# A txtar test version of the of the go generate workflow that wraps
# the internal/ci genworkflows CUE command.
#
# Note: all the non-golden files below are updated automatically by
# the internal/ci updateTxtarTests CUE command (with the exception
# of the cue.mod/module.cue file).

# TODO: drop cd when we solve cuelang.org/issue/708
cd internal/ci
cue cmd genworkflows

# TODO: drop cd when we solve cuelang.org/issue/708
cd ../../
cmp .github/workflows/mirror.yml .github/workflows/mirror.yml.golden
cmp .github/workflows/new_version_triggers.yml .github/workflows/new_version_triggers.yml.golden
cmp .github/workflows/release.yml .github/workflows/release.yml.golden
cmp .github/workflows/repository_dispatch.yml .github/workflows/repository_dispatch.yml.golden
cmp .github/workflows/test.yml .github/workflows/test.yml.golden
cmp .github/workflows/tip_triggers.yml .github/workflows/tip_triggers.yml.golden

-- cue.mod/module --
module "cuelang.org/go"
-- .github/workflows/mirror.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: Scheduled repo mirror
on:
  schedule:
  - cron: '*/30 * * * *'
jobs:
  mirror:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Mirror Gerrit to GitHub
      run: |-
        cd _scripts
        docker run --rm -v $PWD/cache:/root/copybara/cache -v $PWD:/usr/src/app --entrypoint="" cueckoo/copybara:afc4ae03eed00b0c9d7415141cd1b5dfa583da7c bash -c " \
        	set -eu; \
        	echo \"${{ secrets.gerritCookie }}\" > ~/.gitcookies; \
        	chmod 600 ~/.gitcookies; \
        	git config --global user.name cueckoo; \
        	git config --global user.email cueckoo@gmail.com; \
        	git config --global http.cookiefile \$HOME/.gitcookies; \
          	echo https://cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }}@github.com > ~/.git-credentials; \
        	chmod 600 ~/.git-credentials; \
        	java -jar /opt/copybara/copybara_deploy.jar migrate copy.bara.sky github; \
        	"
-- .github/workflows/new_version_triggers.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: New release triggers
on:
  push:
    tags:
    - v*
jobs:
  push:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - name: Rebuild tip.cuelang.org
      run: 'curl -s -H "Content-Type: application/json" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT
        }} --request POST --data-binary "{"event_type": "Re-test post release of ${GITHUB_REF##refs/tags/}"}"
        https://api.github.com/repos/cuelang/cuelang.org/dispatches'
    - name: Trigger unity build
      run: 'curl -s -H "Content-Type: application/json" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT
        }} --request POST --data-binary "{"event_type": "Check against CUE ${GITHUB_REF##refs/tags/}",
        "client_payload": {"type": "unity", "payload": {"versions": "\"${GITHUB_REF##refs/tags/}\"}}}"
        https://api.github.com/repos/cue-sh/unity/dispatches'
-- .github/workflows/release.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: Release
on:
  push:
    tags:
    - v*
jobs:
  goreleaser:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
      with:
        fetch-depth: 0
    - name: Install Go
      uses: actions/setup-go@v2
      with:
        go-version: ${{ matrix.go-version }}
        version: 1.15.8
        stable: false
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v2
      with:
        args: release --rm-dist
        version: v0.155.1
      env:
        GITHUB_TOKEN: ${{ secrets.ACTIONS_GITHUB_TOKEN }}
  docker:
    name: docker
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Set version environment
      run: |-
        CUE_VERSION=$(echo ${GITHUB_REF##refs/tags/v})
        echo "CUE_VERSION=$CUE_VERSION"
        echo "CUE_VERSION=$(echo $CUE_VERSION)" >> $GITHUB_ENV
    - name: Push to Docker Hub
      uses: docker/build-push-action@v1
      with:
        tags: ${{ env.CUE_VERSION }},latest
        repository: cuelang/cue
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
        tag_with_ref: false
        tag_with_sha: false
        target: cue
        always_pull: true
        build_args: GOLANG_VERSION=${{ env.GOLANG_VERSION }},CUE_VERSION=v${{ env.CUE_VERSION
          }}
        add_git_labels: true
      env:
        DOCKER_BUILDKIT: 1
        GOLANG_VERSION: 1.14
        CUE_VERSION: ${{ env.CUE_VERSION }}
-- .github/workflows/repository_dispatch.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: Repository Dispatch
on:
- repository_dispatch
jobs:
  runtrybot:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    if: ${{ github.event.client_payload.type == 'runtrybot' }}
    steps:
    - name: Trigger trybot
      run: |-
        mkdir tmpgit
        cd tmpgit
        git init
        git config user.name cueckoo
        git config user.email cueckoo@gmail.com
        git config http.https://github.com/.extraheader "AUTHORIZATION: basic $(echo -n cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} | base64)"
        git fetch https://cue-review.googlesource.com/cue ${{ github.event.client_payload.payload.ref }}
        git checkout -b ci/${{ github.event.client_payload.payload.changeID }}/${{ github.event.client_payload.payload.commit }} FETCH_HEAD
        git push https://github.com/cuelang/cue ci/${{ github.event.client_payload.payload.changeID }}/${{ github.event.client_payload.payload.commit }}
  mirror:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    if: ${{ github.event.client_payload.type == 'mirror' }}
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Mirror Gerrit to GitHub
      run: |-
        cd _scripts
        docker run --rm -v $PWD/cache:/root/copybara/cache -v $PWD:/usr/src/app --entrypoint="" cueckoo/copybara:afc4ae03eed00b0c9d7415141cd1b5dfa583da7c bash -c " \
        	set -eu; \
        	echo \"${{ secrets.gerritCookie }}\" > ~/.gitcookies; \
        	chmod 600 ~/.gitcookies; \
        	git config --global user.name cueckoo; \
        	git config --global user.email cueckoo@gmail.com; \
        	git config --global http.cookiefile \$HOME/.gitcookies; \
          	echo https://cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }}@github.com > ~/.git-credentials; \
        	chmod 600 ~/.git-credentials; \
        	java -jar /opt/copybara/copybara_deploy.jar migrate copy.bara.sky github; \
        	"
  importpr:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    if: ${{ github.event.client_payload.type == 'importpr' }}
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: 'Import PR #${{ github.event.client_payload.commit }} from GitHub to Gerrit'
      run: |-
        cd _scripts
        docker run --rm -v $PWD/cache:/root/copybara/cache -v $PWD:/usr/src/app --entrypoint="" cueckoo/copybara:afc4ae03eed00b0c9d7415141cd1b5dfa583da7c bash -c " \
        	set -eu; \
        	echo \"${{ secrets.gerritCookie }}\" > ~/.gitcookies; \
        	chmod 600 ~/.gitcookies; \
        	git config --global user.name cueckoo; \
        	git config --global user.email cueckoo@gmail.com; \
        	git config --global http.cookiefile \$HOME/.gitcookies; \
          	echo https://cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }}@github.com > ~/.git-credentials; \
        	chmod 600 ~/.git-credentials; \
        	java -jar /opt/copybara/copybara_deploy.jar migrate copy.bara.sky github-pr ${{ github.event.client_payload.payload.pr }}; \
        	"
-- .github/workflows/test.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: Test
on:
  push:
    branches:
    - '**'
    tags-ignore:
    - v*
jobs:
  start:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - if: ${{ startsWith(github.ref, 'refs/heads/ci/') }}
      name: Write the gitcookies file
      run: echo "${{ secrets.gerritCookie }}" > ~/.gitcookies
    - if: ${{ startsWith(github.ref, 'refs/heads/ci/') }}
      name: Update Gerrit CL message with starting message
      run: 'curl -s -H "Content-Type: application/json" --request POST --data ''{"tag":"trybot","message":"Started
        the build... see progress at ${{ github.event.repository.html_url }}/actions/runs/${{
        github.run_id }}"}'' -b ~/.gitcookies https://cue-review.googlesource.com/a/changes/$(basename
        $(dirname $GITHUB_REF))/revisions/$(basename $GITHUB_REF)/review'
  test:
    needs: start
    strategy:
      fail-fast: false
      matrix:
        go-version:
        - 1.14.14
        - 1.15.8
        - "1.16"
        os:
        - ubuntu-18.04
        - macos-10.15
        - windows-2019
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        shell: bash
    steps:
    - name: Write the gitcookies file
      run: echo "${{ secrets.gerritCookie }}" > ~/.gitcookies
    - name: Install Go
      uses: actions/setup-go@v2
      with:
        go-version: ${{ matrix.go-version }}
        stable: false
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Cache Go modules
      uses: actions/cache@v1
      with:
        path: ~/go/pkg/mod
        key: ${{ runner.os }}-${{ matrix.go-version }}-go-${{ hashFiles('**/go.sum')
          }}
        restore-keys: ${{ runner.os }}-${{ matrix.go-version }}-go-
    - if: ${{ github.ref == 'refs/heads/master' }}
      name: Set go build tags
      run: go env -w GOFLAGS=-tags=long
    - if: matrix.go-version == '1.14.14' && matrix.os != 'windows-2019'
      name: Generate
      run: go generate ./...
    - name: Test
      run: go test ./...
    - if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/ci/')
        && matrix.go-version == '1.15.8' && matrix.os == 'ubuntu-18.04' }}
      name: Test with -race
      run: go test -race ./...
    - name: gorelease check
      run: go run golang.org/x/exp/cmd/gorelease
    - name: Check that git is clean post generate and tests
      run: test -z "$(git status --porcelain)" || (git status; git diff; false)
    - if: ${{ github.ref == 'refs/heads/master' }}
      name: Pull this commit through the proxy on master
      run: |-
        v=$(git rev-parse HEAD)
        cd $(mktemp -d)
        go mod init mod.com
        GOPROXY=https://proxy.golang.org go get -d cuelang.org/go/cmd/cue@$v
    - if: ${{ startsWith(github.ref, 'refs/heads/ci/') && failure() }}
      name: Post any failures for this matrix entry
      run: 'curl -s -H "Content-Type: application/json" --request POST --data ''{"tag":"trybot","message":"Build
        failed for ${{ runner.os }}-${{ matrix.go-version }}; see ${{ github.event.repository.html_url
        }}/actions/runs/${{ github.run_id }} for more details","labels":{"Code-Review":-1}}''
        -b ~/.gitcookies https://cue-review.googlesource.com/a/changes/$(basename
        $(dirname $GITHUB_REF))/revisions/$(basename $GITHUB_REF)/review'
  mark_ci_success:
    runs-on: ubuntu-18.04
    if: ${{ startsWith(github.ref, 'refs/heads/ci/') }}
    needs: test
    defaults:
      run:
        shell: bash
    steps:
    - name: Write the gitcookies file
      run: echo "${{ secrets.gerritCookie }}" > ~/.gitcookies
    - name: Update Gerrit CL message with success message
      run: 'curl -s -H "Content-Type: application/json" --request POST --data ''{"tag":"trybot","message":"Build
        succeeded for ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id
        }}","labels":{"Code-Review":1}}'' -b ~/.gitcookies https://cue-review.googlesource.com/a/changes/$(basename
        $(dirname $GITHUB_REF))/revisions/$(basename $GITHUB_REF)/review'
  delete_build_branch:
    runs-on: ubuntu-18.04
    if: ${{ startsWith(github.ref, 'refs/heads/ci/') && always() }}
    needs: test
    defaults:
      run:
        shell: bash
    steps:
    - run: |-
        mkdir tmpgit
        cd tmpgit
        git init
        git config user.name cueckoo
        git config user.email cueckoo@gmail.com
        git config http.https://github.com/.extraheader "AUTHORIZATION: basic $(echo -n cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} | base64)"
        git push https://github.com/cuelang/cue :${GITHUB_REF#refs/heads/}
-- .github/workflows/tip_triggers.yml.golden --
# Generated by internal/ci/ci_tool.cue; do not edit

name: Push to tip triggers
on:
  push:
    branches:
    - master
jobs:
  push:
    runs-on: ubuntu-18.04
    defaults:
      run:
        shell: bash
    steps:
    - name: Rebuild tip.cuelang.org
      run: curl -s -X POST -d {} https://api.netlify.com/build_hooks/${{ secrets.CuelangOrgTipRebuildHook
        }}
    - name: Trigger unity build
      run: 'echo curl -s -H "Content-Type: application/json" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT
        }} --request POST --data-binary "{"event_type": "Check against ${GITHUB_SHA}",
        "client_payload": {"type": "unity", "payload": {"versions": "\"commit:${GITHUB_SHA}\""}}}"
        https://api.github.com/repos/cue-sh/unity/dispatches'
-- internal/ci/ci_tool.cue --
// Copyright 2021 The CUE Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package ci

import (
	"path"

	"encoding/yaml"

	"tool/exec"
	"tool/file"
	"tool/os"
)

// genworkflows regenerates the GitHub workflow Yaml definitions.
//
// See internal/ci/gen.go for details on how this step fits into the sequence
// of generating our CI workflow definitions, and updating various txtar tests
// with files from that process.
//
// Until we have a resolution for cuelang.org/issue/704 and
// cuelang.org/issue/708 this must be run from the internal/ci package. At
// which point we can switch to using _#modroot.
//
// This also explains why the ../../ relative path specification below appear
// wrong in the context of the containing directory internal/ci/vendor.
command: genworkflows: {
	goos: _#goos

	for w in workflows {
		"\(w.file)": file.Create & {
			_dir:     path.FromSlash("../../.github/workflows", path.Unix)
			filename: path.Join([_dir, w.file], goos.GOOS)
			contents: """
						 # Generated by internal/ci/ci_tool.cue; do not edit

						 \(yaml.Marshal(w.schema))
						 """
		}
	}
}

// updateTxtarTests ensures certain txtar tests are updated with the
// relevant files that make up the process of generating our CI
// workflows.
//
// See internal/ci/gen.go for details on how this step fits into the sequence
// of generating our CI workflow definitions, and updating various txtar tests
// with files from that process.
//
// Until we have a resolution for cuelang.org/issue/704 and
// cuelang.org/issue/708 this must be run from the internal/ci package. At
// which point we can switch to using _#modroot.
//
// This also explains why the ../../ relative path specification below appear
// wrong in the context of the containing directory internal/ci/vendor.
command: updateTxtarTests: {
	goos: _#goos

	readJSONSchema: file.Read & {
		_path:    path.FromSlash("../../cue.mod/pkg/github.com/SchemaStore/schemastore/src/schemas/json/github-workflow.cue", path.Unix)
		filename: path.Join([_path], goos.GOOS)
		contents: string
	}
	cueDefInternalCI: exec.Run & {
		cmd:    "go run cuelang.org/go/cmd/cue def cuelang.org/go/internal/ci"
		stdout: string
	}
	// updateEvalTxtarTest updates the cue/testdata/eval testscript which exercises
	// the evaluation of the workflows defined in internal/ci (which by definition
	// means resolving and using the vendored GitHub Workflow schema)
	updateEvalTxtarTest: {
		_relpath: path.FromSlash("../../cue/testdata/eval/github.txtar", path.Unix)
		_path:    path.Join([_relpath], goos.GOOS)

		githubSchema: exec.Run & {
			stdin: readJSONSchema.contents
			cmd:   "go run cuelang.org/go/internal/ci/updatetxtar - \(_path) cue.mod/pkg/github.com/SchemaStore/schemastore/src/schemas/json/github-workflow.cue"
		}
		defWorkflows: exec.Run & {
			$after: githubSchema
			stdin:  cueDefInternalCI.stdout
			cmd:    "go run cuelang.org/go/internal/ci/updatetxtar - \(_path) workflows.cue"
		}
	}
	// When we have a solution for cuelang.org/issue/709 we can make this a
	// file.Glob. Ultimately it would be better to be able to do a cue def
	// on the tool "package"
	readToolsFile: file.Read & {
		filename: "ci_tool.cue"
		contents: string
	}
	updateCmdCueCmdTxtarTest: {
		_relpath: path.FromSlash("../../cmd/cue/cmd/testdata/script/cmd_github.txt", path.Unix)
		_path:    path.Join([_relpath], goos.GOOS)

		githubSchema: exec.Run & {
			stdin: readJSONSchema.contents
			cmd:   "go run cuelang.org/go/internal/ci/updatetxtar - \(_path) cue.mod/pkg/github.com/SchemaStore/schemastore/src/schemas/json/github-workflow.cue"
		}
		defWorkflows: exec.Run & {
			$after: githubSchema
			stdin:  cueDefInternalCI.stdout
			cmd:    "go run cuelang.org/go/internal/ci/updatetxtar - \(_path) internal/ci/workflows.cue"
		}
		toolsFile: exec.Run & {
			stdin: readToolsFile.contents
			cmd:   "go run cuelang.org/go/internal/ci/updatetxtar - \(_path) internal/ci/\(readToolsFile.filename)"
		}
	}
}

// _#modroot is a common helper to get the module root
//
// TODO: use once we have a solution to cuelang.org/issue/704.
// This will then allow us to remove the use of .. below.
_#modroot: exec.Run & {
	cmd:    "go list -m -f {{.Dir}}"
	stdout: string
}

// Until we have the ability to inject contextual information
// we need to pass in GOOS explicitly. Either by environment
// variable (which we get for free when this is used via go generate)
// or via a tag in the case you want to manually run the CUE
// command.
_#goos: os.Getenv & {
	GOOS: *path.Unix | string @tag(os)
}
-- cue.mod/pkg/github.com/SchemaStore/schemastore/src/schemas/json/github-workflow.cue --
package json

import "strings"

#Workflow: {
	@jsonschema(schema="http://json-schema.org/draft-07/schema")
	null | bool | number | string | [...] | {
		// The name of your workflow. GitHub displays the names of your
		// workflows on your repository's actions page. If you omit this
		// field, GitHub sets the name to the workflow's filename.
		name?: string

		// The name of the GitHub event that triggers the workflow. You
		// can provide a single event string, array of events, array of
		// event types, or an event configuration map that schedules a
		// workflow or restricts the execution of a workflow to specific
		// files, tags, or branch changes. For a list of available
		// events, see
		// https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.
		on: #event | [...#event] & [_, ...] | {
			// Runs your workflow anytime the check_run event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see
			// https://developer.github.com/v3/checks/runs.
			check_run?: #eventObject & {
				types?: #types & [..."created" | "rerequested" | "completed" | "requested_action"] | *["created", "rerequested", "completed", "requested_action"]
				...
			}

			// Runs your workflow anytime the check_suite event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see
			// https://developer.github.com/v3/checks/suites/.
			check_suite?: #eventObject & {
				types?: #types & [..."completed" | "requested" | "rerequested"] | *["completed", "requested", "rerequested"]
				...
			}

			// Runs your workflow anytime someone creates a branch or tag,
			// which triggers the create event. For information about the
			// REST API, see
			// https://developer.github.com/v3/git/refs/#create-a-reference.
			create?: #eventObject

			// Runs your workflow anytime someone deletes a branch or tag,
			// which triggers the delete event. For information about the
			// REST API, see
			// https://developer.github.com/v3/git/refs/#delete-a-reference.
			delete?: #eventObject

			// Runs your workflow anytime someone creates a deployment, which
			// triggers the deployment event. Deployments created with a
			// commit SHA may not have a Git ref. For information about the
			// REST API, see
			// https://developer.github.com/v3/repos/deployments/.
			deployment?: #eventObject

			// Runs your workflow anytime a third party provides a deployment
			// status, which triggers the deployment_status event.
			// Deployments created with a commit SHA may not have a Git ref.
			// For information about the REST API, see
			// https://developer.github.com/v3/repos/deployments/#create-a-deployment-status.
			deployment_status?: #eventObject

			// Runs your workflow anytime when someone forks a repository,
			// which triggers the fork event. For information about the REST
			// API, see
			// https://developer.github.com/v3/repos/forks/#create-a-fork.
			fork?: #eventObject

			// Runs your workflow when someone creates or updates a Wiki page,
			// which triggers the gollum event.
			gollum?: #eventObject

			// Runs your workflow anytime the issue_comment event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see
			// https://developer.github.com/v3/issues/comments/.
			issue_comment?: #eventObject & {
				types?: #types & [..."created" | "edited" | "deleted"] | *["created", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime the issues event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see https://developer.github.com/v3/issues.
			issues?: #eventObject & {
				types?: #types & [..."opened" | "edited" | "deleted" | "transferred" | "pinned" | "unpinned" | "closed" | "reopened" | "assigned" | "unassigned" | "labeled" | "unlabeled" | "locked" | "unlocked" | "milestoned" | "demilestoned"] | *["opened", "edited", "deleted", "transferred", "pinned", "unpinned", "closed", "reopened", "assigned", "unassigned", "labeled", "unlabeled", "locked", "unlocked", "milestoned", "demilestoned"]
				...
			}

			// Runs your workflow anytime the label event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see
			// https://developer.github.com/v3/issues/labels/.
			label?: #eventObject & {
				types?: #types & [..."created" | "edited" | "deleted"] | *["created", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime the member event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see
			// https://developer.github.com/v3/repos/collaborators/.
			member?: #eventObject & {
				types?: #types & [..."added" | "edited" | "deleted"] | *["added", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime the milestone event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see
			// https://developer.github.com/v3/issues/milestones/.
			milestone?: #eventObject & {
				types?: #types & [..."created" | "closed" | "opened" | "edited" | "deleted"] | *["created", "closed", "opened", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime someone pushes to a GitHub
			// Pages-enabled branch, which triggers the page_build event. For
			// information about the REST API, see
			// https://developer.github.com/v3/repos/pages/.
			page_build?: #eventObject

			// Runs your workflow anytime the project event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see https://developer.github.com/v3/projects/.
			project?: #eventObject & {
				types?: #types & [..."created" | "updated" | "closed" | "reopened" | "edited" | "deleted"] | *["created", "updated", "closed", "reopened", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime the project_card event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see
			// https://developer.github.com/v3/projects/cards.
			project_card?: #eventObject & {
				types?: #types & [..."created" | "moved" | "converted" | "edited" | "deleted"] | *["created", "moved", "converted", "edited", "deleted"]
				...
			}

			// Runs your workflow anytime the project_column event occurs.
			// More than one activity type triggers this event. For
			// information about the REST API, see
			// https://developer.github.com/v3/projects/columns.
			project_column?: #eventObject & {
				types?: #types & [..."created" | "updated" | "moved" | "deleted"] | *["created", "updated", "moved", "deleted"]
				...
			}

			// Runs your workflow anytime someone makes a private repository
			// public, which triggers the public event. For information about
			// the REST API, see https://developer.github.com/v3/repos/#edit.
			public?: #eventObject

			// Runs your workflow anytime the pull_request event occurs. More
			// than one activity type triggers this event. For information
			// about the REST API, see https://developer.github.com/v3/pulls.
			// Note: Workflows do not run on private base repositories when
			// you open a pull request from a forked repository.
			// When you create a pull request from a forked repository to the
			// base repository, GitHub sends the pull_request event to the
			// base repository and no pull request events occur on the forked
			// repository.
			// Workflows don't run on forked repositories by default. You must
			// enable GitHub Actions in the Actions tab of the forked
			// repository.
			// The permissions for the GITHUB_TOKEN in forked repositories is
			// read-only. For more information about the GITHUB_TOKEN, see
			// https://help.github.com/en/articles/virtual-environments-for-github-actions.
			pull_request?: #ref & {
				types?: #types & [..."assigned" | "unassigned" | "labeled" | "unlabeled" | "opened" | "edited" | "closed" | "reopened" | "synchronize" | "ready_for_review" | "locked" | "unlocked" | "review_requested" | "review_request_removed"] | *["opened", "synchronize", "reopened"]

				{[=~"^(branche|tag|path)s(-ignore)?$" & !~"^(types)$"]: _}
			}

			// Runs your workflow anytime the pull_request_review event
			// occurs. More than one activity type triggers this event. For
			// information about the REST API, see
			// https://developer.github.com/v3/pulls/reviews.
			// Note: Workflows do not run on private base repositories when
			// you open a pull request from a forked repository.
			// When you create a pull request from a forked repository to the
			// base repository, GitHub sends the pull_request event to the
			// base repository and no pull request events occur on the forked
			// repository.
			// Workflows don't run on forked repositories by default. You must
			// enable GitHub Actions in the Actions tab of the forked
			// repository.
			// The permissions for the GITHUB_TOKEN in forked repositories is
			// read-only. For more information about the GITHUB_TOKEN, see
			// https://help.github.com/en/articles/virtual-environments-for-github-actions.
			pull_request_review?: #eventObject & {
				types?: #types & [..."submitted" | "edited" | "dismissed"] | *["submitted", "edited", "dismissed"]
				...
			}

			// Runs your workflow anytime a comment on a pull request's
			// unified diff is modified, which triggers the
			// pull_request_review_comment event. More than one activity type
			// triggers this event. For information about the REST API, see
			// https://developer.github.com/v3/pulls/comments.
			// Note: Workflows do not run on private base repositories when
			// you open a pull request from a forked repository.
			// When you create a pull request from a forked repository to the
			// base repository, GitHub sends the pull_request event to the
			// base repository and no pull request events occur on the forked
			// repository.
			// Workflows don't run on forked repositories by default. You must
			// enable GitHub Actions in the Actions tab of the forked
			// repository.
			// The permissions for the GITHUB_TOKEN in forked repositories is
			// read-only. For more information about the GITHUB_TOKEN, see
			// https://help.github.com/en/articles/virtual-environments-for-github-actions.
			pull_request_review_comment?: #eventObject & {
				types?: #types & [..."created" | "edited" | "deleted"] | *["created", "edited", "deleted"]
				...
			}

			// This event is similar to pull_request, except that it runs in
			// the context of the base repository of the pull request, rather
			// than in the merge commit. This means that you can more safely
			// make your secrets available to the workflows triggered by the
			// pull request, because only workflows defined in the commit on
			// the base repository are run. For example, this event allows
			// you to create workflows that label and comment on pull
			// requests, based on the contents of the event payload.
			pull_request_target?: #ref & {
				types?: #types & [..."assigned" | "unassigned" | "labeled" | "unlabeled" | "opened" | "edited" | "closed" | "reopened" | "synchronize" | "ready_for_review" | "locked" | "unlocked" | "review_requested" | "review_request_removed"] | *["opened", "synchronize", "reopened"]

				{[=~"^(branche|tag|path)s(-ignore)?$" & !~"^(types)$"]: _}
			}

			// Runs your workflow when someone pushes to a repository branch,
			// which triggers the push event.
			// Note: The webhook payload available to GitHub Actions does not
			// include the added, removed, and modified attributes in the
			// commit object. You can retrieve the full commit object using
			// the REST API. For more information, see
			// https://developer.github.com/v3/repos/commits/#get-a-single-commit.
			push?: #ref & {
				{[=~"^(branche|tag|path)s(-ignore)?$" & !~"^()$"]: _}
			}

			// Runs your workflow anytime a package is published or updated.
			// For more information, see
			// https://help.github.com/en/github/managing-packages-with-github-packages.
			registry_package?: #eventObject & {
				types?: #types & [..."published" | "updated"] | *["published", "updated"]
				...
			}

			// Runs your workflow anytime the release event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see
			// https://developer.github.com/v3/repos/releases/ in the GitHub
			// Developer documentation.
			release?: #eventObject & {
				types?: #types & [..."published" | "unpublished" | "created" | "edited" | "deleted" | "prereleased" | "released"] | *["published", "unpublished", "created", "edited", "deleted", "prereleased", "released"]
				...
			}

			// Runs your workflow anytime the status of a Git commit changes,
			// which triggers the status event. For information about the
			// REST API, see https://developer.github.com/v3/repos/statuses/.
			status?: #eventObject

			// Runs your workflow anytime the watch event occurs. More than
			// one activity type triggers this event. For information about
			// the REST API, see
			// https://developer.github.com/v3/activity/starring/.
			watch?: #eventObject

			// You can now create workflows that are manually triggered with
			// the new workflow_dispatch event. You will then see a 'Run
			// workflow' button on the Actions tab, enabling you to easily
			// trigger a run.
			workflow_dispatch?: null | bool | number | string | [...] | {
				// Input parameters allow you to specify data that the action
				// expects to use during runtime. GitHub stores input parameters
				// as environment variables. Input ids with uppercase letters are
				// converted to lowercase during runtime. We recommended using
				// lowercase input ids.
				inputs?: {
					{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$" & !~"^()$"]: {
						// A string description of the input parameter.
						description: string

						// A string shown to users using the deprecated input.
						deprecationMessage?: string

						// A boolean to indicate whether the action requires the input
						// parameter. Set to true when the parameter is required.
						required: bool

						// A string representing the default value. The default value is
						// used when an input parameter isn't specified in a workflow
						// file.
						default?: string
					}}
				}
				...
			}

			// This event occurs when a workflow run is requested or
			// completed, and allows you to execute a workflow based on the
			// finished result of another workflow. For example, if your
			// pull_request workflow generates build artifacts, you can
			// create a new workflow that uses workflow_run to analyze the
			// results and add a comment to the original pull request.
			workflow_run?: #eventObject & {
				types?:     #types & [..."requested" | "completed"] | *["requested", "completed"]
				workflows?: [...string] & [_, ...]

				{[=~"^branches(-ignore)?$" & !~"^(types|workflows)$"]: _}
				...
			}

			// You can use the GitHub API to trigger a webhook event called
			// repository_dispatch when you want to trigger a workflow for
			// activity that happens outside of GitHub. For more information,
			// see
			// https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.
			// To trigger the custom repository_dispatch webhook event, you
			// must send a POST request to a GitHub API endpoint and provide
			// an event_type name to describe the activity type. To trigger a
			// workflow run, you must also configure your workflow to use the
			// repository_dispatch event.
			repository_dispatch?: #eventObject

			// You can schedule a workflow to run at specific UTC times using
			// POSIX cron syntax
			// (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07).
			// Scheduled workflows run on the latest commit on the default or
			// base branch. The shortest interval you can run scheduled
			// workflows is once every 5 minutes.
			// Note: GitHub Actions does not support the non-standard syntax
			// @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.
			// You can use crontab guru (https://crontab.guru/). to help
			// generate your cron syntax and confirm what time it will run.
			// To help you get started, there is also a list of crontab guru
			// examples (https://crontab.guru/examples.html).
			schedule?: [...null | bool | number | string | [...] | {
				cron?: =~"^(((\\d+,)+\\d+|((\\d+|\\*)\\/\\d+|JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)|(\\d+-\\d+)|\\d+|\\*|MON|TUE|WED|THU|FRI|SAT|SUN) ?){5,7}$"
			}] & [_, ...]
		}

		// A map of environment variables that are available to all jobs
		// and steps in the workflow.
		env?: #env

		// A map of default settings that will apply to all jobs in the
		// workflow.
		defaults?: #defaults

		// A workflow run is made up of one or more jobs. Jobs run in
		// parallel by default. To run jobs sequentially, you can define
		// dependencies on other jobs using the jobs.<job_id>.needs
		// keyword.
		// Each job runs in a fresh instance of the virtual environment
		// specified by runs-on.
		// You can run an unlimited number of jobs as long as you are
		// within the workflow usage limits. For more information, see
		// https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.
		jobs: {
			{[=~"^[_a-zA-Z][a-zA-Z0-9_-]*$" & !~"^()$"]: {
				// The name of the job displayed on GitHub.
				name?: string

				// Identifies any jobs that must complete successfully before this
				// job will run. It can be a string or array of strings. If a job
				// fails, all jobs that need it are skipped unless the jobs use a
				// conditional statement that causes the job to continue.
				needs?: [...#name] & [_, ...] | #name

				// The type of machine to run the job on. The machine can be
				// either a GitHub-hosted runner, or a self-hosted runner.
				"runs-on": "macos-10.15" | "macos-11.0" | "macos-latest" | "self-hosted" | "ubuntu-16.04" | "ubuntu-18.04" | "ubuntu-20.04" | "ubuntu-latest" | "windows-2016" | "windows-2019" | "windows-latest" | (["self-hosted"] | ["self-hosted", #machine] | ["self-hosted", #architecture] | ["self-hosted", #machine, #architecture] | ["self-hosted", #architecture, #machine]) & [...] | #expressionSyntax

				// The environment that the job references.
				environment?: string | #environment

				// A map of outputs for a job. Job outputs are available to all
				// downstream jobs that depend on this job.
				outputs?: {
					[string]: string
				}

				// A map of environment variables that are available to all steps
				// in the job.
				env?: #env

				// A map of default settings that will apply to all steps in the
				// job.
				defaults?: #defaults

				// You can use the if conditional to prevent a job from running
				// unless a condition is met. You can use any supported context
				// and expression to create a conditional.
				// Expressions in an if conditional do not require the ${{ }}
				// syntax. For more information, see
				// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
				if?: string

				// A job contains a sequence of tasks called steps. Steps can run
				// commands, run setup tasks, or run an action in your
				// repository, a public repository, or an action published in a
				// Docker registry. Not all steps run actions, but all actions
				// run as a step. Each step runs in its own process in the
				// virtual environment and has access to the workspace and
				// filesystem. Because steps run in their own process, changes to
				// environment variables are not preserved between steps. GitHub
				// provides built-in steps to set up and complete a job.
				steps?: [...{
					// A unique identifier for the step. You can use the id to
					// reference the step in contexts. For more information, see
					// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
					id?: string

					// You can use the if conditional to prevent a step from running
					// unless a condition is met. You can use any supported context
					// and expression to create a conditional.
					// Expressions in an if conditional do not require the ${{ }}
					// syntax. For more information, see
					// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
					if?: string

					// A name for your step to display on GitHub.
					name?: string

					// Selects an action to run as part of a step in your job. An
					// action is a reusable unit of code. You can use an action
					// defined in the same repository as the workflow, a public
					// repository, or in a published Docker container image
					// (https://hub.docker.com/).
					// We strongly recommend that you include the version of the
					// action you are using by specifying a Git ref, SHA, or Docker
					// tag number. If you don't specify a version, it could break
					// your workflows or cause unexpected behavior when the action
					// owner publishes an update.
					// - Using the commit SHA of a released action version is the
					// safest for stability and security.
					// - Using the specific major action version allows you to receive
					// critical fixes and security patches while still maintaining
					// compatibility. It also assures that your workflow should still
					// work.
					// - Using the master branch of an action may be convenient, but
					// if someone releases a new major version with a breaking
					// change, your workflow could break.
					// Some actions require inputs that you must set using the with
					// keyword. Review the action's README file to determine the
					// inputs required.
					// Actions are either JavaScript files or Docker containers. If
					// the action you're using is a Docker container you must run the
					// job in a Linux virtual environment. For more details, see
					// https://help.github.com/en/articles/virtual-environments-for-github-actions.
					uses?: string

					// Runs command-line programs using the operating system's shell.
					// If you do not provide a name, the step name will default to
					// the text specified in the run command.
					// Commands run using non-login shells by default. You can choose
					// a different shell and customize the shell used to run
					// commands. For more information, see
					// https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.
					// Each run keyword represents a new process and shell in the
					// virtual environment. When you provide multi-line commands,
					// each line runs in the same shell.
					run?: string, "working-directory"?: #["working-directory"], shell?: #shell

					// A map of the input parameters defined by the action. Each input
					// parameter is a key/value pair. Input parameters are set as
					// environment variables. The variable is prefixed with INPUT_
					// and converted to upper case.
					with?: #env & {
						args?: string, entrypoint?: string, ...
					}

					// Sets environment variables for steps to use in the virtual
					// environment. You can also set environment variables for the
					// entire workflow or a job.
					env?: #env

					// Prevents a job from failing when a step fails. Set to true to
					// allow a job to pass when this step fails.
					"continue-on-error"?: bool | #expressionSyntax | *false

					// The maximum number of minutes to run the step before killing
					// the process.
					"timeout-minutes"?: number
				}] & [_, ...]

				// The maximum number of minutes to let a workflow run before
				// GitHub automatically cancels it. Default: 360
				"timeout-minutes"?: number | *360

				// A strategy creates a build matrix for your jobs. You can define
				// different variations of an environment to run each job in.
				strategy?: {
					// A build matrix is a set of different configurations of the
					// virtual environment. For example you might run a job against
					// more than one supported version of a language, operating
					// system, or tool. Each configuration is a copy of the job that
					// runs and reports a status.
					// You can specify a matrix by supplying an array for the
					// configuration options. For example, if the GitHub virtual
					// environment supports Node.js versions 6, 8, and 10 you could
					// specify an array of those versions in the matrix.
					// When you define a matrix of operating systems, you must set the
					// required runs-on keyword to the operating system of the
					// current job, rather than hard-coding the operating system
					// name. To access the operating system name, you can use the
					// matrix.os context parameter to set runs-on. For more
					// information, see
					// https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.
					matrix: ({
						...
					} | #expressionSyntax) & {
						{[=~"^(in|ex)clude$" & !~"^()$"]: [...{
											[string]: #configuration
						}] & [_, ...]}
						{[!~"^(in|ex)clude$" & !~"^()$"]: [...#configuration] & [_, ...]}
					}

					// When set to true, GitHub cancels all in-progress jobs if any
					// matrix job fails. Default: true
					"fail-fast"?: bool | *true

					// The maximum number of jobs that can run simultaneously when
					// using a matrix job strategy. By default, GitHub will maximize
					// the number of jobs run in parallel depending on the available
					// runners on GitHub-hosted virtual machines.
					"max-parallel"?: number
				}

				// Prevents a workflow run from failing when a job fails. Set to
				// true to allow a workflow run to pass when this job fails.
				"continue-on-error"?: bool | #expressionSyntax

				// A container to run any steps in a job that don't already
				// specify a container. If you have steps that use both script
				// and container actions, the container actions will run as
				// sibling containers on the same network with the same volume
				// mounts.
				// If you do not set a container, all steps will run directly on
				// the host specified by runs-on unless a step refers to an
				// action configured to run in a container.
				container?: string | #container

				// Additional containers to host services for a job in a workflow.
				// These are useful for creating databases or cache services like
				// redis. The runner on the virtual machine will automatically
				// create a network and manage the life cycle of the service
				// containers.
				// When you use a service container for a job or your step uses
				// container actions, you don't need to set port information to
				// access the service. Docker automatically exposes all ports
				// between containers on the same network.
				// When both the job and the action run in a container, you can
				// directly reference the container by its hostname. The hostname
				// is automatically mapped to the service name.
				// When a step does not use a container action, you must access
				// the service using localhost and bind the ports.
				services?: {
					[string]: #container
				}
			}}
		}
	}

	#architecture: "ARM32" | "x64" | "x86"

	#branch: #globs

	#configuration: string | number | bool | {
		[string]: #configuration
	} | [...#configuration]

	#container: {
		// The Docker image to use as the container to run the action. The
		// value can be the Docker Hub image name or a registry name.
		image: string

		// If the image's container registry requires authentication to
		// pull the image, you can use credentials to set a map of the
		// username and password. The credentials are the same values
		// that you would provide to the `docker login` command.
		credentials?: {
			username?: string
			password?: string
			...
		}

		// Sets an array of environment variables in the container.
		env?: #env

		// Sets an array of ports to expose on the container.
		ports?: [...number | string] & [_, ...]

		// Sets an array of volumes for the container to use. You can use
		// volumes to share data between services or other steps in a
		// job. You can specify named Docker volumes, anonymous Docker
		// volumes, or bind mounts on the host.
		// To specify a volume, you specify the source and destination
		// path: <source>:<destinationPath>
		// The <source> is a volume name or an absolute path on the host
		// machine, and <destinationPath> is an absolute path in the
		// container.
		volumes?: [...=~"^[^:]+:[^:]+$"] & [_, ...]

		// Additional Docker container resource options. For a list of
		// options, see
		// https://docs.docker.com/engine/reference/commandline/create/#options.
		options?: string
	}

	#defaults: run?: {
		shell?:               #shell
		"working-directory"?: #["working-directory"]
	}

	#env: [string]: bool | number | string

	#environment: {
		// The name of the environment configured in the repo.
		name: string

		// A deployment URL
		url?: string
	}

	#event: "check_run" | "check_suite" | "create" | "delete" | "deployment" | "deployment_status" | "fork" | "gollum" | "issue_comment" | "issues" | "label" | "member" | "milestone" | "page_build" | "project" | "project_card" | "project_column" | "public" | "pull_request" | "pull_request_review" | "pull_request_review_comment" | "pull_request_target" | "push" | "registry_package" | "release" | "status" | "watch" | "workflow_dispatch" | "workflow_run" | "repository_dispatch"

	#eventObject: null | {
		...
	}

	#expressionSyntax: =~"^\\$\\{\\{.*\\}\\}$"

	#globs: [...strings.MinRunes(1)] & [_, ...]

	#machine: "linux" | "macos" | "windows"

	#name: =~"^[_a-zA-Z][a-zA-Z0-9_-]*$"

	#path: #globs

	#ref: null | {
		branches?:          #branch
		"branches-ignore"?: #branch
		tags?:              #branch
		"tags-ignore"?:     #branch
		paths?:             #path
		"paths-ignore"?:    #path
		...
	}

	#shell: (string | ("bash" | "pwsh" | "python" | "sh" | "cmd" | "powershell")) & string

	#types: [_, ...]

	#: "working-directory": string
}
-- internal/ci/workflows.cue --
package ci

import (
	"github.com/SchemaStore/schemastore/src/schemas/json"
	encjson "encoding/json"
)

workflowsDir:        *"./" | string @tag(workflowsDir)
_#masterBranch:      "master"
_#releaseTagPattern: "v*"
workflows:           [...{
	file:   string
	schema: json.#Workflow
}] & [{
	file:   "test.yml"
	schema: test
}, {
	file:   "repository_dispatch.yml"
	schema: repository_dispatch
}, {
	file:   "release.yml"
	schema: release
}, {
	file:   "tip_triggers.yml"
	schema: tip_triggers
}, {
	file:   "new_version_triggers.yml"
	schema: new_version_triggers
}, {
	file:   "mirror.yml"
	schema: mirror
}]
test: _#bashWorkflow & {
	name: "Test"
	on: push: {
		branches: ["**"]
		"tags-ignore": [_#releaseTagPattern]
	}
	jobs: {
		start: {
			"runs-on": _#linuxMachine
			steps:     [..._ & {
				if: "${{ \(_#isCLCITestBranch) }}"
			}] & [_#writeCookiesFile, _#startCLBuild]
		}
		test: {
			needs:     "start"
			strategy:  _#testStrategy
			"runs-on": "${{ matrix.os }}"
			steps: [_#writeCookiesFile, _#installGo, _#checkoutCode, _#cacheGoModules, _#setGoBuildTags & {
				_#tags: "long"
				if:     "${{ \(_#isMaster) }}"
			}, _#goGenerate, _#goTest, _#goTestRace & {
				if: "${{ \(_#isMaster) || \(_#isCLCITestBranch) && matrix.go-version == '\(_#latestStableGo)' && matrix.os == '\(_#linuxMachine)' }}"
			}, _#goReleaseCheck, _#checkGitClean, _#pullThroughProxy, _#failCLBuild]
		}
		mark_ci_success: {
			"runs-on": _#linuxMachine
			if:        "${{ \(_#isCLCITestBranch) }}"
			needs:     "test"
			steps: [_#writeCookiesFile, _#passCLBuild]
		}
		delete_build_branch: {
			"runs-on": _#linuxMachine
			if:        "${{ \(_#isCLCITestBranch) && always() }}"
			needs:     "test"
			steps: [_#step & {
				run: """
							\(_#tempCueckooGitDir)
							git push https://github.com/cuelang/cue :${GITHUB_REF#\(_#branchRefPrefix)}
							"""
			}]
		}
	}

	// _#isCLCITestBranch is an expression that evaluates to true
	// if the job is running as a result of a CL triggered CI build
	_#isCLCITestBranch: "startsWith(github.ref, '\(_#branchRefPrefix)ci/')"

	// _#isMaster is an expression that evaluates to true if the
	// job is running as a result of a master commit push
	_#isMaster:         "github.ref == '\(_#branchRefPrefix+_#masterBranch)'"
	_#pullThroughProxy: _#step & {
		name: "Pull this commit through the proxy on \(_#masterBranch)"
		run: """
			v=$(git rev-parse HEAD)
			cd $(mktemp -d)
			go mod init mod.com
			GOPROXY=https://proxy.golang.org go get -d cuelang.org/go/cmd/cue@$v
			"""
		if: "${{ \(_#isMaster) }}"
	}
	_#startCLBuild: _#step & {
		name: "Update Gerrit CL message with starting message"
		run:  (_#gerrit._#setCodeReview & {
			#args: {
				message: "Started the build... see progress at ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}"
			}
		}).res
	}
	_#failCLBuild: _#step & {
		if:   "${{ \(_#isCLCITestBranch) && failure() }}"
		name: "Post any failures for this matrix entry"
		run:  (_#gerrit._#setCodeReview & {
			#args: {
				message: "Build failed for ${{ runner.os }}-${{ matrix.go-version }}; see ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }} for more details"
				labels: "Code-Review": -1
			}
		}).res
	}
	_#passCLBuild: _#step & {
		name: "Update Gerrit CL message with success message"
		run:  (_#gerrit._#setCodeReview & {
			#args: {
				message: "Build succeeded for ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}"
				labels: "Code-Review": 1
			}
		}).res
	}
	_#gerrit: {
		// _#setCodeReview assumes that it is invoked from a job where
		// _#isCLCITestBranch is true
		_#setCodeReview: {
			#args: {
				tag:     "trybot"
				message: string
				labels?: "Code-Review": int
			}
			res: "\(_#curl) -H \"Content-Type: application/json\" --request POST --data '\(encjson.Marshal(#args))' -b ~/.gitcookies https://cue-review.googlesource.com/a/changes/$(basename $(dirname $GITHUB_REF))/revisions/$(basename $GITHUB_REF)/review"
		}
	}
}
repository_dispatch: _#bashWorkflow & {
	// These constants are defined by github.com/cue-sh/tools/cmd/cueckoo
	_#runtrybot:   "runtrybot"
	_#mirror:      "mirror"
	_#importpr:    "importpr"
	_#unity:       "unity"
	_#dispatchJob: _#job & {
		_#type:    string
		"runs-on": _#linuxMachine
		if:        "${{ github.event.client_payload.type == '\(_#type)' }}"
	}
	name: "Repository Dispatch"
	on: ["repository_dispatch"]
	jobs: {
		"\(_#runtrybot)": _#dispatchJob & {
			_#type: _#runtrybot
			steps: [_#step & {
				name: "Trigger trybot"
				run:  """
								\(_#tempCueckooGitDir)
								git fetch https://cue-review.googlesource.com/cue ${{ github.event.client_payload.payload.ref }}
								git checkout -b ci/${{ github.event.client_payload.payload.changeID }}/${{ github.event.client_payload.payload.commit }} FETCH_HEAD
								git push https://github.com/cuelang/cue ci/${{ github.event.client_payload.payload.changeID }}/${{ github.event.client_payload.payload.commit }}
								"""
			}]
		}
		"\(_#mirror)": _#dispatchJob & {
			_#type: _#mirror
			steps:  _#copybaraSteps & {
				_
				_#name: "Mirror Gerrit to GitHub"
				_#cmd:  "github"
			}
		}
		"\(_#importpr)": _#dispatchJob & {
			_#type: _#importpr
			steps:  _#copybaraSteps & {
				_
				_#name: "Import PR #${{ github.event.client_payload.commit }} from GitHub to Gerrit"
				_#cmd:  "github-pr ${{ github.event.client_payload.payload.pr }}"
			}
		}
	}
}
mirror: _#bashWorkflow & {
	name: "Scheduled repo mirror"
	on: schedule: [{
		cron: "*/30 * * * *"
	}]
	jobs: mirror: {
		"runs-on": _#linuxMachine
		steps:     _#copybaraSteps & {
			_
			_#name: "Mirror Gerrit to GitHub"
			_#cmd:  "github"
		}
	}
}
release: _#bashWorkflow & {
	name: "Release"
	on: push: tags: [_#releaseTagPattern]
	jobs: {
		goreleaser: {
			"runs-on": _#linuxMachine
			steps: [_#checkoutCode & {
				with: "fetch-depth": 0
			}, _#installGo & {
				with: version: _#latestStableGo
			}, _#step & {
				name: "Run GoReleaser"
				env: GITHUB_TOKEN: "${{ secrets.ACTIONS_GITHUB_TOKEN }}"
				uses: "goreleaser/goreleaser-action@v2"
				with: {
					args:    "release --rm-dist"
					version: "v0.155.1"
				}
			}]
		}
		docker: {
			name:      "docker"
			"runs-on": _#linuxMachine
			steps: [_#checkoutCode, _#step & {
				name: "Set version environment"
				run: """
					CUE_VERSION=$(echo ${GITHUB_REF##refs/tags/v})
					echo \"CUE_VERSION=$CUE_VERSION\"
					echo \"CUE_VERSION=$(echo $CUE_VERSION)\" >> $GITHUB_ENV
					"""
			}, _#step & {
				name: "Push to Docker Hub"
				env: {
					DOCKER_BUILDKIT: 1
					GOLANG_VERSION:  1.14
					CUE_VERSION:     "${{ env.CUE_VERSION }}"
				}
				uses: "docker/build-push-action@v1"
				with: {
					tags:           "${{ env.CUE_VERSION }},latest"
					repository:     "cuelang/cue"
					username:       "${{ secrets.DOCKER_USERNAME }}"
					password:       "${{ secrets.DOCKER_PASSWORD }}"
					tag_with_ref:   false
					tag_with_sha:   false
					target:         "cue"
					always_pull:    true
					build_args:     "GOLANG_VERSION=${{ env.GOLANG_VERSION }},CUE_VERSION=v${{ env.CUE_VERSION }}"
					add_git_labels: true
				}
			}]
		}
	}
}
tip_triggers: _#bashWorkflow & {
	name: "Push to tip triggers"
	on: push: branches: [_#masterBranch]
	jobs: push: {
		"runs-on": _#linuxMachine
		steps: [{
			name: "Rebuild tip.cuelang.org"
			run:  "\(_#curl) -X POST -d {} https://api.netlify.com/build_hooks/${{ secrets.CuelangOrgTipRebuildHook }}"
		}, {
			name: "Trigger unity build"
			run:  "echo \(_#curl) -H \"Content-Type: application/json\" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} --request POST --data-binary \"{\"event_type\": \"Check against ${GITHUB_SHA}\", \"client_payload\": {\"type\": \"unity\", \"payload\": {\"versions\": \"\\\"commit:${GITHUB_SHA}\\\"\"}}}\" https://api.github.com/repos/cue-sh/unity/dispatches"
		}]
	}
}
new_version_triggers: _#bashWorkflow & {
	name: "New release triggers"
	on: push: tags: [_#releaseTagPattern]
	jobs: push: {
		"runs-on": _#linuxMachine
		steps: [{
			name: "Rebuild tip.cuelang.org"
			run:  "\(_#curl) -H \"Content-Type: application/json\" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} --request POST --data-binary \"{\"event_type\": \"Re-test post release of ${GITHUB_REF##refs/tags/}\"}\" https://api.github.com/repos/cuelang/cuelang.org/dispatches"
		}, {
			name: "Trigger unity build"
			run:  "\(_#curl) -H \"Content-Type: application/json\" -u cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} --request POST --data-binary \"{\"event_type\": \"Check against CUE ${GITHUB_REF##refs/tags/}\", \"client_payload\": {\"type\": \"unity\", \"payload\": {\"versions\": \"\\\"${GITHUB_REF##refs/tags/}\\\"}}}\" https://api.github.com/repos/cue-sh/unity/dispatches"
		}]
	}
}
_#bashWorkflow: json.#Workflow & {
	jobs: [string]: defaults: run: shell: "bash"
}

// TODO: drop when cuelang.org/issue/390 is fixed.
// Declare definitions for sub-schemas
_#job: ((json.#Workflow & {}).jobs & {
	x: _
}).x
_#step: ((_#job & {
	steps: _
}).steps & [_])[0]

// We need at least go1.14 for code generation
_#codeGenGo: "1.14.14"

// Use a specific latest version for release builds
_#latestStableGo: "1.15.8"
_#linuxMachine:   "ubuntu-18.04"
_#macosMachine:   "macos-10.15"
_#windowsMachine: "windows-2019"
_#testStrategy: {
	"fail-fast": false
	matrix: {
		// Use a stable version of 1.14.x for go generate
		"go-version": [_#codeGenGo, _#latestStableGo, "1.16"]
		os: [_#linuxMachine, _#macosMachine, _#windowsMachine]
	}
}
_#setGoBuildTags: _#step & {
	_#tags: string
	name:   "Set go build tags"
	run:    "go env -w GOFLAGS=-tags=\(_#tags)"
}
_#installGo: _#step & {
	name: "Install Go"
	uses: "actions/setup-go@v2"
	with: {
		"go-version": *"${{ matrix.go-version }}" | string
		stable:       false
	}
}
_#checkoutCode: _#step & {
	name: "Checkout code"
	uses: "actions/checkout@v2"
}
_#cacheGoModules: _#step & {
	name: "Cache Go modules"
	uses: "actions/cache@v1"
	with: {
		path: "~/go/pkg/mod"
		key:  "${{ runner.os }}-${{ matrix.go-version }}-go-${{ hashFiles('**/go.sum') }}"
		"restore-keys": """
			${{ runner.os }}-${{ matrix.go-version }}-go-
			"""
	}
}
_#goGenerate: _#step & {
	name: "Generate"
	run:  "go generate ./..."
	// The Go version corresponds to the precise version specified in
	// the matrix. Skip windows for now until we work out why re-gen is flaky
	if: "matrix.go-version == '\(_#codeGenGo)' && matrix.os != '\(_#windowsMachine)'"
}
_#goTest: _#step & {
	name: "Test"
	run:  "go test ./..."
}
_#goTestRace: _#step & {
	name: "Test with -race"
	run:  "go test -race ./..."
}
_#goReleaseCheck: _#step & {
	name: "gorelease check"
	run:  "go run golang.org/x/exp/cmd/gorelease"
}
_#checkGitClean: _#step & {
	name: "Check that git is clean post generate and tests"
	run:  "test -z \"$(git status --porcelain)\" || (git status; git diff; false)"
}
_#writeCookiesFile: _#step & {
	name: "Write the gitcookies file"
	run:  "echo \"${{ secrets.gerritCookie }}\" > ~/.gitcookies"
}
_#branchRefPrefix: "refs/heads/"
_#tempCueckooGitDir: """
	mkdir tmpgit
	cd tmpgit
	git init
	git config user.name cueckoo
	git config user.email cueckoo@gmail.com
	git config http.https://github.com/.extraheader "AUTHORIZATION: basic $(echo -n cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }} | base64)"
	"""

// The cueckoo/copybara Docker image to use
_#cueckooCopybaraImage: "cueckoo/copybara:afc4ae03eed00b0c9d7415141cd1b5dfa583da7c"

// Define the base command for copybara
_#copybaraCmd: {
	"""
		cd _scripts
		docker run --rm -v $PWD/cache:/root/copybara/cache -v $PWD:/usr/src/app --entrypoint="" \(_#cueckooCopybaraImage) bash -c " \\
		\tset -eu; \\
		\techo \\"${{ secrets.gerritCookie }}\\" > ~/.gitcookies; \\
		\tchmod 600 ~/.gitcookies; \\
		\tgit config --global user.name cueckoo; \\
		\tgit config --global user.email cueckoo@gmail.com; \\
		\tgit config --global http.cookiefile \\$HOME/.gitcookies; \\
		  \techo https://cueckoo:${{ secrets.CUECKOO_GITHUB_PAT }}@github.com > ~/.git-credentials; \\
		\tchmod 600 ~/.git-credentials; \\
		\tjava -jar /opt/copybara/copybara_deploy.jar migrate copy.bara.sky \(_#cmd); \\
		\t"
		"""
	_#cmd: string
}
_#copybaraSteps: {
	let cmdCmd = _#cmd
	[_#checkoutCode, _#step & {
		name: _#name
		run:  _#copybaraCmd & {
			_
			_#cmd: cmdCmd
		}
	}]
	_#name: string
	_#cmd:  string
}
_#curl: "curl -s"