name: CI
on:
  pull_request:
  push:
env:
  DATABASE_URL: ${{ vars.DATABASE_URL }}

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'ref/heads/master' }}

jobs:
  tests:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:js-latest
      options: --security-opt seccomp=unconfined
    permissions:
      pull-requests: write
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_PASSWORD: ${{ vars.DB_PASSWORD }}
          POSTGRES_USER: ${{ vars.DB_USER }}
          POSTGRES_DB: ${{ vars.DB_NAME }}
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 10s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v27
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - name: Migrate database
        run: nix develop --command -- just migrate
      - name: Formatting check
        run: nix develop --command -- just format-check
      - name: Lint
        run: nix develop --command -- just lint
      - name: Audit
        run: nix develop --command -- just audit
      - name: Tests
        run: nix develop --command -- just test