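---
# Build the NixOS system closure for one host, push it to a Nix binary cache
# and publish an OTA manifest that points at the cached store path.
#
# Secrets consumed: NIX_OTA_SERVER, NIX_OTA_PUBLISH_TOKEN, NIX_OTA_CACHE_URL,
# plus whichever secret holds the manifest signing key and the cache signing
# key (both are written to files under runner.temp by steps that are left to
# the adopter of this workflow; see the comments on each step).
name: publish

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege: nothing in this workflow writes back to the repository, so
# the job's GITHUB_TOKEN only needs read access for the checkout.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes

      - name: Configure binary cache push
        # Replace with your cache of choice (attic, cachix, S3+nix-serve, ...).
        # The cache signing key used by "Push to cache" must be materialised
        # from a secret into NIX_CACHE_KEY_FILE here (or in a dedicated step);
        # it must never be a file committed to the checkout.
        run: echo "configure cache push here"

      - name: Build system closure
        id: build
        # `-u`/pipefail so a failed or empty build cannot leave an empty
        # store_path that the later steps would then try to copy and publish.
        run: |
          set -euo pipefail
          out=$(nix build --no-link --print-out-paths \
            ".#nixosConfigurations.${HOST}.config.system.build.toplevel")
          echo "store_path=$out" >> "$GITHUB_OUTPUT"
        env:
          HOST: my-device

      - name: Push to cache
        # The store path is handed over through env instead of being
        # interpolated into the script with `${{ }}`, so the value is never
        # re-parsed by the shell.
        run: |
          set -euo pipefail
          nix copy --to "${CACHE_URL}?secret-key=${NIX_CACHE_KEY_FILE}" "$STORE_PATH"
        env:
          CACHE_URL: ${{ secrets.NIX_OTA_CACHE_URL }}
          STORE_PATH: ${{ steps.build.outputs.store_path }}
          # Path the cache signing key is written to by the configure step.
          NIX_CACHE_KEY_FILE: ${{ runner.temp }}/cache.key

      - name: Publish manifest
        # The publisher is fetched unpinned from the repository's default
        # branch; pin it with `?rev=<commit-sha-placeholder>` so the tool that
        # signs and publishes the manifest is reproducible and reviewable.
        # NIX_OTA_PUBLISH_TOKEN is passed on argv and is therefore visible in
        # the process table for the duration of the run.
        run: |
          set -euo pipefail
          nix run git+https://linus.dyrehytten.dk/max/nix-ota#nix-ota -- publish \
            --server "$NIX_OTA_SERVER" \
            --token "$NIX_OTA_PUBLISH_TOKEN" \
            --key "$NIX_OTA_SIGNING_KEY_FILE" \
            --channel prod \
            --store-path "$STORE_PATH" \
            --substituter "$NIX_OTA_CACHE_URL"
        env:
          NIX_OTA_SERVER: ${{ secrets.NIX_OTA_SERVER }}
          NIX_OTA_PUBLISH_TOKEN: ${{ secrets.NIX_OTA_PUBLISH_TOKEN }}
          NIX_OTA_CACHE_URL: ${{ secrets.NIX_OTA_CACHE_URL }}
          STORE_PATH: ${{ steps.build.outputs.store_path }}
          NIX_OTA_SIGNING_KEY_FILE: ${{ runner.temp }}/sign.key
          # Note: write the signing key from a secret to NIX_OTA_SIGNING_KEY_FILE
          # in a previous step (omitted; depends on your secret store).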