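# CI pipeline (the syntax looks like Woodpecker CI; confirm against the runner).
# It is triggered by pull requests and by pushes to the repository's default
# branch.
when:
  - event: pull_request
  - event: push
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  # Evaluates the flake's checks. Runs on every trigger above, including pull
  # requests, and is given no secrets.
  check:
    # NOTE(review): the tag is mutable; consider pinning the image by digest
    # (image@sha256:<DIGEST_PLACEHOLDER>) so the build and signing environment
    # cannot change underneath the pipeline.
    image: docker.io/nixpkgs/nix-flakes:nixos-25.05
    commands:
      - nix flake check

  # Signs the release using the key and certificate taken from the
  # secure_boot_key and secure_boot_crt secrets.
  sign:
    image: docker.io/nixpkgs/nix-flakes:nixos-25.05
    # Restrict signing to pushes on the default branch. Without this filter the
    # step inherits the pipeline-level triggers and also runs for pull
    # requests, where ./scripts/sign-release.sh is the version from the pull
    # request's checkout and would execute with the signing key in its
    # environment.
    # NOTE(review): whether secrets are injected on pull_request events also
    # depends on each secret's allowed-events setting; confirm it excludes
    # pull_request as a second layer of defence.
    when:
      - event: push
        branch: ${CI_REPO_DEFAULT_BRANCH}
    environment:
      DB_KEY:
        from_secret: secure_boot_key
      DB_CRT:
        from_secret: secure_boot_crt
    commands:
      - ./scripts/sign-release.sh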