name: nix

on:
  push:
    branches:
      - '**'
      # Disable builds on these branches, because they will become a pull
      # request, and be handled by merge_group below.
      - '!dependabot/**'
      # `main` and `gh-readonly-queue` are handled by merge_group specifically.
      - '!gh-readonly-queue/**'
      - '!main'
  pull_request:
  merge_group:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

permissions: read-all

jobs:
  nix:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04, macos-14]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 15 # NOTE (aseipp): keep in-sync with the build.yml timeout limit

    name: flake check
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
      - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d
      - run: nix flake check -L --show-trace