.github/workflows/nix.yml

name: nix

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v14
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - run: nix flake check -L --show-trace --keep-going

  build:
    needs: check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v14
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: nix build
        run: nix run nixpkgs#nixci

  push_to_docker:
    needs: build
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        config:
          - { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', repository: 'teepot-vault' }
          - { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', repository: 'teepot-tvu' }
          - { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', repository: 'teepot-tva' }
          - { nixpackage: 'container-self-attestation-test-sgx-dcap', dockerfile: 'packages/container-self-attestation-test-sgx-dcap/Dockerfile', repository: 'teepot-self-attestation-test-sgx-dcap' }
          - { nixpackage: 'container-self-attestation-test-sgx-azure', dockerfile: 'packages/container-self-attestation-test-sgx-azure/Dockerfile', repository: 'teepot-self-attestation-test-sgx-azure' }
          - { nixpackage: 'container-verify-attestation-sgx-dcap' }
          - { nixpackage: 'container-verify-attestation-sgx-azure' }
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v14
        with:
          name: nixsgx
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: vault-auth-tee
      - name: Enable magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Load and Push nix container
        run: |
          nix build  -L .#${{ matrix.config.nixpackage }}
          export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
          echo "Pushing image ${IMAGE_TAG} to Docker Hub"
          docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
          docker push matterlabsrobot/"${IMAGE_TAG}"
          docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
          docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"

      - name: Generate build ID for Flux Image Automation
        if: ${{ matrix.config.dockerfile }}
        id: buildid
        run: |
          sha=$(git rev-parse --short HEAD)
          ts=$(date +%s%N | cut -b1-13)
          echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"

      - name: Build and Push Container
        if: ${{ matrix.config.dockerfile }}
        uses: docker/build-push-action@v5
        with:
          file: ${{ matrix.config.dockerfile }}
          tags: |
            "matterlabsrobot/${{ matrix.config.repository }}:latest"
            "matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}"
          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}