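# Woodpecker CI workflow: build the angie OCI image with Nix on an arm64 agent
# and push it to the Gitea registry as `<version>-arm64` and `latest-arm64`.
#
# Secrets used: `gitea_clone_token` (clone + private flake inputs via netrc)
# and `registry_token` (registry push). Both are referenced only through
# environment variables, never written literally into this file.
labels:
  arch: arm64

clone:
  - name: clone
    # NOTE(review): no tag or digest is given, so the clone plugin floats with
    # whatever the registry currently serves. This step receives
    # gitea_clone_token; consider pinning, e.g.
    # woodpeckerci/plugin-git@sha256:<digest-placeholder>.
    image: woodpeckerci/plugin-git
    environment:
      CI_NETRC_MACHINE: git.oleks.space
      CI_NETRC_USERNAME: oleks
      CI_NETRC_PASSWORD:
        from_secret: gitea_clone_token
      PLUGIN_TAGS: "false"
      PLUGIN_DEPTH: "1"

# Only pushes to main/master and v* tags start this workflow, so
# pull_request events do not trigger the steps below that hold the
# registry token.
when:
  - event: push
    branch: [main, master]
  - event: tag
    ref: "refs/tags/v*"

steps:
  - name: build-and-push
    # NOTE(review): `:latest` is a mutable tag and this step holds both
    # secrets. Pinning by digest
    # (git.oleks.space/oleks/nix-ci@sha256:<digest-placeholder>) makes the
    # build environment reproducible and auditable.
    image: git.oleks.space/oleks/nix-ci:latest
    environment:
      GITEA_CLONE_TOKEN:
        from_secret: gitea_clone_token
      CI_REGISTRY_TOKEN:
        from_secret: registry_token
    backend_options:
      kubernetes:
        resources:
          requests:
            memory: 4Gi
    commands:
      # Bootstrap nix substituters and netrc — same as siblings in this repo.
      # The hosts entry only fixes name resolution for these two names.
      # NOTE(review): a hard-coded IP goes stale silently if the host moves;
      # confirm this is still needed on the agent network.
      - echo "79.76.48.244 git.oleks.space nix-cache-upload.oleks.space" >>/etc/hosts
      # Store paths fetched from the substituters below are accepted only if
      # signed by one of the trusted-public-keys, so that key list is the
      # trust anchor for everything substituted into the build.
      - |
        cat >>/etc/nix/nix.conf <<'EOF'
        experimental-features = nix-command flakes
        trusted-substituters = https://nix-cache-mirror.oleks.space https://nix-cache-custom.oleks.space/attic-infra-cache-k3s-1
        substituters = https://nix-cache-mirror.oleks.space https://nix-cache-custom.oleks.space/attic-infra-cache-k3s-1
        trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= attic-infra-cache-k3s-1:qYSNK3DmttQXCFqn1t50qoWGtQNPRFWq9mgQjD05DeU=
        EOF
      # Write the netrc under a restrictive umask so the token file is never
      # created with wider permissions, even briefly. The chmod also covers a
      # pre-existing ~/.netrc. printf avoids echo's shell-dependent backslash
      # handling of the token value.
      - |
        if [ -n "$GITEA_CLONE_TOKEN" ]; then
          (
            umask 077
            printf 'machine git.oleks.space login oleks password %s\n' "$GITEA_CLONE_TOKEN" >~/.netrc
          )
          chmod 600 ~/.netrc
        fi
      # Build the image (a script that streams the OCI tar to stdout).
      - nix build .#default --print-out-paths --no-link
      - VERSION="$(nix eval --raw .#version | xargs cat)"
      - echo "Built angie $VERSION"
      # Push to Gitea OCI registry under both the version tag and `latest-arm64`.
      - mkdir -p ~/.config/containers
      # The auth file holds the registry credential (base64 is encoding, not
      # protection), so create it owner-only.
      - |
        (
          umask 077
          printf '{"auths":{"git.oleks.space":{"auth":"%s"}}}\n' \
            "$(printf 'oleks:%s' "$CI_REGISTRY_TOKEN" | base64 -w0)" \
            > ~/.config/containers/auth.json
        )
        chmod 600 ~/.config/containers/auth.json
      # NOTE(review): `nix run nixpkgs#skopeo` resolves `nixpkgs` through the
      # flake registry, not this repository's flake.lock, so the skopeo that
      # handles the registry token is unpinned. Prefer exposing skopeo from
      # the flake or referencing a fixed nixpkgs revision.
      # NOTE(review): `--insecure-policy` makes skopeo ignore the containers
      # policy.json, so no signature policy is enforced on either copy.
      # Shipping a policy.json in the CI image would allow dropping the flag.
      # NOTE(review): `<( ... )` is process substitution, which plain POSIX sh
      # lacks; confirm the shell in the nix-ci image supports it.
      - |
        nix run nixpkgs#skopeo -- copy --insecure-policy \
          --authfile ~/.config/containers/auth.json \
          docker-archive:<($(nix build .#default --print-out-paths --no-link)) \
          "docker://git.oleks.space/oleks/angie:${VERSION}-arm64"
      # `latest-arm64` is re-tagged from the image just pushed, so both tags
      # refer to the same pushed image.
      - |
        nix run nixpkgs#skopeo -- copy --insecure-policy \
          --authfile ~/.config/containers/auth.json \
          "docker://git.oleks.space/oleks/angie:${VERSION}-arm64" \
          docker://git.oleks.space/oleks/angie:latest-arm64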