release.yml
# Release workflow: triggered manually or by pushing a version tag.
name: Handle Release

on:
  # Manual run. Both publishing targets are opt-in and default to off.
  workflow_dispatch:
    inputs:
      do_github_release:
        description: 'Perform a GitHub release?'
        required: true
        type: boolean
        default: false
      do_crates_release:
        description: 'Perform a crates.io release?'
        required: true
        type: boolean
        default: false
  # Any pushed tag whose name starts with "v".
  push:
    tags:
      - 'v*'

# Applied to every job in the workflow.
env:
  CARGO_TERM_COLOR: always
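jobs:
  # NOTE(review): every `uses:` reference in this file is a mutable tag. These
  # jobs handle signing identities and registry tokens, so pinning each action
  # to a full commit SHA keeps a re-pointed tag from changing what runs here.

  # Builds the Windows release binary and passes it on as an artifact.
  build-windows:
    runs-on: windows-latest
    # Least privilege: this job only reads the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          # Nothing here pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - name: Build
        run: |
          cargo build --release --bin aplang
      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: windows-binary
          path: target/release/aplang.exe
          # A missing binary should stop the release, not just warn.
          if-no-files-found: error

  # Builds both macOS architectures and merges them into one universal binary.
  build-macos:
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Add Targets
        run: |
          rustup target add aarch64-apple-darwin
          rustup target add x86_64-apple-darwin
      - name: Build x86_64
        run: |
          cargo build --release --bin aplang --target x86_64-apple-darwin
      - name: Build aarch64
        run: |
          cargo build --release --bin aplang --target aarch64-apple-darwin
      - name: Create Fat Binary
        run: |
          mkdir -p out
          lipo -create -output out/aplang \
            target/x86_64-apple-darwin/release/aplang \
            target/aarch64-apple-darwin/release/aplang
      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: macos-binary
          path: out/aplang
          if-no-files-found: error

  # --- JOB: create-pkg ---
  # Signs the universal binary, wraps it in a signed `.pkg`, notarizes and
  # staples it, then uploads the installer as an artifact.
  create-pkg:
    name: Create MacOS `.pkg`
    runs-on: macos-latest
    needs: build-macos
    permissions:
      contents: read
    steps:
      - name: Install Apple Certificates to Keychain
        env:
          APPLICATION_CERT_BASE64: ${{ secrets.APPLE_APPLICATION_CERT }}
          INSTALLER_CERT_BASE64: ${{ secrets.APPLE_INSTALLER_CERT }}
          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
        run: |
          set -euo pipefail
          # Decoded identities contain private keys: keep them owner-only,
          # outside the workspace, and remove them when this step exits.
          umask 077
          APP_P12="$RUNNER_TEMP/application_cert.p12"
          INSTALLER_P12="$RUNNER_TEMP/installer_cert.p12"
          trap 'rm -f "$APP_P12" "$INSTALLER_P12"' EXIT
          # Per-run random keychain password instead of a fixed literal. It is
          # only needed inside this step, so it is never exported.
          TEMP_KEYCHAIN_PASSWORD="$(openssl rand -hex 32)"
          echo "$APPLICATION_CERT_BASE64" | base64 --decode > "$APP_P12"
          echo "$INSTALLER_CERT_BASE64" | base64 --decode > "$INSTALLER_P12"
          # Create and unlock a temporary keychain
          security create-keychain -p "$TEMP_KEYCHAIN_PASSWORD" temp.keychain
          security unlock-keychain -p "$TEMP_KEYCHAIN_PASSWORD" temp.keychain
          # Set temp.keychain as default keychain
          security default-keychain -s temp.keychain
          # Import certificates into the temporary keychain
          security import "$APP_P12" -k temp.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign
          security import "$INSTALLER_P12" -k temp.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign
          # Set the key partition list with explicit unlocking
          security set-key-partition-list -S apple-tool:,apple: -s -k "$TEMP_KEYCHAIN_PASSWORD" temp.keychain
      - name: List Certs
        run: |
          security find-identity -v temp.keychain
      - name: Download macOS binary
        uses: actions/download-artifact@v4
        with:
          name: macos-binary
          path: package-root/
      - name: Setup Build
        run: |
          mkdir -p package-root/
          chmod +x package-root/aplang
          # Only a tag ref carries a version. On a manual run from a branch,
          # GITHUB_REF_NAME is the branch name, so use the 0.0.0 placeholder.
          if [ "$GITHUB_REF_TYPE" = "tag" ]; then
            TAG_VERSION="${GITHUB_REF_NAME#v}"
          else
            TAG_VERSION=""
          fi
          TAG_VERSION="${TAG_VERSION:-0.0.0}"
          echo "TAG_VERSION=$TAG_VERSION" >> "$GITHUB_ENV"
      - name: Sign Application Binary
        run: |
          codesign --keychain temp.keychain \
            --sign "Developer ID Application: Patrick Unick (423YZUTX3G)" \
            --options runtime --deep --force package-root/aplang
      - name: Create `.pkg` Installer
        run: |
          pkgbuild --root package-root --identifier snowfoxsh.aplang \
            --version "$TAG_VERSION" --install-location /usr/local/bin \
            aplang-unsigned.pkg
      - name: Sign the package
        run: |
          # NOTE(review): this passes "$(pwd)/temp.keychain" while every other
          # step uses the bare name "temp.keychain" - confirm which keychain
          # file productsign actually resolves.
          productsign --keychain "$(pwd)/temp.keychain" \
            --sign "Developer ID Installer: Patrick Unick (423YZUTX3G)" \
            aplang-unsigned.pkg aplang.pkg
      - name: Notarize the package
        env:
          APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
        run: |
          # Submit to the notary service and wait for the verdict
          xcrun notarytool submit aplang.pkg --apple-id "$APPLE_ID_EMAIL" \
            --team-id "423YZUTX3G" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait
          # Staple the notarization ticket to the installer
          xcrun stapler staple aplang.pkg
      - name: Upload `.pkg` Artifact
        uses: actions/upload-artifact@v4
        with:
          name: macos-pkg
          path: aplang.pkg
          if-no-files-found: error
      - name: Remove temporary keychain
        # Runs even after a failed step so the signing identities do not
        # outlive the job (matters on a runner that is reused).
        if: always()
        run: |
          security delete-keychain temp.keychain || true

  # Publishes the collected binaries as a GitHub release: on every tag push,
  # or on a manual run with do_github_release ticked (then only as a draft).
  release:
    name: Create GitHub Release
    if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.do_github_release == 'true') }}
    runs-on: ubuntu-latest
    needs: [build-windows, build-macos, create-pkg]
    # The only job that writes to the repository: creating a release needs
    # write access to contents, and nothing else.
    permissions:
      contents: write
    steps:
      - name: Download Windows binary
        uses: actions/download-artifact@v4
        with:
          name: windows-binary
          path: artifacts/windows/
      - name: Download macOS binary
        uses: actions/download-artifact@v4
        with:
          name: macos-binary
          path: artifacts/macos/
      - name: Download macOS pkg
        uses: actions/download-artifact@v4
        with:
          name: macos-pkg
          path: artifacts/macos
      # Listed after the last download so the log shows everything published.
      - name: List Downloaded Files
        run: ls -R artifacts
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          prerelease: true
          generate_release_notes: true
          draft: ${{ github.event_name != 'push' }}
          # Fail rather than publish a release with an asset missing.
          fail_on_unmatched_files: true
          files: |
            artifacts/windows/aplang.exe
            artifacts/macos/aplang
            artifacts/macos/aplang.pkg

  # Publishes the crate to crates.io.
  # NOTE(review): this job has no `needs:`, so it can publish while the binary
  # builds are still running or after they fail; a published version cannot be
  # replaced. Confirm that ordering is intended.
  cargo-publish:
    name: Publish to Crates.io
    runs-on: ubuntu-latest
    # Same gate as the `release` job. Testing the ref alone would publish on a
    # manual run started from a tag even with do_crates_release left unticked.
    if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.do_crates_release == 'true') }}
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Read version from Cargo.toml
        id: cargo_toml_version
        # Third-party action running in the job that later holds the registry
        # token; a prime candidate for pinning to a commit SHA.
        uses: SebRollen/toml-action@v1.2.0
        with:
          file: Cargo.toml
          field: package.version
      - name: Ensure Cargo.toml version matches tag
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          # Passed through the environment, not expanded into the script text,
          # so the value from Cargo.toml is never parsed as shell.
          CARGO_VERSION: ${{ steps.cargo_toml_version.outputs.value }}
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          if [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then
            echo "Error: Tag version ($TAG_VERSION) does not match Cargo.toml version ($CARGO_VERSION)"
            exit 1
          fi
      - name: Publish to crates.io
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        # --allow-dirty is used so the Cargo.lock is always submitted.
        # NOTE(review): it also packages any other uncommitted change made in
        # the working tree by earlier steps of this job.
        run: cargo publish --allow-dirty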