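# THROWAWAY build smoke-test for the macOS (Tart) runner. Verifies both
# *-apple-darwin targets actually compile and link (incl. arboard's AppKit)
# through the flake on the real Mac, before the full release-macos workflow is
# wired. Delete once that lands.
#
# Push-triggered (workflow_dispatch only works for workflows on the default
# branch; our CI is on `ci`). Runs when the flake/toolchain or this file changes.
# Bring the Mac up before pushing so the run isn't left queued.
name: macos-build-test
on:
  # NOTE(review): there is no `branches:` filter, so a push to any branch that
  # touches one of these paths executes on the runner. The prune step below
  # documents that the nix store and ~/.cargo persist between runs, so state
  # written by one run is visible to later ones. Confirm that only trusted
  # contributors can push to this repository.
  push:
    paths:
      - '.gitea/workflows/macos-probe.yaml'
      - 'flake.nix'
      - 'rust-toolchain.toml'
  workflow_dispatch:
jobs:
  build:
    # Label NAME only — `:host` in the runner registration is the execution
    # backend (run on host), not part of the label.
    runs-on: macos
    env:
      # Guarantee flakes regardless of the Mac's nix config.
      NIX_CONFIG: "experimental-features = nix-command flakes"
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning to a full commit SHA
      # (e.g. actions/checkout@<FULL_COMMIT_SHA_PLACEHOLDER>) keeps the code
      # that runs on this runner from changing without a reviewed diff.
      - uses: actions/checkout@v4
      - name: test (macOS — the gate only covers Linux)
        run: nix develop -c cargo test --no-fail-fast
      - name: build, de-nix, sign, verify both darwin targets
        run: |
          # -e aborts on the first failing command; -u turns a typo in a
          # variable name into an error instead of an empty path.
          set -eu
          for t in aarch64-apple-darwin x86_64-apple-darwin; do
            echo "==================== $t ===================="
            nix develop -c cargo build --release --target "$t"
            f="target/$t/release/rdbms-playground"
            # The darwin stdenv bakes a /nix/store libiconv load path into the
            # binary. Rewrite it to the system libiconv (every Mac has it, ABI-
            # compatible), then re-sign ad-hoc — install_name_tool invalidates
            # the signature and arm64 won't run an unsigned/broken-sig binary.
            #
            # otool output is captured into a variable first: as a plain
            # assignment its failure trips `set -e`, whereas inside `$(… | awk)`
            # or `otool | grep` an otool error would be masked and the checks
            # below would pass on empty input.
            libs="$(otool -L "$f")"
            for l in $(printf '%s\n' "$libs" | awk '/\/nix\/store.*libiconv.*dylib/ {print $1}'); do
              echo "rewrite $l -> /usr/lib/libiconv.2.dylib"
              install_name_tool -change "$l" /usr/lib/libiconv.2.dylib "$f"
            done
            codesign --force --sign - "$f"
            echo "--- linked libs ---"
            libs="$(otool -L "$f")"
            printf '%s\n' "$libs"
            # Fail the build if any load path still points into the nix store.
            case "$libs" in
              */nix/store*)
                echo "ERROR: $t still links a /nix/store dylib"
                exit 1
                ;;
            esac
            # Kept as its own statement: under `set -e` a failing command on
            # the left of `&&` does NOT abort the script, so the previous
            # `codesign --verify … && echo` form let a bad signature through.
            codesign --verify --verbose=2 "$f"
            echo "signature OK"
            # Smoke-run the natively-runnable target (this VM is arm64).
            if [ "$t" = "aarch64-apple-darwin" ]; then
              echo "--- run --help ---"
              # Run the binary outside a pipeline so a crash or non-zero exit
              # fails the step; piped straight into `head`, only head's status
              # counts unless the shell has pipefail enabled.
              help_out="$("$f" --help)"
              printf '%s\n' "$help_out" | head -1
            else
              echo "(skip run: $t needs Rosetta)"
            fi
            echo "OK: $t portable"
          done
          echo "=== both darwin targets built, de-nixed, signed, verified ==="
      - name: prune nix store — keep the last 2 toolchain generations
        # The runner wipes the whole workspace before each run, so cargo target/
        # never accumulates (no sweep needed). The persistent caches are the nix
        # store (/nix) and ~/.cargo (in $HOME). Bound the nix store by generation:
        # record the current devShell closure as a generation of a persistent
        # profile (lives in $HOME, survives the workspace wipe), keep the 2 newest
        # (current + previous), reclaim what the older ones referenced. No time
        # window — never more than two toolchains regardless of flake.lock churn.
        if: always()
        run: |
          echo "--- disk before ---"; df -h / | tail -1
          P="$HOME/.cache/rdbms-ci/toolchain"
          # Each command is deliberately best-effort (`|| true`): a failed
          # prune must not turn an otherwise green run red.
          nix develop --profile "$P" -c true || true
          nix-env -p "$P" --delete-generations +2 || true
          nix-collect-garbage || true
          echo "--- disk after ---"; df -h / | tail -1
          # ~/.cargo/registry also persists but grows only on Cargo.lock bumps;
          # bound it later with `cargo-cache --autoclean` if it ever matters.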