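# Release pipeline: publishes the multi-arch image when a version tag is pushed.

# Agent selection: run only on an amd64 agent.
labels:
  arch: amd64

# Both conditions are in one entry, so the pipeline runs only for tag events
# whose ref matches refs/tags/v*.
# NOTE(review): the step below runs with PUBLISH=1, so any pushed v* tag
# triggers a real publish. Confirm that tag creation is restricted on the forge.
when:
  - event: tag
    ref: "refs/tags/v*"

# Local-pipeline parity (cluster #192, emmett#44). The flake apps ARE the shared
# code: this same `nix run .#publish` is what a developer runs on emmett. The
# pure-stdlib bridge.py + a stock CPython closure are fully Nix-expressible, so
# both arches build from this single amd64 runner (amd64 native + arm64
# pkgsCross) — no Dockerfile, no buildkit, no remote builder, no howard pin.
# nix2container copy-to (skopeo) pushes each arch; regctl assembles the index.
# The app DRY-RUNS by default; CI opts in with PUBLISH=1. :latest is a digest
# copy of :TAG made last and guarded off for dev tags.
steps:
  - name: publish
    # NOTE(review): ':latest' is a mutable tag and this step holds the registry
    # token, so whatever image currently sits behind the tag runs with publish
    # credentials. Consider pinning by digest, e.g.
    # git.oleks.space/oleks/nix-ci@sha256:<digest> (placeholder, not a real value).
    image: git.oleks.space/oleks/nix-ci:latest
    environment:
      # One token env var everywhere; the app reads it (never interpolated).
      # It is injected from the `registry_token` secret and does not appear in
      # the command line below.
      REGISTRY_TOKEN:
        from_secret: registry_token
    commands:
      # `set -e` aborts on the first failing command; PUBLISH=1 switches the
      # app from its default dry run to a real push.
      - nixos-ci-entrypoint bash -c "set -e; PUBLISH=1 nix run .#publish"
    backend_options:
      kubernetes:
        # Schedule the step pod on an amd64 node, matching the agent label above.
        nodeSelector:
          kubernetes.io/arch: amd64
        # Pod labels for tracing a pod back to its pipeline run.
        # NOTE(review): these values come from git ref names. Kubernetes label
        # values allow at most 63 characters of [A-Za-z0-9_.-]; a tag or branch
        # outside that set would presumably be rejected at pod creation.
        # Verify how the backend handles it, and keep the values quoted.
        labels:
          commit-tag: "${CI_COMMIT_TAG}"
          commit-branch: "${CI_COMMIT_BRANCH}"
          pipeline-number: "${CI_PIPELINE_NUMBER}"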