.github/workflows/ci.yml

name: CI

on:
  pull_request:
  push:
    branches: [main]

env:
  CI_PROJECT_PATH: ${{ github.repository }}

jobs:
  lint:
    name: Code Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v9
      - uses: cachix/cachix-action@v13
        with:
          name: atciss
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Run pylint
        run: 'nix run .#pylint'
      - name: Format code
        run: 'nix run .#format'
      - name: Run ruff
        run: 'nix run .#ruff'

  flake-check:
    name: Flake Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Check Nix flake inputs
        uses: DeterminateSystems/flake-checker-action@v5
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v9
      - uses: cachix/cachix-action@v13
        with:
          name: atciss
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Run flake check
        run: nix flake check --no-update-lock-file

  docker-images:
    name: Docker Images
    runs-on: ubuntu-latest
    needs:
      - lint
      - flake-check
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v9
      - uses: cachix/cachix-action@v13
        with:
          name: atciss
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Log in to the Container registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker images
        run: |
          for target in backend frontend; do
            nix build -L .#$target-image --extra-experimental-features 'nix-command flakes'
            skopeo copy --insecure-policy docker-archive://$(readlink -f ./result) docker://ghcr.io/$CI_PROJECT_PATH/atciss-$target:$GITHUB_SHA

            tag=$GITHUB_REF_NAME
            if [ "$GITHUB_REF_NAME" == "main" ]; then
              tag=latest
            fi

            if [ "$GITHUB_EVENT_NAME" != "pull_request" ]; then
              skopeo copy --insecure-policy docker-archive://$(readlink -f ./result) docker://ghcr.io/$CI_PROJECT_PATH/atciss-$target:$tag
            fi
          done
      - name: Deploy to production
        if: github.ref == 'refs/heads/main'
        run: |
          git push origin HEAD:production