.github/workflows/build_rust.yaml

name: Rust

on:
  push:
    tags:
      - "v*"
    branches:
      - master
  pull_request:
    branches:
      - master
  release:
    types:
      - created
  workflow_dispatch:

jobs:
  build:
    name: Build for multiple platforms
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
            package_name: linux-x64
          - os: windows-latest
            package_name: windows-x64
          - os: macos-latest
            package_name: macos-aarch64
          - os: macos-13
            package_name: macos-x64

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          override: true

      - name: Install OpenSSL (Windows)
        if: runner.os == 'Windows'
        shell: powershell
        run: |
          echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append
          vcpkg install openssl:x64-windows-static-md

      - name: Install OpenSSL (Macos)
        if: matrix.os == 'macos-latest'
        run: brew install openssl

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-cargo-registry
          restore-keys: |
            ${{ runner.os }}-cargo-registry

      - name: Cache cargo index
        uses: actions/cache@v4
        with:
          path: ~/.cargo/git
          key: ${{ runner.os }}-cargo-index
          restore-keys: |
            ${{ runner.os }}-cargo-index

      - name: Build
        run: cargo build --release

      # - name: Run tests
      #   run: cargo test --release

      - name: Create release directory
        run: mkdir -p release

      - name: Create release system directory
        run: mkdir -p release/${{ matrix.package_name }}

      - name: Copy binary to release directory Windows
        if: matrix.os == 'windows-latest'
        run: cp target/release/eim.exe release/${{ matrix.package_name }}/eim.exe

      - name: Sign Windows Binary
        if: matrix.platform == 'windows-latest'
        env:
          WINDOWS_PFX_FILE: ${{ secrets.WIN_CERTIFICATE }}
          WINDOWS_PFX_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PWD }}
          WINDOWS_SIGN_TOOL_PATH: 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe'
        run: |
          echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII
          certutil -decode cert.b64 cert.pfx
          Remove-Item cert.b64
          & "$env:WINDOWS_SIGN_TOOL_PATH" sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release/${{ matrix.package_name }}/eim.exe

      - name: Copy binary to release directory POSIX
        if: matrix.os != 'windows-latest'
        run: |
          cp target/release/eim release/${{ matrix.package_name }}/eim
          chmod +x release/${{ matrix.package_name }}/eim

      - name: Codesign macOS eim executables
        if: startsWith(matrix.os, 'macos')
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
          /usr/bin/security create-keychain -p espressif build.keychain
          /usr/bin/security default-keychain -s build.keychain
          /usr/bin/security unlock-keychain -p espressif build.keychain
          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
          /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

          /usr/bin/codesign --entitlements eim.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" release/${{ matrix.package_name }}/eim -v
          /usr/bin/codesign -v -vvv --deep release/${{ matrix.package_name }}/eim

      - name: Zip eim executable for notarization
        if: startsWith(matrix.os, 'macos')
        run: |
          cd release/${{ matrix.package_name }}
          zip -r eim.zip eim

      - name: Notarization of macOS eim executables
        # && github.ref == 'refs/heads/master'
        if: startsWith(matrix.os, 'macos')
        env:
          NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
          NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }}
        run: |
          echo "Create notary keychain"
          /usr/bin/security create-keychain -p espressif notary.keychain
          /usr/bin/security default-keychain -s notary.keychain
          /usr/bin/security unlock-keychain -p espressif notary.keychain

          echo "Create keychain profile"
          xcrun notarytool store-credentials "eim-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD
          xcrun notarytool submit release/${{ matrix.package_name }}/eim.zip --keychain-profile "eim-notarytool-profile" --wait

          echo "Unzipping the executable"
          unzip -o release/${{ matrix.package_name }}/eim.zip -d release/${{ matrix.package_name }}

          # echo "Attach staple for eim executable"
          # xcrun stapler staple release/${{ matrix.package_name }}/eim

      - name: Zip artifacts (Windows)
        if: matrix.os == 'windows-latest'
        run: |
          cd release/${{ matrix.package_name }}
          7z a -tzip eim.zip eim.exe

      - name: Zip artifacts (POSIX)
        if: matrix.os != 'windows-latest'
        run: |
          cd release/${{ matrix.package_name }}
          zip -r eim.zip eim

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: eim-${{ github.run_id }}-${{ matrix.package_name }}
          path: release/${{ matrix.package_name }}/eim.zip

      - name: Upload artifact for tag
        if: startsWith(github.ref, 'refs/tags/')
        uses: actions/upload-artifact@v4
        with:
          name: eim-${{ github.ref_name }}-${{ matrix.package_name }}
          path: release/${{ matrix.package_name }}/eim.zip

      - name: Upload Release Asset
        if: github.event_name == 'release' && github.event.action == 'created'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ github.event.release.upload_url }}
          asset_path: release/${{ matrix.package_name }}/eim.zip
          asset_name: eim-${{ github.ref_name }}-${{ matrix.package_name }}.zip
          asset_content_type: application/zip

      - name: Create aarch64-linux build
        if: matrix.os == 'ubuntu-latest'
        run: |
          rustup target add aarch64-unknown-linux-gnu
          cargo install cross
          cross build --target aarch64-unknown-linux-gnu --release
          mkdir -p release/aarch64-unknown-linux-gnu
          cp target/aarch64-unknown-linux-gnu/release/eim release/aarch64-unknown-linux-gnu/eim
          chmod +x release/aarch64-unknown-linux-gnu/eim
          cd release/aarch64-unknown-linux-gnu
          zip -r eim.zip eim

      - name: Upload build artifacts for aarch64-linux
        uses: actions/upload-artifact@v4
        if: matrix.os == 'ubuntu-latest'
        with:
          name: eim-${{ github.run_id }}-linux-arm64
          path: release/aarch64-unknown-linux-gnu/eim.zip

      - name: Upload artifact for tag on aarch64-linux
        if: startsWith(github.ref, 'refs/tags/') && runner.os == 'Linux'
        uses: actions/upload-artifact@v4
        with:
          name: eim-${{ github.ref_name }}-linux-arm64
          path: release/aarch64-unknown-linux-gnu/eim.zip

      - name: Upload Release Asset on aarch64-linux
        if: github.event_name == 'release' && github.event.action == 'created' && runner.os == 'Linux'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ github.event.release.upload_url }}
          asset_path: release/aarch64-unknown-linux-gnu/eim.zip
          asset_name: eim-${{ github.ref_name }}-linux-arm64.zip
          asset_content_type: application/zip

  call-test-workflow:
    needs: build
    uses: ./.github/workflows/test.yml
    with:
      run_id: ${{ github.run_id }}
      ref: ${{ github.event.pull_request.head.ref }}

  fetch-latest-release:
    name: Fetch Latest Release Info
    needs: [build]
    runs-on: ubuntu-latest
    # This ensures the job runs after a release is created or when manually triggered
    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'

    steps:
      - name: Fetch latest release
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ap-east-1
        run: |
          curl -s https://api.github.com/repos/espressif/idf-im-cli/releases/latest > eim_cli_release.json
          echo "Latest release tag: $(jq -r .tag_name eim_cli_release.json)"
          aws s3 cp --acl=public-read "eim_cli_release.json" s3://espdldata/dl/eim/eim_cli_release.json