# Publish workflow — publishes release artifacts.
#
# Jobs:
#   - snap: builds and publishes the snap package to the Snap Store.
#   - binaries: builds static musl binaries via Nix and attaches them to the
#     GitHub Release. Runs only on release events (not on push validation).
#
# Triggers:
#   1. workflow_run: After Nix CI passes on main. Builds the snap to validate
#      the packaging pipeline on every push to main. The binaries job is
#      skipped on this trigger.
#
#   2. workflow_dispatch: Triggered by the release-plz workflow after a release
#      is created, or manually for retrying a failed release. Accepts a tag name
#      input and publishes the snap and uploads binaries for that tag.
#
#   3. release (published): Kept as a fallback trigger in case the release is
#      created with a token that fires events (e.g. a PAT or GitHub App token).
#
# Note: release-plz uses GITHUB_TOKEN, so releases it creates do not fire the
# release event (GitHub Actions limitation). The release-plz workflow explicitly
# dispatches this workflow instead.

name: Publish

on:
  workflow_run:
    workflows: ["Nix"]
    types: [completed]
    branches: ["main"]
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Release tag to retry (e.g. v1.2.3)"
        required: true
        type: string

jobs:
  snap:
    name: Snap
    runs-on: ubuntu-latest
    if: |
      github.repository_owner == 'arcuru' &&
      (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
    environment: ${{ (github.event_name == 'release' || github.event_name == 'workflow_dispatch') && 'publish' || '' }}
    steps:
      - name: Resolve ref
        id: ref
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          INPUT_TAG: ${{ inputs.tag_name }}
          RUN_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            echo "ref=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
          elif [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "ref=$INPUT_TAG" >> "$GITHUB_OUTPUT"
          else
            echo "ref=$RUN_SHA" >> "$GITHUB_OUTPUT"
          fi

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.ref.outputs.ref }}

      - name: Set snap version from release tag
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ github.event.release.tag_name || inputs.tag_name }}
        run: |
          VERSION="${TAG#v}"
          sed -i "s/^version: .*/version: \"${VERSION}\"/" snap/snapcraft.yaml

      - uses: snapcore/action-build@d12445ae70c52b1ead8b8a0ac6635f0432af5c80 # v1.3.0
        id: build

      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: snap
          path: ${{ steps.build.outputs.snap }}

      - name: Publish to Snap Store
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        uses: snapcore/action-publish@214b86e5ca036ead1668c79afb81e550e6c54d40 # v1.2.0
        env:
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
        with:
          snap: ${{ steps.build.outputs.snap }}
          release: stable

  binaries:
    name: Binary (${{ matrix.target }})
    runs-on: ${{ matrix.runner }}
    if: |
      github.repository_owner == 'arcuru' &&
      (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            target: x86_64-unknown-linux-musl
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-musl
    steps:
      - name: Resolve tag
        id: tag
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          INPUT_TAG: ${{ inputs.tag_name }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            TAG="$RELEASE_TAG"
          else
            TAG="$INPUT_TAG"
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.tag.outputs.tag }}

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22

      - name: Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13

      - name: Build static binary
        run: nix build -L .#cmprss-static

      - name: Package binary
        id: pkg
        env:
          TAG: ${{ steps.tag.outputs.tag }}
          TARGET: ${{ matrix.target }}
        run: |
          DIR="cmprss-${TAG}-${TARGET}"
          ASSET="${DIR}.tar.gz"
          mkdir "$DIR"
          install -m 0755 result/bin/cmprss "${DIR}/cmprss"
          cp README.md LICENSE.txt "${DIR}/"
          tar -czf "$ASSET" "$DIR"
          sha256sum "$ASSET" > "${ASSET}.sha256"
          echo "asset=$ASSET" >> "$GITHUB_OUTPUT"

      - name: Upload to GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ steps.tag.outputs.tag }}
          ASSET: ${{ steps.pkg.outputs.asset }}
        run: |
          gh release upload "$TAG" "$ASSET" "${ASSET}.sha256" \
            --clobber --repo "$GITHUB_REPOSITORY"