml

name: nix

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
    tags: [ "*-sgx-*" ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix flake check -L --show-trace --keep-going

  build:
    needs: check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci

  push_to_docker:
    needs: build
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        config:
          - { nixpackage: 'container-vault-sgx-azure' }
          - { nixpackage: 'container-vault-unseal-sgx-azure' }
          - { nixpackage: 'container-vault-admin-sgx-azure' }
          - { nixpackage: 'container-vault-unseal' }
          - { nixpackage: 'container-vault-admin' }
          - { nixpackage: 'container-self-attestation-test-sgx-dcap' }
          - { nixpackage: 'container-self-attestation-test-sgx-azure' }
          - { nixpackage: 'container-verify-attestation-sgx' }
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v15
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Load container
        id: build
        run: |
          nix build --accept-flake-config -L .#${{ matrix.config.nixpackage }}
          export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
          echo "IMAGE_NAME=${IMAGE_TAG%:*}" >> "$GITHUB_OUTPUT"

      - name: Push container
        run: |
          echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to Docker Hub"
          docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"
          docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"

      - name: Tag container as latest
        if: ${{ github.event_name == 'push' }}
        run: |
          docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
          docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"

      - name: Generate build ID for Flux Image Automation
        id: flux
        if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
        run: |
          sha=$(git rev-parse --short HEAD)
          ts=$(date +%s%N | cut -b1-13)
          echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"

      - name: Generate build ID for Flux Image Automation
        id: tag
        if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
        run: |
          echo "BUILD_ID=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

      - name: Auth to google artifact registry
        if: ${{ github.event_name == 'push' }}
        run: |
          gcloud auth configure-docker us-docker.pkg.dev -q

      - name: Push Docker image to matterlabs-infra
        if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
        run: |
          docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"
          docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"

      - name: Push Docker image to matterlabs-infra
        if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
        run: |
          docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"
          docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"