name: CI
permissions:
  contents: read
  id-token: write
  actions: write

on:
  pull_request:
  push:
    branches: [main]

jobs:
  checks:
    name: Nix checks
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      actions: write

    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Install Nix
        uses: DeterminateSystems/determinate-nix-action@main

      - name: Set up Nix store cache
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock', 'Cargo.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-
          gc-max-store-size-linux: 10G
          purge: true
          purge-prefixes: nix-${{ runner.os }}-
          purge-created: 14
          purge-last-access: 7
          purge-primary-key: never

      - name: Run all flake checks
        run: nix flake check -L --show-trace