name: build and cache packages
on:
  workflow_dispatch:
    inputs:
      package:
        description: "package to build"
        required: false
        type: string

env:
  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
  NIX_CONFIG: |
    show-trace = true
    experimental-features = nix-command flakes
    accept-flake-config = true
    secret-key-files = /home/runner/cache-priv-key.pem
    extra-substituters = https://nixcache.cy7.sh
    extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8=
  TERM: ansi
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}

jobs:
  build-packages:
    strategy:
      fail-fast: false
      matrix:
        package:
          - ${{ inputs.package }}
        os:
          - ubuntu-latest
          - ubuntu-24.04-arm
          # - macos-latest
          # - macos-13
    runs-on: ${{ matrix.os }}

    steps:
      - name: setup binary cache key
        run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem

      - name: Install Nix
        uses: cachix/install-nix-action@v30

      - name: Install Lix
        run: |
          sudo --preserve-env=PATH $(which nix) run \
          --experimental-features "nix-command flakes" \
          --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \
          'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
          upgrade-nix \
          --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
          nix --version

      - name: Sync repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - run: nix build -L ${{ matrix.package }}

      - name: cache result
        # https://stackoverflow.com/a/58859404
        if: '!cancelled()'
        run: |
          derivations=()
          while IFS=$'\n' read derivation; do
              derivations+=("$derivation")
          done < <(nix path-info --derivation "${{ matrix.package }}")

          for derivation in "${derivations[@]}"; do
              nix copy -j8 \
                --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \
                $(nix-store --query --requisites --include-outputs "$derivation")
          done

      - name: prepare tarball to upload
        run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result

      - name: upload result
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}
          path: result.tar
          if-no-files-found: error