# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
#
# This answers the questions that decide the CI architecture, on facts rather
# than guesses:
#   * How does this runner execute a plain job — directly on the host, or inside
#     a default container? (-> is "the ci server has nix" reachable from steps?)
#   * Is `nix` on PATH where steps run, and does a /nix store persist?
#   * Is a docker client/daemon reachable from a plain job (no DinD service)?
#   * Does a custom job `container:` work on this rootless runner, and can it pull
#     an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
#
# Trigger: push to this branch, or run manually from the Actions UI.
name: ci-probe
on: [push, workflow_dispatch]

jobs:
  # --- Job 1: DEFAULT execution -------------------------------------------
  # No `container:` override — this is whatever environment the runner gives a
  # plain job. Tells us where steps actually run and what's already there.
  host:
    runs-on: ci-public
    steps:
      - name: identity & environment
        run: |
          echo "=== uname ==="; uname -a
          echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
          echo "=== whoami / id ==="; whoami; id
          echo "=== containerized? ==="
          if [ -f /.dockerenv ]; then
            echo "/.dockerenv PRESENT -> steps run INSIDE a container"
          else
            echo "/.dockerenv absent"
          fi
          echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"

      - name: nix availability (the decisive check)
        run: |
          echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
          echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
          echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
          echo "=== store path count (persistence hint; high => warm/shared) ==="
          ls /nix/store 2>/dev/null | wc -l

      - name: docker availability (without a DinD service)
        run: |
          echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
          docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"

      - name: checkout — does the flake land here?
        uses: actions/checkout@v4

      - name: flake present in this checkout?
        run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"

  # --- Job 2: CUSTOM CONTAINER --------------------------------------------
  # Tests the "reusable nix image" model: run steps inside a pinned nix image.
  # Deliberately minimal — no checkout (the checkout action needs node, which a
  # bare nixos/nix image lacks; that's a separate concern). If this job's steps
  # run at all, custom job containers are viable on this runner.
  nix-container:
    runs-on: ci-public
    container:
      # NOTE: `latest` is a floating tag, not a pin. That is enough to prove the
      # runner can pull and run the image; the real gate should reference the
      # image by digest.
      image: nixos/nix:latest
    steps:
      - name: nix inside a pinned container
        run: |
          echo "=== inside nixos/nix container ==="
          nix --version
          echo "--- identity ---"; whoami; id; uname -a
          echo "--- flakes enabled? ---"
          nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
            && echo "flakes usable (with --extra-experimental-features)" \
            || echo "flake subcommand not usable as invoked"