check

Jan bump #5199

	# SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
	#
	# SPDX-License-Identifier: Apache-2.0

	name: check
	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main
	permissions:
	contents: read

	jobs:
	run-checks:
	runs-on: ubuntu-latest
	steps:
	- name: Harden the runner (Audit all outbound calls)
	uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
	with:
	persist-credentials: false
	- name: Install nix
	uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
	- name: Check nix flake show runs successfully
	run: nix flake show --all-systems --accept-flake-config
	- name: Check templates
	run: \|
	set -eux -o pipefail
	tmp_flakes=$(mktemp -d)
	cleanup() { rm -rf "$tmp_flakes"; }
	trap cleanup EXIT
	nix eval --json --apply builtins.attrNames .#templates --accept-flake-config \| jq -r '.[]' \| while IFS=$'\t' read -r name; do
	nix flake new -t ".#$name" "${tmp_flakes}/${name}";
	if [[ "$name" == "ghaf-module" ]]; then
	nix-instantiate --parse "${tmp_flakes}/${name}/default.nix"
	else
	nix flake show "${tmp_flakes}/${name}" --accept-flake-config
	fi
	done

Provide feedback