name: "Check shell"

on:
  pull_request:
    paths:
      - .github/workflows/check-shell.yml
  pull_request_target:
    paths:
      - 'shell.nix'
      - 'ci/**'

concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

permissions: {}

jobs:
  shell-check:
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            system: x86_64-linux
          - runner: ubuntu-24.04-arm
            system: aarch64-linux
          - runner: macos-13
            system: x86_64-darwin
          - runner: macos-14
            system: aarch64-darwin

    name: shell-check-${{ matrix.system }}
    runs-on: ${{ matrix.runner }}

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          sparse-checkout: .github/actions
      - name: Check if the PR can be merged and checkout the merge commit
        uses: ./.github/actions/get-merge-commit
        with:
          merged-as-untrusted: true

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

      - name: Build shell
        run: nix-build untrusted/ci -A shell