.github/workflows/build.yml

name: Build and Test
on:
  push:
    branches: [ master ]
  pull_request:
    type: [ synchronize ]

jobs:
  build:
    name: build and test
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'ci skip')"
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v25
      with:
        nix_path: nixpkgs=channel:nixos-24.11
        extra_nix_config: |
          trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
          substituters = https://cache.iog.io https://hydra.iohk.io https://cache.nixos.org/
    - uses: cachix/cachix-action@v14
      with:
        name: jcouyang
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - name: Test
      run: nix-shell --run 'cabal update && cabal test'
    - run: |
        VERSION=$(nix-shell -p dhall --run 'dhall text < ./version.dhall')
        echo publishing $VERSION lib...
        env VER=$VERSION nix-shell -p gnused --run 'sed -i "s/0.1.0.0/${VER}/" ./dhall-secret.cabal'
    - name: cabal tar
      run: |
        nix-shell --run 'cabal sdist'
    - name: docker tar
      run: |
        dockertar=$(nix-build docker.nix)
        cp $dockertar ./docker-image-dhall-secret.tar.gz
    - uses: actions/upload-artifact@v4
      with:
        name: tars
        path: |
          ./dist-newstyle/sdist/
          ./docker-image-dhall-secret.tar.gz
  binary:
    strategy:
      matrix:
        os:
          - runner: "macos-latest"
            build-script: "nix-build -A dhall-secret.components.exes.dhall-secret"
          - runner: "ubuntu-latest"
            build-script: "nix-build -A projectCross.musl64.hsPkgs.dhall-secret.components.exes.dhall-secret"
    name: binary on ${{ matrix.os.runner }}
    runs-on: ${{ matrix.os.runner }}
    if: "!contains(github.event.head_commit.message, 'ci skip')"
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v25
      with:
        nix_path: nixpkgs=channel:nixos-24.11
        extra_nix_config: |
          trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
          substituters = https://cache.iog.io https://hydra.iohk.io https://cache.nixos.org/
    - uses: cachix/cachix-action@v14
      with:
        name: jcouyang
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: |
        VERSION=$(nix-shell -p dhall --run 'dhall text < ./version.dhall')
        echo publishing $VERSION lib...
        env VER=$VERSION nix-shell -p gnused --run 'sed -i "s/0.1.0.0/${VER}/" ./dhall-secret.cabal'
    - name: Static Binary
      run: ${{matrix.os.build-script}}
    - uses: actions/upload-artifact@v4
      with:
        name: ${{matrix.os.runner}}-binary
        path: ./result/bin/dhall-secret
  publish:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'publish skip') && (github.ref == 'refs/heads/master')"
    needs:
      - build
      - binary
    permissions:
      contents: write
      packages: write
    steps:
    - uses: actions/checkout@v2
    - uses: actions/download-artifact@v4
    - uses: cachix/install-nix-action@v25
      with:
        nix_path: nixpkgs=channel:nixos-24.11
        extra_nix_config: |
          trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
          substituters = https://cache.iog.io https://hydra.iohk.io https://cache.nixos.org/
    - uses: cachix/cachix-action@v14
      with:
        name: jcouyang
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - name: upload to hackage
      env:
        HACKAGE_PASS: ${{ secrets.HACKAGE_PASS }}
      run: |
        export VERSION=$(nix-shell -p dhall --run 'dhall text < ./version.dhall')
        env VER=$VERSION nix-shell -p gnused --run 'sed -i "s/0.1.0.0/${VER}/" ./dhall-secret.cabal'
        nix-shell --run 'cabal update && cabal upload -u oyanglulu -p "$HACKAGE_PASS" ./tars/dist-newstyle/sdist/dhall-secret-$VERSION.tar.gz'
        nix-shell --run 'cabal upload -d -u oyanglulu -p "$HACKAGE_PASS"'
    - name: Log in to the Container registry
      uses: docker/login-action@v1.10.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: package docker
      run: |
        VERSION=$(nix-shell -p dhall --run 'dhall text < ./version.dhall')
        docker load < ./tars/docker-image-dhall-secret.tar.gz
        docker tag  ghcr.io/jcouyang/dhall-secret:latest ghcr.io/jcouyang/dhall-secret:$VERSION
        docker push ghcr.io/jcouyang/dhall-secret:latest
        docker push ghcr.io/jcouyang/dhall-secret:$VERSION
    - name: tag release
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        VERSION=$(nix-shell -p dhall --run 'dhall text < ./version.dhall')
        echo publishing $VERSION binary...
        mv ubuntu-latest-binary/dhall-secret dhall-secret-x86_64-linux
        mv macos-latest-binary/dhall-secret dhall-secret-x86_64-macOS
        gh release create "v$VERSION" ./dhall-secret-x86_64-linux ./dhall-secret-x86_64-macOS