name: build
on:
  workflow_dispatch:
  push:
  pull_request:

env:
  TERM: ansi
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
  AWS_ENDPOINT: https://s3.cy7.sh

jobs:
  build-packages:
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - ubuntu-24.04-arm
          - macos-latest # arm64
          - macos-13 # x86

    runs-on: ${{ matrix.os }}

    steps:
      - name: setup binary cache key
        run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem

      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641
        with:
          enable_kvm: true
          extra_nix_config: |
            show-trace = true
            experimental-features = nix-command flakes
            secret-key-files = ${{ runner.temp }}/cache-priv-key.pem
            extra-substituters = https://nixcache.cy7.sh
            extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=

      - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
        with:
          persist-credentials: false

      - run: nix build -L .

      - name: cache
        run: |
          nix run \
            github:cything/nixcp/test-in-ci -- push \
            --bucket nixcache \
            --signing-key ${{ runner.temp }}/cache-priv-key.pem \
            result

      - name: prepare tarball to upload
        run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result

      - name: upload result
        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
        with:
          name: ${{ matrix.os }}.tar
          path: result.tar
          if-no-files-found: error