name: Lint

on:
  workflow_call:
    inputs:
      mergedSha:
        required: true
        type: string
      targetSha:
        required: true
        type: string
    secrets:
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN_GHA:
        required: false

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  treefmt:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6

      # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
      # because the cache would be invalidated on every commit - treefmt checks every file.
      # Maybe we can cache treefmt's eval-cache somehow.

      - name: Check that files are formatted
        run: |
          # Note that it's fine to run this on untrusted code because:
          # - There's no secrets accessible here
          # - The build is sandboxed
          if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A fmt.check; then
            echo "Some files are not properly formatted"
            echo "Please format them by going to the Nixpkgs root directory and running one of:"
            echo "  nix-shell --run treefmt"
            echo "  nix develop --command treefmt"
            echo "  nix fmt"
            echo "Make sure your branch is up to date with master; rebase if not."
            echo "If you're having trouble, please ping @NixOS/nix-formatting"
            exit 1
          fi

  parse:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout the merge commit
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6

      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
          extraPullNames: nixpkgs-gha
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: -source$

      - name: Parse all nix files
        run: |
          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
          nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A parse --keep-going

  nixpkgs-vet:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          sparse-checkout: .github/actions
      - name: Checkout merge and target commits
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6

      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
          name: ${{ vars.CACHIX_NAME || 'nixpkgs-gha' }}
          extraPullNames: nixpkgs-gha
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
          pushFilter: -source$

      - name: Running nixpkgs-vet
        env:
          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
          CLICOLOR_FORCE: 1
        run: |
          if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then
            exit 0
          else
            exitCode=$?
            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
            exit "$exitCode"
          fi

  commits:
    # Only check commits if we have access to the pull_request context.
    #
    # Luckily there's no need to lint commit messages in the Merge Queue, because
    # changes to the target branch can't change commit messages on the base branch.
    if: ${{ github.event.pull_request.number }}
    runs-on: ubuntu-slim
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: true # Needed to run git fetch for large PRs.
          path: trusted
      - name: Check commit messages
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const checkCommitMessages = require('./trusted/ci/github-script/lint-commits.js')

            checkCommitMessages({
              github,
              context,
              core,
              repoPath: 'trusted',
            })