# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Build & Test

on:
  push:
    paths:
      - ".github/workflows/build.yml"
      - ".github/workflows/docker.yml"
      - "src/**"
      - "schemas/**"
      - "docker/**"
      - "ci/**"

  pull_request:
    paths:
      - ".github/workflows/build.yml"
      - ".github/workflows/docker.yml"
      - "src/**"
      - "schemas/**"
      - "docker/**"
      - "ci/**"

jobs:
  build-win:
    name: Build Windows
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [win-x64, win-arm64]
    with:
      platform: windows-latest
      runtime: ${{ matrix.runtime }}

  build-linux:
    name: Build Linux
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [linux-x64, linux-arm64, linux-arm]
    with:
      platform: ubuntu-latest
      runtime: ${{ matrix.runtime }}

  build-osx:
    name: Build Mac OS
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [osx-x64, osx-arm64]
    with:
      platform: macos-latest
      runtime: ${{ matrix.runtime }}
      # Compression cannot be used on MacOS due to this issue:
      # https://github.com/dotnet/runtime/issues/79267
      publish-args: -NoCompress

  build-musl:
    name: Build MUSL
    secrets: inherit
    uses: ./.github/workflows/reusable-build.yml
    strategy:
      matrix:
        runtime: [linux-musl-x64, linux-musl-arm, linux-musl-arm64]
    with:
      platform: ubuntu-latest
      runtime: ${{ matrix.runtime }}
      publish-args: -NoSingleFile
      skip-test: true

  codesign:
    name: Apple Signing
    runs-on: macos-latest
    if: github.event_name != 'pull_request'
    needs: [build-osx]
    strategy:
      matrix:
        runtime:
          - osx-x64
          - osx-arm64
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Download Artifacts
        uses: actions/download-artifact@v3
        with:
          name: ${{ matrix.runtime }}
          path: publish

      - name: Add Cert to Keychain
        uses: apple-actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.MAC_CERT_BASE64 }}
          p12-password: ${{ secrets.MAC_CERT_PASSWORD }}

      - name: Code Sign
        env:
          CODESIGN_IDENTITY: ${{ secrets.MAC_CODESIGN_IDENTITY }}
        run: >
          codesign --timestamp --no-strict --force
          --options=runtime
          --entitlements ci/codesign/entitlements.plist
          --sign "$CODESIGN_IDENTITY"
          "publish/recyclarr"

      - name: Notarize
        uses: recyclarr/xcode-notarize@main
        with:
          product-path: publish/recyclarr
          appstore-connect-username: ${{ secrets.MAC_DEV_USERNAME }}
          appstore-connect-password: ${{ secrets.MAC_DEV_PASSWORD }}
          primary-bundle-id: dev.recyclarr.cli

      # Cannot staple directly to a binary:
      # https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?language=objc#3087720
      # - name: Staple
      #   run: xcrun stapler staple -v publish/recyclarr

      - name: Upload Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.runtime }}
          path: publish/*

  docker:
    name: Docker
    needs: [build-musl]
    uses: ./.github/workflows/reusable-docker.yml
    secrets: inherit

  release:
    name: Release
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    needs:
      - build-win
      - build-linux
      - codesign # Depends on build-osx
      - docker # Only for preventing a release if docker build & publish fails
    env:
      XZ_OPT: "-T0 -9"
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # avoid shallow clone for GitVersion

      - name: Install GitVersion
        uses: gittools/actions/gitversion/setup@v0
        with:
          versionSpec: 5.x

      - name: Determine Version
        uses: gittools/actions/gitversion/execute@v0
        id: gitversion

      - name: Download Artifacts
        uses: actions/download-artifact@v3
        with:
          path: publish

      - name: Create Archive
        shell: pwsh
        run: >
          ci/CreateArchive.ps1
          -PublishDir publish
          -OutputDir archive

      - name: Extract Changelog
        id: changelog
        uses: ffurrer2/extract-release-notes@v1

      - name: Create Release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.DEPLOY_PAT }}
        with:
          files: archive/*
          body: ${{ steps.changelog.outputs.release_notes }}
          tag_name: ${{ github.event.create.ref }}
          draft: false
          prerelease: ${{ steps.gitversion.outputs.preReleaseTag != '' }}

  # The main purpose of this job is to group all the other jobs together into one single job status
  # that can be set as a requirement to merge pull requests. This is easier than enumerating all
  # jobs in a workflow to ensure they all pass.
  check:
    if: always()
    name: Report Build Status
    needs:
      - build-win
      - build-linux
      - build-osx
      - build-musl
      - codesign
      - docker
      - release
    runs-on: ubuntu-latest
    steps:
      - name: Check if all jobs succeeded
        uses: re-actors/alls-green@release/v1
        with:
          allowed-skips: codesign, release
          jobs: ${{ toJSON(needs) }}