name: CI

on:
  push:

env:
  ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}

jobs:
  build:
    runs-on: nix
    steps:
      - name: Debug
        run: |
          cat /etc/hosts
          nix run nixpkgs#curl -- -v https://heise.de
          nix run nixpkgs#curl -- -v https://fh2.ch
          nix run nixpkgs#curl -- -v https://git.qo.is
          git clone https://git.qo.is/qo.is/infrastructure-private.git /tmp/private

      - name: Initialize CI
        uses: https://git.qo.is/qo.is/actions-nix-init@main
        with:
          token: ${{ secrets.CI_TOKEN }}
          lfs: false

      - name: Add submodules to nix store to circumvent another nix bug
        run: |
          cat /etc/hosts
          curl -v https://heise.de
          curl -v https://fh2.ch
          curl -v https://git.qo.is
          git clone https://git.qo.is/qo.is/infrastructure-private.git /tmp/private
          cd /tmp/private
          nix flake prefetch

      - name: Use attic cache
        run: nix run .#cache use

      - name: Build
        run: |
          nix build --max-jobs 12 --cores 12
          nix run .#cache push

      - name: Run Checks
        run: nix flake check

      - name: Deploy Docs
        if: success() && github.ref == 'refs/heads/main'
        run: |
          mkdir ~/.ssh/
          echo -e "Host lindberg-webapps.backplane.net.qo.is\n    StrictHostKeyChecking no" >> ~/.ssh/config
          (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
          # Remote build might be neccessary due to non-wheel nix users signing restrictions.
          # However, the build should come from the cache anyway.
          nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"