# Build flake-hub packages for x86_64-linux and push to attic.
# Separate workflow per arch — sharing one PVC across arches makes
# the second pod permanently Unschedulable (PV node affinity binds
# to the first arch's node).

when:
  - event: push
    branch: main

clone:
  - name: clone
    image: woodpeckerci/plugin-git
    environment:
      CI_NETRC_MACHINE: git.oleks.space
      CI_NETRC_USERNAME: oleks
      CI_NETRC_PASSWORD:
        from_secret: gitea_clone_token
      PLUGIN_TAGS: "false"
      PLUGIN_DEPTH: "1"

steps:
  - name: build-amd64
    image: git.oleks.space/oleks/nix-ci:latest
    environment:
      ATTIC_TOKEN:
        from_secret: attic_token
      GITEA_CLONE_TOKEN:
        from_secret: gitea_clone_token
    backend_options:
      kubernetes:
        nodeSelector:
          kubernetes.io/arch: amd64
        labels:
          commit-tag: "${CI_COMMIT_TAG}"
          commit-branch: "${CI_COMMIT_BRANCH}"
          pipeline-number: "${CI_PIPELINE_NUMBER}"
    commands:
      - echo "▸ arch=$(uname -m)"
      - sh ci/setup.sh
      # Same front door as a local `nix run .#publish -- --publish`. The app
      # is parity-lib's mkAtticClosurePublish (attic-closure archetype); CI and
      # local share one audited impl. PUBLISH=1 makes it actually push (local
      # runs dry-run).
      - PUBLISH=1 nix run .#publish