.github/workflows/release.yml

name: "Build & Release"
on:
  push:
    tags:
      - 'v*.*.*'

permissions:
  contents: write
  packages: write

jobs:
  build-windows:
    name: Build and release Windows
    runs-on: windows-latest
    strategy:
      matrix:
        goos: [ windows ]
        goarch: [ amd64, arm64 ]
    steps:
      - uses: actions/checkout@v4
      - uses: ./
        name: "Common Setup"

      - name: Build
        run: |
          $env:CGO_ENABLED='0'; $env:GOOS='${{ matrix.goos }}'; $env:GOARCH='${{ matrix.goarch }}'; go build -o out/ftb-server-${{ matrix.goos }}-${{ matrix.goarch }}.exe -trimpath -buildvcs=false -ldflags "-s -w -X 'ftb-server-downloader/util.GitCommit=$env:GITHUB_SHA_SHORT' -X 'ftb-server-downloader/util.ReleaseVersion=$env:GITHUB_REF_NAME'"

      - name: Windows Signing
        run: |
          dotnet tool install --global AzureSignTool --version 5.0.0
          azuresigntool sign -kvu ${{ secrets.AZURE_KEY_VAULT_URL }} -kvi ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }} -kvs ${{ secrets.AZURE_KEY_VAULT_CLIENT_SECRET }} -kvc ${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_NAME }} -kvt ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }} -tr http://timestamp.digicert.com -v out\ftb-server-${{ matrix.goos }}-${{ matrix.goarch }}.exe

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-windows-${{ matrix.goarch }}
          path: |
            out/*

  build-macos:
    name: Build and release macOS
    runs-on: macos-latest
    strategy:
      matrix:
        goos: [ darwin ]
        goarch: [ amd64, arm64 ]
    steps:
      - uses: actions/checkout@v4
      - uses: ./
        name: "Common Setup"

      - name: Build
        run: |
          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -o out/ftb-server-${{ matrix.goos }}-${{ matrix.goarch }} -trimpath -buildvcs=false -ldflags "-s -w -X 'ftb-server-downloader/util.GitCommit=$GITHUB_SHA_SHORT' -X 'ftb-server-downloader/util.ReleaseVersion=$GITHUB_REF_NAME'"
          chmod +x out/ftb-server-${{ matrix.goos }}-${{ matrix.goarch }}

      - name: Apple Certificate
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.CSC_LINK }}
          P12_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH > /dev/null
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH > /dev/null
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH > /dev/null

          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH > /dev/null
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH > /dev/null
          security list-keychain -d user -s $KEYCHAIN_PATH > /dev/null

      - name: Codesign & Notarize
        run: |
          codesign -s "5372643C69B1D499BDF6EA772082E9CE99E85029" -v ./out/ftb-server-darwin-${{ matrix.goarch }} --options=runtime --timestamp
          codesign -dv ./out/ftb-server-darwin-${{ matrix.goarch }}
          zip -r ftb-server_signed.zip out/ftb-server-darwin-${{ matrix.goarch }}
          echo "${{secrets.APPLE_API_KEY}}" > apple_api_key.p8
          xcrun notarytool submit "ftb-server_signed.zip" --key "./apple_api_key.p8" --key-id ${{ secrets.APPLE_API_KEY_ID }} --issuer ${{ secrets.APPLE_API_ISSUER }} --wait

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-macos-${{ matrix.goarch }}
          path: |
            out/*


  build-linux:
    name: Build and release Linux
    runs-on: ubuntu-latest
    strategy:
      matrix:
        goos: [ linux, freebsd ]
        goarch: [ amd64, arm64 ]
    steps:
      - uses: actions/checkout@v4
      - uses: ./
        name: "Common Setup"

      - name: Build
        run: |
          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -o out/ftb-server-${{ matrix.goos }}-${{ matrix.goarch }} -trimpath -buildvcs=false -ldflags "-s -w -X 'ftb-server-downloader/util.GitCommit=$GITHUB_SHA_SHORT' -X 'ftb-server-downloader/util.ReleaseVersion=$GITHUB_REF_NAME'"
          chmod +x out/ftb-server-${{ matrix.goos }}-${{ matrix.goarch }}

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-${{ matrix.goos }}-${{ matrix.goarch }}
          path: |
            out/*
  release:
    needs:
      - build-windows
      - build-macos
      - build-linux
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        
      # Windows
      - name: Download windows amd64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-windows-amd64
          path: release/

      - name: Download windows arm64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-windows-arm64
          path: release/

      # Macos
      - name: Download macos amd64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-macos-amd64
          path: release/

      - name: Download macos arm64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-macos-arm64
          path: release/

      # Linux
      - name: Download linux arm64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-linux-arm64
          path: release/

      - name: Download linux amd64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-linux-amd64
          path: release/

      - name: Download freebsd arm64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-freebsd-arm64
          path: release/

      - name: Download freebsd amd64 artifact
        uses: actions/download-artifact@v4
        with:
          name: release-freebsd-amd64
          path: release/

      - name: Create latest.json
        if: "!contains(github.ref_name, 'beta')"
        shell: bash
        run: |
          echo "{\"version\": \"$GITHUB_REF_NAME\", \"commit\": \"$GITHUB_SHA_SHORT\"}" > latest.json

      - name: Get B2 client
        if: "!contains(github.ref_name, 'beta')"
        shell: bash
        run: |
          wget -q -O /usr/local/bin/b2 https://github.com/Backblaze/B2_Command_Line_Tool/releases/latest/download/b2-linux
          chmod +x /usr/local/bin/b2

      - name: Upload
        if: "!contains(github.ref_name, 'beta')"
        shell: bash
        run: |
          ls -la release
          b2 authorize-account ${{ secrets.AWS_ACCESS_KEY_ID }} ${{ secrets.AWS_SECRET_ACCESS_KEY }} > /dev/null 2>&1
          b2 sync --replace-newer --no-progress latest.json b2://${{ secrets.PUBLISH_BUCKET }}/bin/server-installer/
          b2 sync --replace-newer --no-progress release b2://${{ secrets.PUBLISH_BUCKET }}/bin/server-installer/latest/
          b2 sync --replace-newer --no-progress release b2://${{ secrets.PUBLISH_BUCKET }}/bin/server-installer/$GITHUB_REF_NAME/

      # Release to GitHub
      - name: Github Release
        if: "!contains(github.ref_name, 'beta')"
        env:
          GH_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          gh release create $GITHUB_REF_NAME --title $GITHUB_REF_NAME --notes "Latest version of the server installer" --generate-notes release/*

      - name: Github PreRelease
        if: "contains(github.ref_name, 'beta')"
        env:
          GH_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          gh release create $GITHUB_REF_NAME --prerelease --title $GITHUB_REF_NAME --notes "Latest version of the server installer" --generate-notes release/*