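# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

# Builds the project for Windows, Linux and macOS through the reusable build
# workflow, code-signs and notarizes the macOS binaries, runs the reusable
# Docker workflow, publishes a GitHub release for `v*` tags, and reports one
# aggregate status that can be required for merging pull requests.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN runs with
# the repository/organization default scopes. Consider declaring
# least-privilege permissions once the needs of the reusable workflows are
# confirmed.
name: Build & Test

on:
  push:
    paths:
      - ".github/workflows/build.yml"
      - ".github/workflows/reusable-docker.yml"
      - ".github/workflows/reusable-build.yml"
      - "src/**"
      - "tests/**"
      - "docker/**"
      - "ci/**"
      - "**.props"
      - "**.targets"
  pull_request:
    paths:
      - ".github/workflows/build.yml"
      - ".github/workflows/reusable-docker.yml"
      - ".github/workflows/reusable-build.yml"
      - "src/**"
      - "tests/**"
      - "docker/**"
      - "ci/**"
      - "**.props"
      - "**.targets"

jobs:
  #############################################
  build-win:
    name: Build Windows
    # NOTE(review): `secrets: inherit` hands every secret available to this
    # workflow to the called workflow. Passing only the secrets the callee
    # reads would narrow exposure; confirm against reusable-build.yml. The
    # same applies to build-linux, build-osx and docker below.
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [win-x64, win-arm64]
    with:
      platform: windows-latest
      runtime: ${{ matrix.runtime }}

  #############################################
  build-linux:
    name: Build Linux
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [linux-x64, linux-arm64, linux-arm]
    with:
      platform: ubuntu-latest
      runtime: ${{ matrix.runtime }}

  #############################################
  build-osx:
    name: Build Mac OS
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [osx-x64, osx-arm64]
    with:
      platform: macos-latest
      runtime: ${{ matrix.runtime }}

  #############################################
  codesign:
    name: Apple Signing
    runs-on: macos-latest
    # Ignore pull requests & non-master branches
    if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')
    needs: [build-osx]
    strategy:
      matrix:
        runtime:
          - osx-x64
          - osx-arm64
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Download Artifacts
        uses: ./.github/actions/download-tar
        with:
          name: ${{ matrix.runtime }}
          path: publish

      - name: Add Cert to Keychain
        # todo: Switch back to upstream when this is merged:
        # https://github.com/Apple-Actions/import-codesign-certs/pull/58
        #
        # NOTE(review): this step receives the signing certificate and its
        # password while tracking a mutable branch (`@master`). Pin it to a
        # full commit SHA so the code handling these secrets cannot change
        # without a reviewed update.
        uses: recyclarr/import-codesign-certs@master
        with:
          p12-file-base64: ${{ secrets.MAC_CERT_BASE64 }}
          p12-password: ${{ secrets.MAC_CERT_PASSWORD }}

      - name: Code Sign
        env:
          CODESIGN_IDENTITY: ${{ secrets.MAC_CODESIGN_IDENTITY }}
        run: >
          codesign --timestamp --no-strict --force
          --options=runtime
          --entitlements ci/codesign/entitlements.plist
          --sign "$CODESIGN_IDENTITY"
          "publish/recyclarr"

      - name: Notarize
        # Credentials are passed through `env` and expanded by the shell
        # inside double quotes, matching the Code Sign step. Templating
        # `${{ secrets.* }}` straight into the script text would let quotes,
        # `$` or backticks in a value change the command that runs.
        # NOTE(review): the values still reach ci/notarize.sh as arguments;
        # having the script read them from the environment would keep them
        # out of argv. Confirm against the script.
        env:
          MAC_DEV_USERNAME: ${{ secrets.MAC_DEV_USERNAME }}
          MAC_DEV_PASSWORD: ${{ secrets.MAC_DEV_PASSWORD }}
        run: >-
          ci/notarize.sh
          "$MAC_DEV_USERNAME"
          "$MAC_DEV_PASSWORD"
          AVLRN599D8
          publish/recyclarr

      # Cannot staple directly to a binary:
      # https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?language=objc#3087720
      # - name: Staple
      #   run: xcrun stapler staple -v publish/recyclarr

      - name: Upload Artifacts
        uses: ./.github/actions/upload-tar
        with:
          name: ${{ matrix.runtime }}
          path: publish

  #############################################
  docker:
    name: Docker
    needs: [build-win, build-linux, build-osx]
    uses: ./.github/workflows/reusable-docker.yml
    secrets: inherit

  #############################################
  release:
    name: Release
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    needs:
      - build-win
      - build-linux
      - codesign  # Depends on build-osx
      - docker  # Only for preventing a release if docker build & publish fails
    env:
      XZ_OPT: "-T0 -9"
    # NOTE(review): the third-party actions in this job are referenced by
    # mutable tags (`@v0`, `@v1`), and the release step is handed DEPLOY_PAT.
    # Pinning them to full commit SHAs would fix the code that runs in the
    # release path.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # avoid shallow clone for GitVersion

      - name: Install GitVersion
        uses: gittools/actions/gitversion/setup@v0
        with:
          versionSpec: 6.x
          includePrerelease: true

      - name: Determine Version
        uses: gittools/actions/gitversion/execute@v0
        id: gitversion

      - name: Download Artifacts
        uses: ./.github/actions/download-tar
        with:
          path: publish

      - name: Create Archive
        shell: pwsh
        run: >
          ci/CreateArchive.ps1
          -PublishDir publish
          -OutputDir archive

      - name: Extract Changelog
        id: changelog
        uses: ffurrer2/extract-release-notes@v1

      - name: Create Release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.DEPLOY_PAT }}
        with:
          files: |
            archive/**/recyclarr-*.zip
            archive/**/recyclarr-*.tar.xz
          body: ${{ steps.changelog.outputs.release_notes }}
          # NOTE(review): this workflow is triggered by `push` and
          # `pull_request`, not `create`, so `github.event.create.ref` is
          # presumably empty and the action falls back to its default tag.
          # Confirm, and consider `github.ref_name` to make the tag explicit.
          tag_name: ${{ github.event.create.ref }}
          draft: false
          prerelease: ${{ steps.gitversion.outputs.preReleaseTag != '' }}

  #############################################
  # The main purpose of this job is to group all the other jobs together into one single job status
  # that can be set as a requirement to merge pull requests. This is easier than enumerating all
  # jobs in a workflow to ensure they all pass.
  check:
    # Run even when an upstream job failed or was skipped, so a status is
    # always reported.
    if: always()
    name: Report Build Status
    needs:
      - build-win
      - build-linux
      - build-osx
      - codesign
      - docker
      - release
    runs-on: ubuntu-latest
    steps:
      - name: Check if all jobs succeeded
        uses: re-actors/alls-green@release/v1
        with:
          # codesign and release are conditional on the ref (see their `if:`),
          # so a skip of either is not treated as a failure.
          allowed-skips: codesign, release
          jobs: ${{ toJSON(needs) }}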