name: "CI"

on:
  pull_request:
  push:

permissions: read-all

jobs:

  tests:
    needs: [check_secrets]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v24
      with:
        # The sandbox would otherwise be disabled by default on Darwin
        extra_nix_config: "sandbox = true"
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - uses: cachix/cachix-action@v13
      if: needs.check_secrets.outputs.cachix == 'true'
      with:
        name: '${{ env.CACHIX_NAME }}'
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: nix --experimental-features 'nix-command flakes' flake check -L

  check_secrets:
    permissions:
      contents: none
    name: Check Cachix and Docker secrets present for installer tests
    runs-on: ubuntu-latest
    outputs:
      cachix: ${{ steps.secret.outputs.cachix }}
      docker: ${{ steps.secret.outputs.docker }}
    steps:
      - name: Check for secrets
        id: secret
        env:
          _CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }}
          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}"
          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"

  installer:
    needs: [tests, check_secrets]
    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
    runs-on: ubuntu-latest
    outputs:
      installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - uses: cachix/install-nix-action@v24
      with:
        install_url: https://releases.nixos.org/nix/nix-2.13.3/install
    - uses: cachix/cachix-action@v13
      with:
        name: '${{ env.CACHIX_NAME }}'
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - id: prepare-installer
      run: scripts/prepare-installer-for-github-actions

  installer_test:
    needs: [installer, check_secrets]
    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - uses: cachix/install-nix-action@v24
      with:
        install_url: '${{needs.installer.outputs.installerURL}}'
        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
    - run: sudo apt install fish zsh
      if: matrix.os == 'ubuntu-latest'
    - run: brew install fish
      if: matrix.os == 'macos-latest'
    - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec fish -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
    - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"

  docker_push_image:
    needs: [check_secrets, tests]
    permissions:
      contents: read
      packages: write
    if: >-
      github.event_name == 'push' &&
      github.ref_name == 'master' &&
      needs.check_secrets.outputs.cachix == 'true' &&
      needs.check_secrets.outputs.docker == 'true'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v24
      with:
        install_url: https://releases.nixos.org/nix/nix-2.13.3/install
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#default.version | tr -d \")" >> $GITHUB_ENV
    - uses: cachix/cachix-action@v13
      if: needs.check_secrets.outputs.cachix == 'true'
      with:
        name: '${{ env.CACHIX_NAME }}'
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
    - run: docker load -i ./result/image.tar.gz
    - run: docker tag nix:$NIX_VERSION nixos/nix:$NIX_VERSION
    - run: docker tag nix:$NIX_VERSION nixos/nix:master
    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
    #
    # Push to Docker Hub first
    - name: Login to Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
    - run: docker push nixos/nix:$NIX_VERSION
    - run: docker push nixos/nix:master
    # Push to GitHub Container Registry as well
    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Push image
      run: |
        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
        # Change all uppercase to lowercase
        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')

        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
        docker tag nix:$NIX_VERSION $IMAGE_ID:master
        docker push $IMAGE_ID:$NIX_VERSION
        docker push $IMAGE_ID:master