name: Publish on Flakehub

on:
  push:
    branches: [main]
    tags:
      - "v*.*.*"

jobs:
  publish:
    name: Publish
    runs-on: ubuntu-latest
    container: nixos/nix:sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598 # 2.19.3

    permissions:
      contents: read
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Push to Flakehub
        uses: DeterminateSystems/flakehub-push@b441737e7d01e044d7b60a3240fb81cbf827bee0 # v3
        with:
          visibility: "public"
          rolling: ${{ !startsWith(github.ref, 'refs/tags/v' )}}