name: "Prepare release artifacts"

on:
  push:
    tags: [ "v*" ]

permissions:
  id-token: write
  contents: read
  attestations: write
  packages: write

jobs:
  artifact-builder-x86:
    name: "Prepare release artifacts (x86)"
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    container:
      image: "alpine:edge"
    steps:
      - uses: actions/checkout@v1 # v2 does not work with containers
      - name: "Install build dependencies"
        run: |
          apk add --no-cache gcc go zstd
      - name: "Create and package build tree"
        run: |
          ./build.sh --builddir ~/package-output/ --static build
          ver=$(cat .version)
          if [ "v$ver" != "${{github.ref_name}}" ]; then echo ".version does not match the Git tag"; exit 1; fi
          mv ~/package-output/ ~/maddy-$ver-x86_64-linux-musl
          cd ~
          tar c ./maddy-$ver-x86_64-linux-musl | zstd > ~/maddy-x86_64-linux-musl.tar.zst
          cd -
      - name: "Save source tree"
        run: |
          rm -rf .git
          ver=$(cat .version)
          cp -r . ~/maddy-$ver-src
          cd ~
          tar c ./maddy-$ver-src | zstd > ~/maddy-src.tar.zst
          cd -
      - name: "Upload source tree"
        uses: actions/upload-artifact@v4
        with:
          name: maddy-src.tar.zst
          path: '~/maddy-src.tar.zst'
          if-no-files-found: error
      - name: "Upload binary tree"
        uses: actions/upload-artifact@v4
        with:
          name: maddy-binary.tar.zst
          path: '~/maddy-x86_64-linux-musl.tar.zst'
          if-no-files-found: error
      - name: "Generate artifact attestation"
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: '~/maddy-x86_64-linux-musl.tar.zst'
  artifact-builder-arm:
    name: "Prepare release artifacts (aarch64)"
    if: github.ref_type == 'tag'
    runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Building in a Docker container is a workaround for the issue of
      # JavaScript-based GitHub Actions not being supported in Alpine
      # containers on the Arm64 platform. Otherwise, we could completely reuse
      # artifact-builder-x86 as a matrix job by running it on an Arm runner.
      - name: Build in Docker container
        run: |
          # Create Dockerfile for the build
          cat > Dockerfile << 'EOF'
          FROM alpine:edge
          RUN apk add --no-cache gcc go zstd musl-dev scdoc
          WORKDIR /build
          COPY . .
          RUN ./build.sh --builddir /package-output/ --static build && \
              ver=$(cat .version) && \
              if [ "v$ver" != "${{github.ref_name}}" ]; then echo ".version does not match the Git tag"; exit 1; fi && \
              mv /package-output/ /maddy-$ver-aarch64-linux-musl && \
              cd / && \
              tar c ./maddy-$ver-aarch64-linux-musl | zstd > /maddy-aarch64-linux-musl.tar.zst
          EOF
          # Build the image, create a temporary container and copy the artifact.
          docker build -t maddy-builder .
          container_id=$(docker create maddy-builder)
          docker cp $container_id:/maddy-aarch64-linux-musl.tar.zst .
          docker rm $container_id
      - name: Upload binary tree
        uses: actions/upload-artifact@v4
        with:
          name: maddy-binary-aarch64.tar.zst
          path: maddy-aarch64-linux-musl.tar.zst
          if-no-files-found: error
      - name: "Generate artifact attestation"
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'maddy-aarch64-linux-musl.tar.zst'
  docker-builder:
    name: "Build & push Docker image"
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: "Set up QEMU"
        uses: docker/setup-qemu-action@v1
        with:
          platforms: arm64
      - name: "Set up Docker Buildx"
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          logout: false
      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v3
        with:
          registry: "ghcr.io"
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          logout: false # https://news.ycombinator.com/item?id=28607735
      - name: "Generate container metadata"
        uses: docker/metadata-action@v5
        id: meta
        with:
          images: |
            foxcpp/maddy
            ghcr.io/foxcpp/maddy
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
          labels: |
            org.opencontainers.image.title=Maddy Mail Server
            org.opencontainers.image.documentation=https://maddy.email/docker/
            org.opencontainers.image.url=https://maddy.email
      - name: "Build and push"
        uses: docker/build-push-action@v6
        id: docker
        with:
          context: .
          platforms: linux/amd64 #,linux/arm64  Temporary disabled due to SIGSEGV in gcc.
          file: Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: "Generate container attestation"
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/foxcpp/maddy
          subject-digest: ${{ steps.docker.outputs.digest }}
          push-to-registry: true