# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This workflow does double duty: it runs checks against PRs/pushes, and it
# updates flake.lock (run from a schedule or manually).
#
# This approach seems simpler than having a separate lockfile-updating workflow
# that creates a PR that gets the normal check workflow ran against it before
# merging, especially since (according to
# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
# not run workflows against PRs created by a GitHub Action.

name: CI

on:
  push:
  pull_request:
  workflow_dispatch:
    inputs:
      updateFlakeLock:
        description: 'Update flake.lock'
        default: false
        type: boolean
  schedule:
    - cron: '23 8 * * *' # runs daily at a randomly selected time

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      id-token: "write"
      contents: "write"
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main
        with:
          use-flakehub: false
      - name: Update flake.lock
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: |
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          nix flake update --commit-lock-file
      - name: Check flake.lock
        uses: DeterminateSystems/flake-checker-action@main
      # Update the caches daily, flush the cache monthly.
      - name: Set cache keys
        id: cache-keys
        run: |
          {
            echo "key=$(date +'%Y-%m-%d')"
            echo "restore=$(date +'%Y-%m-')"
          } >> "$GITHUB_OUTPUT"
      - name: Cache git checkouts
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/gitv3
          key: nix-gitv3-cache-${{ steps.cache-keys.outputs.key }}
          restore-keys: nix-gitv3-cache-${{ steps.cache-keys.outputs.restore }}
      - name: Cache tarballs
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/tarball-cache
          key: nix-tarball-cache-${{ steps.cache-keys.outputs.key }}
          restore-keys: nix-tarball-cache-${{ steps.cache-keys.outputs.restore }}
      - name: nix flake check
        run: nix flake check -L --show-trace
      - name: Build packages for Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        run: nix build .#cachix-packages -L
      # Intentionally install Cachix late: build artifacts are cached by Magic
      # Nix Cache, only the runtime closure of cachix-packages goes to the
      # public Cachix cache.
      - name: Install Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        uses: cachix/cachix-action@v15
        with:
          name: doom-emacs-unstraightened
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Push to Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        run: readlink result | cachix push doom-emacs-unstraightened
      - name: Push changes
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: git push
        # `git push` only works because branch protection is not enabled.
        #
        # Currently branch protection is not effective anyway, since the only
        # contributor (marienz) has admin permissions, and applying branch
        # protection to administrators seems to be an "organization" feature.
        #
        # The supported path seems to be "create a PR and use the API to merge
        # it", but that's more work to implement (see above): revisit later.

# TODO: try to improve caching.
#
# We spend a lot of time fetching sources. Caching all of ~/.cache/nix/gitv3 is
# not ideal: it is too large (3GiB) and we don't expire individual checkouts.
# https://github.com/DeterminateSystems/magic-nix-cache/issues/28 may help.
#
# The "magic" nix cache hits usage limits:
#
#   2024-05-18T06:45:19.165515Z ERROR magic_nix_cache::gha: Upload of path '/nix/store/fpq1vaw8vr88a67lc2jspskf2fa7zbvj-emacs-treepy-20230715.2154' failed: GitHub API error: API error (429 Too Many Requests): StructuredApiError { message: "Request was blocked due to exceeding usage of resource 'Count' in namespace ''." }
#
# This might get better as the cache populates, as long as I don't hit size
# limits.