name: Nix

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

jobs:
  # Architecture-independent lints and formatting. Run once on x86_64.
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
      - name: Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13

      - name: Format
        run: nix build .#fmt

      - name: Format non-Rust
        run: nix build .#checks.x86_64-linux.treefmt

      - name: Deny (audit + licenses + bans)
        run: nix build .#deny

      - name: Clippy
        run: nix build .#clippy

      - name: Build docs
        run: nix build .#doc

  # Build and test on each supported architecture.
  build:
    name: Build (${{ matrix.arch }})
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            arch: x86_64
          - runner: ubuntu-24.04-arm
            arch: aarch64
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
      - name: Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13

      - name: Test
        run: nix build .#test

      - name: Build cmprss
        run: nix build .#cmprss

      - name: Build static musl binary
        run: nix build .#cmprss-static

        # Run any nix checks that aren't covered by the above
        # This should evaluate the nix expression and then do nothing
      - name: Forgotten checks
        run: nix flake check

  # Run this separately since
  #   1) it uses a separate set of deps, so no shared cache with the other build
  #   2) failures here shouldn't block merging
  coverage:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22
      - name: Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13

      - name: Build Coverage
        # Build and ensure the output is linked in result/
        run: nix build -L .#coverage

      # Upload code coverage
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./result/lcov.info