.github/workflows/publish.yml

name: Publish

# Controls when the action will run.
on:
  # Triggers the workflow on new SemVer tags
  push:
    branches:
      - master
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-**'

concurrency:
  group: ${{ github.workflow }}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Test
        uses: ./.github/actions/test
  docker:
    runs-on: ubuntu-latest
    needs: [ test ]
    permissions:
      packages: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/metadata-action@v5
        name: generate tags
        id: meta
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=sha,prefix=
            type=semver,pattern={{version}}
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: ./docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
  build-linux:
    runs-on: ubuntu-latest
    needs: [ test ]
    strategy:
      matrix:
        go-arch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Setup
        run: |
          sudo apt update
          go generate ./...
          if [ ${{ matrix.go-arch }} == "arm64" ]; then
            sudo apt install -y gcc-aarch64-linux-gnu
            echo "CC=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
          fi
      - name: Build ${{ matrix.go-arch }}
        env:
          CGO_ENABLED: 1
          GOOS: linux
          GOARCH: ${{ matrix.go-arch }}
        run: |
          mkdir -p release
          ZIP_OUTPUT=release/hostd_${GOOS}_${GOARCH}.zip
          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w -linkmode external -extldflags "-static"' ./cmd/hostd
          cp README.md LICENSE bin/
          zip -qj $ZIP_OUTPUT bin/*
      - uses: actions/upload-artifact@v4
        with:
          name: hostd_linux_${{ matrix.go-arch }}
          path: release/*
  build-mac:
    runs-on: macos-latest
    needs: [ test ]
    strategy:
      matrix:
        go-arch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Setup
        env:
          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # extract apple cert
          APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH

          # extract apple key
          mkdir -p ~/private_keys
          APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8
          echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH

          # create temp keychain
          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security default-keychain -s $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import keychain
          security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security find-identity -v $KEYCHAIN_PATH -p codesigning
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH

          # generate
          go generate ./...

          # resync system clock https://github.com/actions/runner/issues/2996#issuecomment-1833103110
          sudo sntp -sS time.windows.com
      - name: Build ${{ matrix.go-arch }}
        env:
          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
          CGO_ENABLED: 1
          GOOS: darwin
          GOARCH: ${{ matrix.go-arch }}
        run: |
          ZIP_OUTPUT=release/hostd_${GOOS}_${GOARCH}.zip
          mkdir -p release
          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/hostd
          cp README.md LICENSE bin/
          /usr/bin/codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd
          ditto -ck bin $ZIP_OUTPUT
          xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT
      - uses: actions/upload-artifact@v4
        with:
          name: hostd_darwin_${{ matrix.go-arch }}
          path: release/*
  build-windows:
    runs-on: windows-latest
    needs: [ test ]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Setup
        shell: bash
        run: |
          dotnet tool install --global AzureSignTool
          go generate ./...
      - name: Build amd64
        env:
          CGO_ENABLED: 1
          GOOS: windows
          GOARCH: amd64
        shell: bash
        run: |
          mkdir -p release
          ZIP_OUTPUT=release/hostd_${GOOS}_${GOARCH}.zip
          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w -linkmode external -extldflags "-static"' ./cmd/hostd
          azuresigntool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v bin/hostd.exe
          cp README.md LICENSE bin/
          7z a $ZIP_OUTPUT ./bin/*
      - uses: actions/upload-artifact@v4
        with:
          name: hostd_windows_amd64
          path: release/*
  combine-release-assets:
    runs-on: ubuntu-latest
    needs: [ build-linux, build-mac, build-windows ]
    steps:
      - name: Merge Artifacts
        uses: actions/upload-artifact/merge@v4
        with:
          name: hostd

  dispatch-homebrew: # only runs on full releases
    if: startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')
    needs: [ build-mac ]
    runs-on: ubuntu-latest
    steps:
      - name: Extract Tag Name
        id: get_tag
        run: echo "::set-output name=tag_name::${GITHUB_REF#refs/tags/}"

      - name: Dispatch
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.PAT_REPOSITORY_DISPATCH }}
          repository: siafoundation/homebrew-sia
          event-type: release-tagged
          client-payload: >
            {
              "description": "hostd: The Next-Gen Sia Host",
              "tag": "${{ steps.get_tag.outputs.tag_name }}",
              "project": "hostd",
              "workflow_id": "${{ github.run_id }}"
            }
  dispatch-linux: # always runs
    needs: [ build-linux ]
    runs-on: ubuntu-latest
    steps:
      - name: Build Dispatch Payload
        id: get_payload
        uses: actions/github-script@v7
        with:
          script: |
            const isRelease = context.ref.startsWith('refs/tags/v'),
              isBeta = isRelease && context.ref.includes('-beta'),
              tag = isRelease ? context.ref.replace('refs/tags/', '') : 'master';

            let component = 'nightly';
            if (isBeta) {
              component = 'beta';
            } else if (isRelease) {
              component = 'main';
            }

            return {
              description: "hostd: The Next-Gen Sia Host",
              tag: tag,
              project: "hostd",
              workflow_id: context.runId,
              component: component
            };

      - name: Dispatch
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.PAT_REPOSITORY_DISPATCH }}
          repository: siafoundation/linux
          event-type: release-tagged
          client-payload: ${{ steps.get_payload.outputs.result }}