photoncloud-monorepo/.github/workflows/nix.yml

name: Nix CI

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  # Detect which workspaces have changed to save CI minutes
  filter:
    runs-on: ubuntu-latest
    outputs:
      workspaces: ${{ steps.filter.outputs.changes }}
      any_changed: ${{ steps.filter.outputs.workspaces_any_changed }}
      global_changed: ${{ steps.filter.outputs.global }}
      shared_crates_changed: ${{ steps.filter.outputs.shared_crates }}
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            global:
              - 'flake.nix'
              - 'flake.lock'
              - 'nix/**'
              - 'nix-nos/**'
              - '.github/workflows/nix.yml'
              - 'Cargo.toml'
              - 'Cargo.lock'
              - 'crates/**'
              - 'client-common/**'
              - 'baremetal/**'
              - 'scripts/**'
              - 'specifications/**'
              - 'docs/**'
            shared_crates: 'crates/**'
            chainfire: 'chainfire/**'
            flaredb: 'flaredb/**'
            iam: 'iam/**'
            plasmavmc: 'plasmavmc/**'
            prismnet: 'prismnet/**'
            flashdns: 'flashdns/**'
            fiberlb: 'fiberlb/**'
            lightningstor: 'lightningstor/**'
            nightlight: 'nightlight/**'
            creditservice: 'creditservice/**'
            k8shost: 'k8shost/**'
            apigateway: 'apigateway/**'
            deployer: 'deployer/**'

  # Run CI gates for changed workspaces
  # Uses the provider-agnostic 'photoncloud-gate' defined in nix/ci/flake.nix
  gate:
    needs: filter
    if: ${{ needs.filter.outputs.any_changed == 'true' || needs.filter.outputs.global_changed == 'true' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # If global files changed, run all. Otherwise run only changed ones.
        workspace: ${{ fromJSON(needs.filter.outputs.global_changed == 'true' && '["chainfire", "flaredb", "iam", "plasmavmc", "prismnet", "flashdns", "fiberlb", "lightningstor", "nightlight", "creditservice", "k8shost", "apigateway", "deployer"]' || needs.filter.outputs.workspaces) }}
    name: gate (${{ matrix.workspace }})
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v11
      - uses: DeterminateSystems/magic-nix-cache-action@v8

      - name: Run PhotonCloud Gate
        run: |
          nix run ./nix/ci#gate-ci -- --workspace ${{ matrix.workspace }} --tier 0 --no-logs

  shared-crates-gate:
    needs: filter
    if: ${{ needs.filter.outputs.shared_crates_changed == 'true' }}
    runs-on: ubuntu-latest
    name: gate (shared crates)
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v11
      - uses: DeterminateSystems/magic-nix-cache-action@v8

      - name: Run Shared Crates Gate
        run: |
          nix run ./nix/ci#gate-ci -- --shared-crates --tier 0 --no-logs

  # Build server packages (tier 1+)
  build:
    needs: [filter, gate]
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        workspace: ${{ fromJSON(needs.filter.outputs.global_changed == 'true' && '["chainfire", "flaredb", "iam", "plasmavmc", "prismnet", "flashdns", "fiberlb", "lightningstor", "nightlight", "creditservice", "k8shost", "apigateway", "deployer"]' || needs.filter.outputs.workspaces) }}
    name: build (${{ matrix.workspace }})
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v11
      - uses: DeterminateSystems/magic-nix-cache-action@v8

      - name: Build server
        run: |
          # Only build if the workspace has a corresponding package in flake.nix
          # We check if it exists before building to avoid failure on non-package workspaces
          if nix flake show --json | jq -e ".packages.\"x86_64-linux\".\"${{ matrix.workspace }}-server\"" > /dev/null; then
            nix build .#${{ matrix.workspace }}-server --accept-flake-config
          else
            echo "No server package found for ${{ matrix.workspace }}, skipping build."
          fi

  # Summary job for PR status checks
  ci-status:
    needs: [filter, gate, shared-crates-gate]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Check CI Status
        run: |
          if [[ "${{ needs.gate.result }}" == "failure" ]]; then
            exit 1
          fi
          if [[ "${{ needs.shared-crates-gate.result }}" == "failure" ]]; then
            exit 1
          fi
          if [[ "${{ needs.filter.outputs.any_changed }}" == "true" || "${{ needs.filter.outputs.global_changed }}" == "true" ]]; then
            if [[ "${{ needs.gate.result }}" == "skipped" ]]; then
              echo "Gate was skipped despite changes. This is unexpected."
              exit 1
            fi
          fi
          if [[ "${{ needs.filter.outputs.shared_crates_changed }}" == "true" ]]; then
            if [[ "${{ needs.shared-crates-gate.result }}" == "skipped" ]]; then
              echo "Shared crates gate was skipped despite crates/** changes. This is unexpected."
              exit 1
            fi
          fi
          echo "CI passed or was correctly skipped."