Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/autobot.yaml | 4 | ||||
| -rw-r--r-- | .github/workflows/ci.yaml | 121 | ||||
| -rw-r--r-- | .github/workflows/flakehub-publish.yaml | 9 | ||||
| -rw-r--r-- | .github/workflows/staging-automerge.yaml | 33 | ||||
| -rw-r--r-- | .github/workflows/update-lock.yaml | 16 |
5 files changed, 149 insertions, 34 deletions
diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml
index ddc70d4..d18cda6 100644
--- a/.github/workflows/autobot.yaml
+++ b/.github/workflows/autobot.yaml
@@ -1,4 +1,4 @@
-name: auto-merge dependabot
+name: Auto-merge Dependabot
 on: pull_request
@@ -18,7 +18,7 @@ jobs:
 with:
 github-token: ${{ github.token }}
- - name: enable auto-merge
+ - name: Enable auto-merge
 if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
 run: gh pr merge --auto --rebase "$PR"
 env:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..bfc7cf4
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,121 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ eval:
+ name: Evaluate flake
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.evaluate.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Evaluate matrix
+ id: evaluate
+ run: |
+ set -eu
+ echo "matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+
+ build:
+ needs: eval
+
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ name: Build (${{ matrix.attr }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup QEMU
+ if: matrix.arch == 'aarch64'
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: "arm64"
+
+ - name: Install Nix
+ if: matrix.arch != 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Install Nix (with aarch64)
+ if: matrix.arch == 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+ with:
+ extra-conf: "extra-platforms = aarch64-linux arm-linux"
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: nix-exprs
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: ${{ github.event_name == 'pull_request' }}
+
+ - name: Run build
+ run: |
+ nix build -L --accept-flake-config .#${{ matrix.attr }}
+
+ check:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ name: Check flake (${{ matrix.os }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: nix-exprs
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: ${{ github.event_name == 'pull_request' }}
+
+ - name: Run check
+ run: nix flake check --show-trace --accept-flake-config
+
+ # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+ gate:
+ needs: [build, check]
+
+ name: CI Gate
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: Exit with result
+ run: |
+ build_result="${{ needs.build.result }}"
+ check_result="${{ needs.check.result }}"
+
+ results=("$build_result" "$check_result")
+
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+
+ exit 0
diff --git a/.github/workflows/flakehub-publish.yaml b/.github/workflows/flakehub-publish.yaml
index 89a82d2..7ceaefd 100644
--- a/.github/workflows/flakehub-publish.yaml
+++ b/.github/workflows/flakehub-publish.yaml
@@ -1,4 +1,4 @@
-name: flakehub publish
+name: Flakehub publish
 on:
 push:
@@ -7,6 +7,7 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+
 permissions:
 id-token: write
 contents: read
@@ -14,10 +15,10 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: install nix
- uses: nixbuild/nix-quick-install-action@v26
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
- - name: push to flakehub
+ - name: Push to Flakehub
 uses: DeterminateSystems/flakehub-push@v3
 with:
 visibility: "public"
diff --git a/.github/workflows/staging-automerge.yaml b/.github/workflows/staging-automerge.yaml
index 2dd3502..9998584 100644
--- a/.github/workflows/staging-automerge.yaml
+++ b/.github/workflows/staging-automerge.yaml
@@ -1,4 +1,4 @@
-name: auto-merge staging
+name: Auto-merge staging
 on:
 push:
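Review bot: `nix build -L --accept-flake-config .#${{ matrix.attr }}` in the build job's Run build step splices a matrix value into the shell script at template time; since that matrix is produced by `nix eval` over the checked-out PR's own flake, `matrix.attr` is effectively PR-controlled text, and an earlier step of the same job has been handed `secrets.ATTIC_TOKEN`. Passing it through the environment instead, `env:` with `ATTR: ${{ matrix.attr }}` and `run: nix build -L --accept-flake-config ".#$ATTR"`, keeps it out of the script; the exposure on fork PRs is limited (no secrets, read-only token), but the pattern is still worth closing. In the eval job, `echo "matrix=$(nix eval …)" >> "$GITHUB_OUTPUT"` does not fail under `set -eu` when `nix eval` fails, because the failing substitution is only an argument to a successful `echo`; assign first with `matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)` and then echo it, so the job fails instead of handing an empty string to `fromJSON`. The new workflow also declares no `permissions:` block, unlike the updated flakehub-publish.yaml; a top-level `permissions:` with `contents: read` keeps the token at what checkout needs. Every third-party action here, and in the flakehub-publish and update-lock hunks, is pinned by a movable major tag (`@v9`, `@v2`, `@v0`, `@v3`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening.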
@@ -7,25 +7,22 @@ on:
 jobs:
 automerge:
+ name: Auto-merge
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
-
 steps:
- - name: check if pr exists
+ - name: Check if PR exists
 id: check
 run: |
- prs=$(gh pr list \
- --repo ${{ github.repository }} \
- --head staging \
- --json state \
- --jq 'map(select(.state == "OPEN")) | length')
+ prs=$(gh pr list \
+ --repo ${{ github.repository }} \
+ --head staging \
+ --json state \
+ --jq 'map(select(.state == "OPEN")) | length')
- if (( prs > 0 )); then
- echo "skip=true" >> "$GITHUB_OUTPUT"
- fi
+ if (( prs > 0 )); then
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ fi
 env:
 GH_TOKEN: ${{ github.token }}
@@ -35,7 +32,7 @@ jobs:
 with:
 fetch-depth: 0
- - name: create pr
+ - name: Create PR
 if: ${{ !steps.check.outputs.skip }}
 run: |
 gh pr create \
@@ -44,10 +41,10 @@ jobs:
 --title "auto-merge: ${{ github.ref_name }} -> main" \
 --fill
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
- - name: enable auto-merge
+ - name: Enable auto-merge
 if: ${{ !steps.check.outputs.skip }}
 run: gh pr merge --auto --rebase --match-head-commit ${{ github.sha }}
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index e735b81..98af4ef 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
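Review bot: Dropping the explicit `permissions:` block (`contents: write`, `pull-requests: write`) at the top of the automerge job leaves its GITHUB_TOKEN at whatever the repository default is, rather than at a grant the file states; the update-lock.yaml hunk makes the same removal. The one `github.token` use left in this hunk, `gh pr list` in Check if PR exists, needs only read access now that the writes have moved to `secrets.MERGE_TOKEN`, so replacing the block with a `permissions:` that holds `contents: read` and `pull-requests: read` pins the token down instead of inheriting a default that may be broader. Whether that default is narrower or wider than the removed grant depends on a repository setting the diff cannot show, which is the reason to make it explicit.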
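Review bot: `GH_TOKEN: ${{ secrets.MERGE_TOKEN }}` on the Create PR and Enable auto-merge steps moves both writes onto a stored token whose owner and scope the workflow cannot show, and the same secret is wired into update-lock.yaml in this commit. A short comment above its first use here would let a maintainer verify the secret against its intended grant, e.g. `# MERGE_TOKEN: fine-grained PAT limited to this repository; grants are a placeholder to be filled in by whoever created it` with the real scope substituted, and stating why a PAT replaces `github.token` (presumably so the created PR triggers the CI workflow, which events raised with GITHUB_TOKEN do not) makes the choice reviewable. Check if PR exists correctly stays on `github.token`, so the PAT is only reached where a write is needed.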
@@ -10,27 +10,23 @@ jobs:
 update:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
-
 steps:
 - uses: actions/checkout@v4
- - name: install nix
- uses: nixbuild/nix-quick-install-action@v26
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
- - name: update lockfile
+ - name: Update lockfile & make PR
 uses: DeterminateSystems/update-flake-lock@v20
 id: update
 with:
 commit-msg: "flake: update inputs"
 pr-title: "flake: update inputs"
- token: ${{ github.token }}
+ token: ${{ secrets.MERGE_TOKEN }}
- - name: enable auto-merge
+ - name: Enable auto-merge
 shell: bash
 run: gh pr merge --auto --rebase "$PR_ID"
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
 PR_ID: ${{ steps.update.outputs.pull-request-number }} |
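Review bot: The Enable auto-merge step still runs unconditionally after `DeterminateSystems/update-flake-lock@v20`, so on a run where no input changed and no PR was opened, `gh pr merge --auto --rebase "$PR_ID"` is invoked with whatever `steps.update.outputs.pull-request-number` holds in that case, presumably an empty string that does not resolve to the intended PR; guarding the step with `if: steps.update.outputs.pull-request-number != ''` would let a no-op run succeed. The commit only renames this step and swaps its token, so the gap is pre-existing, but it is now a failure on the PAT path rather than on `github.token`, which is worth keeping distinguishable from a real merge error. The dropped `permissions:` block and the `secrets.MERGE_TOKEN` switch have the same consequences here as in staging-automerge.yaml: an explicit read-only grant for the remaining GITHUB_TOKEN use (checkout needs `contents: read`), and a comment recording the PAT's intended scope, are the fixes.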
