.github/workflows/publish.yml

name: publish

on:
  push:
    branches: ['main']
    tags:
      - 'v*.*.*'

concurrency: ${{ github.ref }}

jobs:
  create-draft-release:
    runs-on: ubuntu-latest
    outputs:
      RELEASE_ID: ${{ steps.create-release.outputs.result }}
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/github-script@v7
        id: create-release
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          script: |
            try {
              const response = await github.rest.repos.createRelease({
                draft: true,
                generate_release_notes: true,
                name: process.env.RELEASE_TAG,
                owner: context.repo.owner,
                prerelease: false,
                repo: context.repo.repo,
                tag_name: process.env.RELEASE_TAG,
              });

              return response.data.id;
            } catch (error) {
              core.setFailed(error.message);
            }

  build-binaries:
    strategy:
      matrix:
        include:
          - runner: macos-latest
            os: darwin
            arch: arm64
          - runner: ubuntu-latest
            os: freebsd
            arch: amd64
          - runner: ubuntu-latest
            os: freebsd
            arch: arm64
          - runner: ubuntu-latest
            os: linux
            arch: amd64
          - runner: ubuntu-latest
            os: linux
            arch: arm64
          - runner: ubuntu-latest
            os: windows
            arch: amd64
          - runner: ubuntu-latest
            os: windows
            arch: arm64
    runs-on: ${{ matrix.runner }}
    needs: [create-draft-release]
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      id-token: write
      packages: write
      statuses: write
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - uses: actions/setup-go@v5
        with:
          go-version: 1.22.x
      - name: Build binary
        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build

      # Sign Windows build
      - name: Set up Java
        uses: actions/setup-java@v4
        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
        with:
          java-version: 17
          distribution: 'temurin'
      - id: 'auth'
        name: Authenticate with Google Cloud
        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
        uses: 'google-github-actions/auth@v2'
        with:
          credentials_json: '${{ secrets.CERTIFICATE_SA_CREDENTIALS }}'
      - name: Set up Cloud SDK
        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
        uses: 'google-github-actions/setup-gcloud@v2'
      - name: Sign windows binary
        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
        run: |
          echo "Downloading jsign.jar"
          curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar
          echo "Verifying jsign.jar checksum"
          echo '05ca18d4ab7b8c2183289b5378d32860f0ea0f3bdab1f1b8cae5894fb225fa8a  jsign.jar' | sha256sum -c
          echo "${{ secrets.CERTIFICATE_CHAIN }}" | base64 --decode > codesign-chain.pem
          set +x
          _filename=adder
          ACCESS_TOKEN=$(gcloud auth print-access-token)
          echo "::add-mask::$ACCESS_TOKEN"
          java -jar jsign.jar \
            --storetype ${{ secrets.CERTIFICATE_STORE_TYPE }} \
            --storepass "$ACCESS_TOKEN" \
            --keystore ${{ secrets.CERTIFICATE_KEYSTORE }} \
            --alias ${{ secrets.CERTIFICATE_KEY_NAME }} \
            --certfile codesign-chain.pem \
            --tsmode RFC3161 \
            --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
            ${_filename}
          unset ACCESS_TOKEN
          set -x
          echo "Signed Windows binary: ${_filename}"
          echo "Cleaning up certificate chain"
          rm -f codesign-chain.pem

      # Sign MacOS build

      - name: Create .app package and sign macos binary
        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'darwin' }}
        run: |
          echo "Decoding and importing Apple certificate..."
          echo -n "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode -o apple_certificate.p12
          security create-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
          security default-keychain -s build.keychain
          security set-keychain-settings -lut 21600 build.keychain
          security unlock-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
          security import apple_certificate.p12 -k build.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
          echo "Packaging adder..."
          mkdir -p Adder.app/Contents/MacOS
          mkdir -p Adder.app/Contents/Resources
          cp adder Adder.app/Contents/MacOS/adder
          chmod +x Adder.app/Contents/MacOS/adder
          cp .github/assets/Adder.icns Adder.app/Contents/Resources
          cat <<EOF > Adder.app/Contents/Info.plist
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>CFBundleExecutable</key>
              <string>adder</string>
              <key>CFBundleIdentifier</key>
              <string>com.blinklabssoftware.adder</string>
              <key>CFBundleName</key>
              <string>Adder</string>
              <key>CFBundleIconFile</key>
              <string>Adder</string>
              <key>CFBundleVersion</key>
              <string>${{ env.RELEASE_TAG }}</string>
              <key>CFBundleShortVersionString</key>
              <string>${{ env.RELEASE_TAG }}</string>
          </dict>
          </plist>
          EOF
          /usr/bin/codesign --force -s "Developer ID Application: Blink Labs Software (${{ secrets.APPLE_TEAM_ID }})" --options runtime Adder.app -v
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.APPLE_ID }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
          ditto -c -k --keepParent "Adder.app" "notarization.zip"
          xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
          xcrun stapler staple "Adder.app"
      - name: Upload release asset
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          _filename=adder-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}
          if [[ "${{ matrix.os }}" == "windows" ]]; then
            _filename=${_filename}.exe
          fi
          if [[ "${{ matrix.os }}" == "windows" || "${{ matrix.os }}" == "linux" || "${{ matrix.os }}" == "freebsd" ]]; then
            cp adder ${_filename}
          fi
          if [[ "${{ matrix.os }}" == "darwin" ]]; then
            _filename=adder-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip
            zip -r ${_filename} Adder.app
          fi
          curl \
            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @${_filename} \
            https://uploads.github.com/repos/${{ github.repository_owner }}/adder/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}

      - name: Attest binary
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'adder'

  build-images:
    runs-on: ubuntu-latest
    needs: [create-draft-release]
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      id-token: write
      packages: write
      statuses: write
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: blinklabs
          password: ${{ secrets.DOCKER_PASSWORD }} # uses token
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            blinklabs/adder
            ghcr.io/${{ github.repository }}
          tags: |
            # Only version, no revision
            type=match,pattern=v(.*)-(.*),group=1
            # branch
            type=ref,event=branch
            # semver
            type=semver,pattern={{version}}
      - name: Build images
        id: push
        uses: docker/build-push-action@v6
        with:
          outputs: "type=registry,push=true"
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Attest Docker Hub image
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: index.docker.io/blinklabs/adder
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
      - name: Attest GHCR image
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
      # Update Docker Hub from README
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: blinklabs
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: blinklabs/adder
          readme-filepath: ./README.md
          short-description: "Adder is a tool for tailing the Cardano blockchain and emitting events"

  finalize-release:
    runs-on: ubuntu-latest
    needs: [create-draft-release, build-binaries, build-images]
    steps:
      - uses: actions/github-script@v7
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            try {
              await github.rest.repos.updateRelease({
                owner: context.repo.owner,
                repo: context.repo.repo,
                release_id: ${{ needs.create-draft-release.outputs.RELEASE_ID }},
                draft: false,
              });
            } catch (error) {
              core.setFailed(error.message);
            }
      # This updates the documentation on pkg.go.dev and the latest version available via the Go module proxy
      - name: Pull new module version
        if: startsWith(github.ref, 'refs/tags/')
        uses: andrewslotin/go-proxy-pull-action@v1.2.0