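# Builds the strixi-minaj NixOS system closure and, on pushes to master,
# uploads the resulting store paths to Cachix.
#
# Trust boundaries in this workflow:
#   - push:              trusted code; Cachix auth token in scope; results pushed.
#   - pull_request:      no auth token passed to Cachix; cache is read-only.
#   - workflow_dispatch: neither Cachix step matches, so the build runs without
#                        the Cachix action being set up at all.
name: Build and Push Cachix (NixOS)

on:
  push:
    branches: [master]
    paths:
      - "nixos/**"
      - "org-agenda-api/**"
      - ".github/workflows/cachix.yml"
  pull_request:
    branches: [master]
    paths:
      - "nixos/**"
      - "org-agenda-api/**"
      - ".github/workflows/cachix.yml"
  workflow_dispatch: {}

jobs:
  nixos-strixi-minaj:
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repository.
    permissions:
      contents: read
    env:
      # Avoid flaky/stalled CI due to unreachable substituters referenced in flake config
      # (e.g. LAN caches). We keep this list explicit for CI reliability.
      #
      # Every entry in `substituters` must have its signing key listed in
      # `trusted-public-keys`; adding a cache here extends trust to whoever holds
      # that cache's signing key, so review both lines together.
      # The two long lines are intentional: each nix.conf setting stays on one line.
      NIX_CONFIG: |
        experimental-features = nix-command flakes
        connect-timeout = 5
        substituters = https://cache.nixos.org https://colonelpanic8-dotfiles.cachix.org https://org-agenda-api.cachix.org https://taffybar.cachix.org https://codex-cli.cachix.org https://claude-code.cachix.org
        trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= colonelpanic8-dotfiles.cachix.org-1:O6GF3nptpeMFapX29okzO92eSWXR36zqW6ZF2C8P0eQ= org-agenda-api.cachix.org-1:liKFemKkOLV/rJt2txDNcpDjRsqLuBneBjkSw/UVXKA= taffybar.cachix.org-1:beZotJ1nVEsAnJxa3lWn0zwzZM7oeXmGh4ADRpHeeIo= codex-cli.cachix.org-1:1Br3H1hHoRYG22n//cGKJOk3cQXgYobUel6O8DgSing= claude-code.cachix.org-1:YeXf2aNu7UTX8Vwrze0za1WEDS+4DuI2kVeWEE4fsRk=
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. On push events
      # CACHIX_AUTH_TOKEN is in scope for this job, so a retagged release of any of
      # these actions would run with write access to the binary cache. Pin each
      # action to a full commit SHA (keeping the tag as a trailing comment).
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step talks to the git remote, so do not leave GITHUB_TOKEN in
          # .git/config where subsequent steps (which evaluate and build
          # repository-controlled Nix code, including PR code) could read it.
          # NOTE(review): revert if a flake input ever needs authenticated git.
          persist-credentials: false

      # Best-effort cleanup of preinstalled toolchains to make room for the
      # system closure; each removal is allowed to fail.
      - name: Free disk space
        run: |
          set -euxo pipefail
          df -h
          sudo rm -rf /usr/share/dotnet || true
          sudo rm -rf /usr/local/lib/android || true
          sudo rm -rf /opt/ghc || true
          sudo rm -rf /usr/local/share/boost || true
          sudo apt-get clean || true
          df -h

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v16

      - name: Use GitHub Actions Cache for /nix/store
        uses: DeterminateSystems/magic-nix-cache-action@v7

      # Fail early with an actionable message instead of letting the Cachix
      # action fail later. `set -x` is deliberately not used here because the
      # auth token is present in this step's environment.
      - name: Require Cachix config (push only)
        if: github.event_name == 'push'
        env:
          CACHIX_CACHE_NAME: ${{ vars.CACHIX_CACHE_NAME }}
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "${CACHIX_CACHE_NAME:-}" ]; then
            echo "Missing repo variable CACHIX_CACHE_NAME (Settings -> Secrets and variables -> Actions -> Variables)." >&2
            exit 1
          fi
          if [ -z "${CACHIX_AUTH_TOKEN:-}" ]; then
            echo "Missing repo secret CACHIX_AUTH_TOKEN (Settings -> Secrets and variables -> Actions -> Secrets)." >&2
            exit 1
          fi

      # Only trusted pushes get the auth token and are allowed to upload.
      - name: Setup Cachix (push)
        if: github.event_name == 'push'
        uses: cachix/cachix-action@v15
        with:
          name: ${{ vars.CACHIX_CACHE_NAME }}
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          skipPush: false

      # Pull requests get the cache as a substituter only: no authToken is
      # passed and pushing is disabled, so PR builds cannot write to the cache.
      - name: Setup Cachix (PR, no push)
        if: github.event_name == 'pull_request' && vars.CACHIX_CACHE_NAME != ''
        uses: cachix/cachix-action@v15
        with:
          name: ${{ vars.CACHIX_CACHE_NAME }}
          skipPush: true

      # The private `railbird-secrets` flake input is replaced by an in-repo stub
      # so the build does not need the real input in CI.
      - name: Build NixOS system (strixi-minaj)
        run: |
          set -euxo pipefail
          nix build \
            --no-link \
            --print-build-logs \
            ./nixos#nixosConfigurations.strixi-minaj.config.system.build.toplevel \
            --override-input railbird-secrets ./nixos/ci/railbird-secrets-stub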