name: Publish packages to Attic

on:
  push:
    branches:
      - master
  workflow_dispatch:

jobs:
  publish:
    runs-on: docker.io/nixos/nix

    env:
      ATTIC_SERVER: ${{ secrets.ATTIC_SERVER }}
      ATTIC_CACHE: ${{ secrets.ATTIC_CACHE }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      NIX_CONFIG: experimental-features = nix-command flakes

    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install Attic client
        shell: bash
        run: |
          set -euo pipefail

          if command -v attic >/dev/null 2>&1; then
            exit 0
          fi

          nix profile install --accept-flake-config nixpkgs#attic-client
          echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"

      - name: Configure Attic
        shell: bash
        run: |
          set -euo pipefail

          : "${ATTIC_SERVER:?Set the ATTIC_SERVER secret to your Attic API base URL}"
          : "${ATTIC_CACHE:?Set the ATTIC_CACHE secret to the destination cache name}"
          : "${ATTIC_TOKEN:?Set the ATTIC_TOKEN secret to a token with push access}"

          export PATH="$HOME/.nix-profile/bin:$PATH"

          attic login --set-default ci "$ATTIC_SERVER" "$ATTIC_TOKEN"
          attic use "$ATTIC_CACHE"

      - name: Build packages
        shell: bash
        run: |
          set -euo pipefail

          system="$(nix eval --impure --raw --expr builtins.currentSystem)"

          nix build --accept-flake-config --no-link --print-out-paths -L \
            ".#packages.${system}.sable-web" \
            ".#packages.${system}.musicpresence" \
            ".#packages.${system}.vintage-story" \
            ".#packages.${system}.swaytreesave" \
            | tee built-paths.txt

      - name: Push packages to Attic
        shell: bash
        run: |
          set -euo pipefail
          export PATH="$HOME/.nix-profile/bin:$PATH"
          xargs -r attic push "$ATTIC_CACHE" < built-paths.txt