name: "Build NixOS manual"

permissions: read-all

on:
  pull_request_target:
    branches:
      - master
    paths:
      - 'nixos/**'

jobs:
  nixos:
    runs-on: ubuntu-latest
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: actions/checkout@v3
        with:
          # pull_request_target checks out the base branch by default
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - uses: cachix/install-nix-action@v18
        with:
          # explicitly enable sandbox
          extra_nix_config: sandbox = true
      - uses: cachix/cachix-action@v12
        with:
          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
          name: nixpkgs-ci
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Building NixOS manual with DocBook options
        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
      - name: Building NixOS manual with Markdown options
        run: |
          export NIX_PATH=nixpkgs=$(pwd)
          nix-build \
            --option restrict-eval true \
            --arg configuration '{ documentation.nixos.options.allowDocBook = false; }' \
            nixos/release.nix \
            -A manual.x86_64-linux