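# CI workflow: lint, developer-environment check, artifact build and acceptance tests.
name: CI

# GitHub's loader reads `on` as the trigger key (a generic YAML 1.1 parser would see a boolean).
on:
  push:
    branches: [main]
  # `pull_request`, not `pull_request_target`: by default, runs for fork PRs get a
  # read-only token and no repository secrets.
  pull_request:

# Workflow-wide default token scope. A job that needs more has to declare it itself.
permissions:
  contents: read

concurrency:
  # head_ref is set only on pull_request events, so runs for the same PR branch share a
  # group and the newer run cancels the older one. Push runs fall back to the unique
  # run_id and are never cancelled by this rule.
  # head_ref is a branch name, not a PR id: PRs whose head branches share a name land in
  # the same group.
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true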
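jobs:
  # Runs `make lint` inside the flake's `ci` dev shell.
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # Later steps run repository-controlled code (nix, make); do not leave the job
          # token in .git/config for them.
          # NOTE(review): the make targets are not visible here - confirm none needs
          # authenticated git access.
          persist-credentials: false

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9  # v27
        with:
          # Puts the job token into the Nix configuration so that Nix can authenticate to
          # github.com. Every later step in this job can read it; its scope is the
          # `contents: read` inherited from the workflow-level permissions.
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4  # v9

      - name: Set up Go cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          # Exact key: job name, runner OS and the hash of every go.sum in the tree.
          key: ${{ github.job }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          # Prefix fallback: restores the newest cache for this job and OS when no exact
          # go.sum match exists.
          restore-keys: |
            ${{ github.job }}-${{ runner.os }}-go-

      # --impure lets flake evaluation read the environment and other unlocked state, so
      # the result can depend on the runner.
      # NOTE(review): the reason it is required is not visible in this file - confirm.
      - name: Prepare Nix shell
        run: nix develop --impure .#ci

      - name: Lint
        run: nix develop --impure .#ci -c make lint -j

  # Checks that the flake evaluates and that the default dev shell can be entered.
  dev:
    name: Developer environment
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # The nix steps below evaluate repository-controlled code; do not leave the job
          # token in .git/config for them.
          persist-credentials: false

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9  # v27
        with:
          # Job token goes into the Nix configuration and is readable by every later step;
          # its scope is the workflow-level `contents: read`.
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4  # v9

      - name: Set up Go cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          # github.job is part of the key, so this job does not share a cache with `lint`.
          key: ${{ github.job }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ github.job }}-${{ runner.os }}-go-

      - name: Check
        run: nix flake check --impure

      - name: Dev shell
        run: nix develop --impure

  # Delegates the build (and, on push, publishing) to a reusable workflow in this repository.
  artifacts:
    name: Artifacts
    uses: ./.github/workflows/artifacts.yaml
    with:
      # The only push trigger of this workflow is `main`, so publish is true only there.
      publish: ${{ github.event_name == 'push' }}
    # Job-level permissions replace the workflow default for this job and cap what the
    # called workflow can request. The three write scopes are granted on pull_request
    # runs as well; by default GitHub reduces them to read for PRs coming from forks.
    # NOTE(review): artifacts.yaml is not visible here - confirm that whatever uses
    # packages/id-token/security-events write is either gated on `inputs.publish` or safe
    # to run for same-repository PR branches.
    permissions:
      contents: read
      packages: write
      id-token: write
      security-events: write

  # Installs the helm chart built by `artifacts` into a kind cluster and runs the
  # acceptance suite, once per combination of the two matrix axes (3 x 4 = 12 runs).
  acceptance-test:
    name: Acceptance test
    runs-on: ubuntu-latest
    needs: [artifacts]
    strategy:
      matrix:
        # Quoted so the versions stay strings.
        k8s_version: ["v1.28.9", "v1.29.4", "v1.30.0"]
        vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # The test step runs repository-controlled code; do not leave the job token in
          # .git/config for it.
          persist-credentials: false

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9  # v27
        with:
          # Job token goes into the Nix configuration and is readable by every later step;
          # its scope is the workflow-level `contents: read`.
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4  # v9

      - name: Prepare Nix shell
        run: nix develop --impure .#ci

      # The matrix value comes from the static list above, not from event data.
      # NOTE(review): the node image is referenced by tag only, while every action in this
      # file is pinned to a commit SHA; consider pinning the image by digest as well.
      - name: Start kind cluster
        run: kind create cluster --image kindest/node:${{ matrix.k8s_version }} --wait 1m

      # No `path` is given, so the artifact is extracted into the workspace.
      - name: Download helm chart
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
        with:
          name: "[helm-chart] package"

      - name: Acceptance test
        run: nix develop --impure .#ci -c make test-acceptance
        env:
          VAULT_VERSION: ${{ matrix.vault_version }}
          # File name is an output of the `artifacts` reusable workflow, joined to the
          # workspace where the previous step extracted the artifact.
          HELM_CHART: "${{ github.workspace }}/${{ needs.artifacts.outputs.helm-chart-package }}"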