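# CI workflow: evaluates the flake, builds every NixOS configuration it
# exposes, and uploads the locally built store paths to an Attic binary cache.
name: Check Flake

# NOTE(review): this runs on every push to every branch, and the last step
# writes to the shared binary cache. Consider restricting the push step to
# protected branches so that only reviewed code can populate the cache.
on: [push]

# NOTE(review): no `permissions:` block is declared, so the job token keeps
# the platform default scope. If the forge supports it, a read-only contents
# scope should be sufficient for this workflow - confirm.

env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/

jobs:
  check-flake:
    runs-on: nixos
    steps:
      - name: Checkout the repository
        # NOTE(review): the action is referenced by a mutable tag. Pinning it
        # to a full commit SHA prevents a retagged release from changing the
        # code that runs in a job which later handles the cache token.
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Check Flake
        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace

      - name: Build all systems
        run: |
          # Fail the step if any stage of the pipeline fails; otherwise a
          # failing `nix eval` yields empty input and the step passes without
          # building anything.
          set -euo pipefail
          nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
            | jq -r '.[]' \
            | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw

      - name: Push to cache
        env:
          # Keeps the attic client configuration inside the runner's
          # temporary directory instead of the runner account's home.
          XDG_CONFIG_HOME: ${{ runner.temp }}/.config
          # Pass the endpoint and token through the environment rather than
          # expanding them into the script text: template expansion happens
          # before the shell parses the script, so a value containing shell
          # metacharacters would otherwise be interpreted as code.
          ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          set -euo pipefail
          # NOTE(review): the token is still visible in this process's
          # argument list while `attic login` runs; acceptable only if the
          # runner host is not shared with untrusted jobs - confirm.
          attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"

          # Get all system toplevel store paths
          toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
          echo "Found $(echo "$toplevels" | wc -l) system toplevels"

          # Expand to full closures, deduplicate, and filter out paths already
          # signed by cache.nixos.org - only our custom builds need caching.
          # The signature-name match only reduces upload volume; it is not a
          # trust decision. A path with no `signatures` field is treated as
          # unsigned (and therefore pushed) instead of aborting the jq filter.
          # `xargs -r` skips the command when there is no input, so an empty
          # list never runs `nix path-info` or `attic push` without paths.
          paths=$(echo "$toplevels" \
            | xargs -r nix path-info -r --json \
            | jq -r '[to_entries[] | select((.value.signatures // []) | all(startswith("cache.nixos.org") | not)) | .key] | unique[]')
          echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"

          echo "$paths" | xargs -r attic push local:nixos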