.github/workflows/ci.yaml

name: CI

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

env:
  DAGGER_VERSION: 0.13.6

jobs:
  build:
    name: Build
    runs-on: depot-ubuntu-latest-8

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8

      - name: Prepare Nix shell
        run: nix develop --impure .#ci

      - name: Build Server
        run: nix develop --impure .#ci -c make build-server

      - name: Build Sink Worker
        run: nix develop --impure .#ci -c make build-sink-worker

  test:
    name: Test
    runs-on: depot-ubuntu-latest-8

    steps:
      # Required as a workaround for Dagger to properly detect Git metadata
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run pipeline
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: test
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Dagger Engine logs
        id: export-dagger-engine-logs
        run: docker logs $(docker container list --all --filter 'name=^dagger-engine-*' --format '{{.Names}}') > engine.stdout.log 2> engine.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Dagger Engine logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-dagger-engine-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Dagger Engine logs"
          path: |
            engine.stdout.log
            engine.stderr.log
          retention-days: 14

  migrations:
    name: Migration Checks
    runs-on: depot-ubuntu-latest-8

    steps:
      # Required as a workaround for Dagger to properly detect Git metadata
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # Needed to compare against base branch

      - name: Run pipeline
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: migrate check
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Dagger Engine logs
        id: export-dagger-engine-logs
        run: docker logs $(docker container list --all --filter 'name=^dagger-engine-*' --format '{{.Names}}') > engine.stdout.log 2> engine.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Dagger Engine logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-dagger-engine-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Dagger Engine logs"
          path: |
            engine.stdout.log
            engine.stderr.log
          retention-days: 14

  lint:
    name: Lint
    runs-on: depot-ubuntu-latest-8

    steps:
      # Required as a workaround for Dagger to properly detect Git metadata
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run pipeline
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: lint all
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Dagger Engine logs
        id: export-dagger-engine-logs
        run: docker logs $(docker container list --all --filter 'name=^dagger-engine-*' --format '{{.Names}}') > engine.stdout.log 2> engine.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Dagger Engine logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-dagger-engine-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Dagger Engine logs"
          path: |
            engine.stdout.log
            engine.stderr.log
          retention-days: 14

  commit-hooks:
    name: Commit hooks
    runs-on: depot-ubuntu-latest-4

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8

      - name: Prepare Nix shell
        run: nix develop --impure .#ci

      - name: Pre-commit hooks
        run: nix develop --impure .#ci -c pre-commit run -a

      - name: Check commit messages
        run: nix develop --impure .#ci -c pre-commit run --hook-stage manual

  dev:
    name: Developer environment
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Nix
        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

      - name: Set up magic Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8

      - name: Check
        run: nix flake check --impure

      - name: Dev shell
        run: nix develop --impure

  artifacts:
    name: Artifacts
    uses: ./.github/workflows/artifacts.yaml
    with:
      publish: ${{ github.event_name == 'push' }}
    permissions:
      contents: read
      packages: write
      id-token: write
      security-events: write

  dependency-review:
    name: Dependency review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Dependency Review
        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0

  fossa-scan:
    name: FOSSA Scan
    runs-on: ubuntu-latest
    if: github.event_name == 'push'

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run FOSSA Scan
        uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
        with:
          api-key: ${{secrets.FOSSA_API_KEY}}

  quickstart:
    name: Quickstart
    runs-on: depot-ubuntu-latest-8

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Launch Docker Compose
        run: docker compose -f docker-compose.yaml -f docker-compose.ci.yaml up -d
        working-directory: quickstart

      - name: Check container health
        run: docker inspect --format "{{json .State.Health }}" $(docker container list --all --filter 'name=^*-openmeter-*' --format '{{.Names}}')
        if: always()
        continue-on-error: true

      - name: Wait for worker to become ready
        run: curl --retry 10 --retry-max-time 120 --retry-all-errors http://localhost:10000/healthz

      - name: Run tests
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: --source .:default quickstart-test --service tcp://localhost:8888 --port 8888
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Container Logs
        id: export-container-logs
        run: docker logs $(docker container list --all --filter 'name=^*-openmeter-*' --format '{{.Names}}') > container.stdout.log 2> container.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Container logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-container-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Container logs"
          path: |
            container.stdout.log
            container.stderr.log
          retention-days: 14

      - name: Cleanup Docker Compose
        run: docker compose -f docker-compose.yaml -f docker-compose.ci.yaml down -v
        working-directory: quickstart
        if: always()

  e2e:
    name: E2E
    runs-on: depot-ubuntu-latest-16

    steps:
      # Required as a workaround for Dagger to properly detect Git metadata
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run pipeline
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: etoe
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Dagger Engine logs
        id: export-dagger-engine-logs
        run: docker logs $(docker container list --all --filter 'name=^dagger-engine-*' --format '{{.Names}}') > engine.stdout.log 2> engine.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Dagger Engine logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-dagger-engine-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Dagger Engine logs"
          path: |
            engine.stdout.log
            engine.stderr.log
          retention-days: 14

  dagger:
    name: CI
    runs-on: depot-ubuntu-latest-16

    steps:
      # Required as a workaround for Dagger to properly detect Git metadata
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run pipeline
        uses: dagger/dagger-for-github@ad6a4e308a42fb2cf9be8b060f9aba9d57d4c9aa # v6.14.0
        with:
          verb: call
          args: ci
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: ${{ env.DAGGER_VERSION }}

      - name: Export Dagger Engine logs
        id: export-dagger-engine-logs
        run: docker logs $(docker container list --all --filter 'name=^dagger-engine-*' --format '{{.Names}}') > engine.stdout.log 2> engine.stderr.log
        if: always()
        continue-on-error: true

      - name: Upload Dagger Engine logs as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: always() && steps.export-dagger-engine-logs.outcome == 'success'
        with:
          name: "[${{ github.job }}] Dagger Engine logs"
          path: |
            engine.stdout.log
            engine.stderr.log
          retention-days: 14