rosenpass/.github/workflows/nix.yaml

name: Nix
permissions:
  contents: write
on:
  pull_request:
  push:
    branches: [main]

jobs:
  build:
    name: Build ${{ matrix.derivation }} on ${{ matrix.nix-system }}
    runs-on:
      - nix
      - ${{ matrix.nix-system }}
    strategy:
      fail-fast: false
      matrix:
        nix-system:
          - x86_64-linux
          - i686-linux
          - aarch64-linux
        derivation:
          - rosenpass
          - rosenpass-static
          - rosenpass-oci-image
          - rosenpass-static-oci-image
          - proof-proverif
          - whitepaper
        exclude:
          # these do not exist
          - nix-system: i686-linux
            derivation: proof-proverif
          - nix-system: i686-linux
            derivation: whitepaper

          # these fail currently
          # TODO enable once https://github.com/open-quantum-safe/liboqs-rust/issues/202 is fixed
          - nix-system: i686-linux
            derivation: rosenpass-static
          - nix-system: i686-linux
            derivation: rosenpass-static-oci-image

    steps:
      - uses: actions/checkout@v3
      - name: Generate gitHeadInfo.gin for the whitepaper
        if: ${{ matrix.derivation == 'whitepaper' }}
        run: ( cd papers && ./tex/gitinfo2.sh && git add gitHeadInfo.gin )
      - name: Build ${{ matrix.derivation }}@${{ matrix.nix-system }}
        run: |
          # build the package
          nix build .#packages.${{ matrix.nix-system }}.${{ matrix.derivation }} --print-build-logs

          # copy over the results
          if [[ -f $(readlink --canonicalize result ) ]]; then
            mkdir -- ${{ matrix.derivation }}-${{ matrix.nix-system }}
          fi
          cp --recursive -- $(readlink --canonicalize result) ${{ matrix.derivation }}-${{ matrix.nix-system }}
          chmod --recursive ug+rw -- ${{ matrix.derivation }}-${{ matrix.nix-system }}

          # add version information
          git rev-parse --abbrev-ref HEAD > ${{ matrix.derivation }}-${{ matrix.nix-system }}/git-version
          git rev-parse HEAD > ${{ matrix.derivation }}-${{ matrix.nix-system }}/git-sha

          # override the `rp` script to keep compatible with non-nix systems
          if [[ -f ${{ matrix.derivation }}-${{ matrix.nix-system }}/bin/rp ]]; then
            cp --force -- rp ${{ matrix.derivation }}-${{ matrix.nix-system }}/bin/
          fi
      - name: Upload build results
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.derivation }}-${{ matrix.nix-system }}
          path: ${{ matrix.derivation }}-${{ matrix.nix-system }}
      - name: Deploy PDF artifacts
        if: ${{ matrix.derivation == 'whitepaper' && github.ref == 'refs/heads/main' }}
        uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ${{ matrix.derivation }}-${{ matrix.nix-system }}
          publish_branch: papers-pdf
          force_orphan: true
  checks:
    name: Run Nix checks
    runs-on: nixos
    needs: build
    steps:
      - uses: actions/checkout@v3
      - name: Run Checks
        run: nix flake check . --print-build-logs