name: "Check whether nix files are parseable"

permissions: read-all

on:
  # avoids approving first time contributors
  pull_request_target:
    branches-ignore:
      - 'release-**'

jobs:
  tests:
    runs-on: ubuntu-latest
    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
    - name: Get list of changed files from PR
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        gh api \
          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
          > "$HOME/changed_files"
        if [[ -s "$HOME/changed_files" ]]; then
          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
        fi
    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
      with:
        # pull_request_target checks out the base branch by default
        ref: refs/pull/${{ github.event.pull_request.number }}/merge
      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
    - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
      with:
        nix_path: nixpkgs=channel:nixpkgs-unstable
    - name: Parse all changed or added nix files
      run: |
        ret=0
        while IFS= read -r file; do
          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
        done < "$HOME/changed_files"
        exit "$ret"
      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}