name: CI
on:
  pull_request: {}
  push:
    branches:
      - main
    tags:
      - '*'

jobs:
  macos:
    runs-on: ${{ matrix.MACOS }}
    strategy:
      fail-fast: false
      matrix:
        PYTHON:
          - {VERSION: "3.8", NOXSESSION: "tests"}
          - {VERSION: "3.14", NOXSESSION: "tests"}
          - {VERSION: "3.14t", NOXSESSION: "tests"}
        MACOS:
          - macos-15-intel
          - macos-latest
    name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.MACOS }}"
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Setup python
        id: setup-python
        uses: actions/setup-python@v6.2.0
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
      - uses: actions/cache@v5.0.3
        timeout-minutes: 5
        with:
          path: |
            ~/Library/Caches/pip/
            src/_bcrypt/target/
          key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - run: pip install nox
      - run: nox -v
        env:
          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}

  windows:
    runs-on: ${{ matrix.WINDOWS.RUNNER }}
    strategy:
      fail-fast: false
      matrix:
        WINDOWS:
          - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc', RUNNER: 'windows-latest'}
          - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
          - {ARCH: 'arm64', WINDOWS: 'win-arm64', RUST_TRIPLE: 'aarch64-pc-windows-msvc', RUNNER: 'windows-11-arm'}
        PYTHON:
          - {VERSION: "3.8", NOXSESSION: "tests"}
          - {VERSION: "3.14", NOXSESSION: "tests"}
          - {VERSION: "3.14t", NOXSESSION: "tests"}
        exclude:
          - WINDOWS: {ARCH: 'arm64', WINDOWS: 'win-arm64', RUST_TRIPLE: 'aarch64-pc-windows-msvc'}
            PYTHON: {VERSION: "3.8", NOXSESSION: "tests"}
    name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Setup python
        id: setup-python
        uses: actions/setup-python@v6.2.0
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
          architecture: ${{ matrix.WINDOWS.ARCH }}
      - uses: actions/cache@v5.0.3
        timeout-minutes: 5
        with:
          path: |
            ~/AppData/Local/pip/Cache/
            src/_bcrypt/target/
          key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      - run: pip install nox
      - run: nox -v
        env:
          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
  linux:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        PYTHON:
          - {VERSION: "3.13", NOXSESSION: "pep8,packaging"}
          - {VERSION: "3.13", NOXSESSION: "mypy"}
          - {VERSION: "3.8", NOXSESSION: "tests"}
          - {VERSION: "3.9", NOXSESSION: "tests"}
          - {VERSION: "3.10", NOXSESSION: "tests"}
          - {VERSION: "3.11", NOXSESSION: "tests"}
          - {VERSION: "3.12", NOXSESSION: "tests"}
          - {VERSION: "3.13", NOXSESSION: "tests"}
          - {VERSION: "3.13t", NOXSESSION: "tests"}
          - {VERSION: "3.14", NOXSESSION: "tests"}
          - {VERSION: "3.14t", NOXSESSION: "tests"}
          - {VERSION: "pypy-3.11", NOXSESSION: "tests"}

          # MSRV
          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "1.85"}
          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "beta"}
          - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "nightly"}
    name: "${{ matrix.PYTHON.VERSION }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Setup python
        id: setup-python
        uses: actions/setup-python@v6.2.0
        with:
          python-version: ${{ matrix.PYTHON.VERSION }}
      - uses: actions/cache@v5.0.3
        timeout-minutes: 5
        with:
          path: |
            ~/.cache/pip/
            src/_bcrypt/target/
          key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
        with:
          toolchain: ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}

      - run: pip install nox
      - run: nox -v
        env:
          NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}

  alpine:
    runs-on: ${{ matrix.IMAGE.RUNNER }}
    container:
      image: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
      volumes:
        - /staticnodehost:/staticnodecontainer:rw,rshared
        - /staticnodehost/20:/__e/node20:ro,rshared
        - /staticnodehost/24:/__e/node24:ro,rshared
    strategy:
      fail-fast: false
      matrix:
        IMAGE:
          - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
          - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
    name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
    steps:
      - name: Ridiculous-er workaround for static node20
        run: |
          cp -R /staticnode/* /staticnodecontainer/
      - name: Ridiculous alpine workaround for actions support on arm64
        run: |
          # This modifies /etc/os-release so the JS actions
          # from GH can't detect that it's on alpine:aarch64. It will
          # then use a glibc nodejs, which works fine when gcompat
          # is installed in the container (which it is)
          sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
        if: matrix.IMAGE.IMAGE == 'alpine:aarch64'
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - run: /venv/bin/pip install nox
      - run: /venv/bin/nox -v
        env:
          NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
          RUSTUP_HOME: /root/.rustup
          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}

  linux-distros:
    runs-on: ${{ matrix.IMAGE.RUNNER }}
    container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
    strategy:
      fail-fast: false
      matrix:
        IMAGE:
          - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
          - {IMAGE: "ubuntu-rolling:armv7l", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
    name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - run: /venv/bin/pip install nox
      - run: /venv/bin/nox -v
        env:
          NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
          RUSTUP_HOME: /root/.rustup
          CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}

  all-green:  # This job does nothing and is only used for the branch protection
    if: always()

    needs:
    - macos
    - windows
    - linux
    - alpine
    - linux-distros

    runs-on: ubuntu-latest

    steps:
    - name: Decide whether the needed jobs succeeded or failed
      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
      with:
        jobs: ${{ toJSON(needs) }}