xin/bin/ci

#!/usr/bin/env sh

. ./common.sh

direnv allow

CMD=${1:-""}

eval $(keychain --eval --agents ssh --inherit any)

start_ci

trap ci_error INT TERM

ci_branch=$(date +"%Y%m%dT%H%M%S%z")
can_sign=0

for i in $(ssh-add -L | awk '{print $NF}'); do
	grep -q $i .allowed_signers && can_sign=1
done

if [ $can_sign != 1 ]; then
	echo "Can't find signing key."
	exit 1
fi

git checkout main || handle_co_fail "main"
git pull || handle_pull_fail

if [ "${1}" = "update" ]; then
	if ! git checkout -b "${ci_branch}"; then
		handle_co_fail "${ci_branch}"
		exit 1
	fi

	bin/deploy watch update
	if ! git diff --exit-code >/dev/null; then
		git add pull_requests
		git commit -m 'watched: update watched pull requests'
	fi
	
	for inp in $(nix flake metadata --json | jq -r '.locks.nodes.root.inputs | keys[] as $k | $k'); do
		if ! git checkout -b "${ci_branch}_${inp}"; then
			handle_co_fail "${ci_branch}_${inp}"
			continue
		fi

		if ! nix flake lock --commit-lock-file --update-input "$inp"; then
			handle_update_fail "$inp"
			continue
		fi

		if ! nix flake check --print-build-logs; then
			handle_update_check_fail "$inp"
			continue
		fi

		if ! git checkout "${ci_branch}"; then
			handle_co_fail "${ci_branch}"
			continue
		fi

		if ! git merge "${ci_branch}_${inp}"; then
			handle_merge_fail "${ci_branch}_${inp}" "${ci_branch}"
			continue
		fi
	done

	if ! nix flake check --print-build-logs; then
		handle_update_check_fail "$ci_branch"
		exit 1
	fi


	if ! git checkout main; then
		handle_co_fail
		exit 1
	fi
	if ! git merge "${ci_branch}"; then
		handle_merge_fail "${ci_branch}" "main"
		exit 1
	fi

	# Agent is configured to forget keys after X, if that happens we need to re-add before push
	agentHasKey "$(cat /run/secrets/ci_ed25519_pub | awk '{print $2}')" ||
		ssh-add /run/secrets/ci_ed25519_key
	if ! git push; then
		handle_push_fail
		exit 1
	fi
else
	if ! nix flake check --print-build-logs; then
		handle_check_fail
		exit 1
	fi
fi

finish