# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This workflow does double duty: it runs checks against PRs/pushes, and it
# updates flake.lock (run from a schedule or manually).
#
# This approach seems simpler than having a separate lockfile-updating workflow
# that creates a PR that gets the normal check workflow ran against it before
# merging, especially since (according to
# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
# not run workflows against PRs created by a GitHub Action.

name: CI

on:
  push:
  pull_request:
  workflow_dispatch:
    inputs:
      updateFlakeLock:
        description: 'Update flake.lock'
        default: false
        type: boolean
# To enable once confirmed working.
# schedule:
#   - cron: '23 8 * * *' # runs daily at a randomly selected time

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      id-token: "write"
      contents: "read"
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Update flake.lock
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: |
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          nix flake update --commit-lock-file
      - name: Check flake.lock
        uses: DeterminateSystems/flake-checker-action@main
        with:
          nixpkgs-keys: ""  # TODO: check nixpkgs used for cached builds
      - name: Cache git checkouts
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/gitv3
          key: nix-gitv3-cache-${{ hashFiles('flake.lock') }}
          restore-keys: nix-gitv3-cache-
      - name: nix flake check
        run: nix flake check -L --show-trace
      - name: Push changes
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: git push

# TODO: try to improve caching.
#
# We spend a lot of time fetching sources. Caching all of ~/.cache/nix/gitv3 is
# not ideal: it is too large (3GiB) and we don't expire individual checkouts.
# https://github.com/DeterminateSystems/magic-nix-cache/issues/28 may help.
#
# The "magic" nix cache hits usage limits:
#
#   2024-05-18T06:45:19.165515Z ERROR magic_nix_cache::gha: Upload of path '/nix/store/fpq1vaw8vr88a67lc2jspskf2fa7zbvj-emacs-treepy-20230715.2154' failed: GitHub API error: API error (429 Too Many Requests): StructuredApiError { message: "Request was blocked due to exceeding usage of resource 'Count' in namespace ''." }
#
# This might get better as the cache populates, as long as I don't hit size
# limits.