name: Build packages for release

on:
  workflow_call:
    inputs:
      publish:
        description: "The release metadata JSON"
        required: true
        type: string
      CARGO_PROFILE_RELEASE_LTO:
        description: "Used to speed up CI"
        required: false
        type: string
      CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
        description: "Used to speed up CI"
        required: false
        type: string

env:
  CARGO_TERM_COLOR: always
  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
  JUST_TIMINGS: true

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - { o: macos-14,   t: x86_64-apple-darwin,                    r: true          }
          - { o: macos-14,   t: x86_64h-apple-darwin,                                    }
          - { o: macos-14,   t: aarch64-apple-darwin                                     }
          - { o: ubuntu-latest,  t: x86_64-unknown-linux-gnu,      g: 2.17, r: true, c: true }
          - { o: ubuntu-latest,  t: armv7-unknown-linux-gnueabihf, g: 2.17,          c: true }
          - { o: ubuntu-latest,  t: aarch64-unknown-linux-gnu,     g: 2.17,          c: true }
          - { o: ubuntu-latest,  t: x86_64-unknown-linux-musl,              r: true, c: true }
          - { o: ubuntu-latest,  t: armv7-unknown-linux-musleabihf,                  c: true }
          - { o: ubuntu-latest,  t: aarch64-unknown-linux-musl,                      c: true }
          - { o: windows-latest, t: x86_64-pc-windows-msvc,                 r: true          }
          - { o: windows-latest, t: aarch64-pc-windows-msvc                                  }

    name: ${{ matrix.t }}
    runs-on: ${{ matrix.o }}
    permissions:
      contents: write
    env:
      CARGO_BUILD_TARGET: ${{ matrix.t }}
      GLIBC_VERSION: ${{ matrix.g }}
      JUST_USE_CARGO_ZIGBUILD: ${{ matrix.c }}
      JUST_FOR_RELEASE: true
      JUST_USE_AUDITABLE: true
      JUST_ENABLE_H3: true

    steps:
    - uses: actions/checkout@v4

    - name: Override release profile lto settings
      if: inputs.CARGO_PROFILE_RELEASE_LTO
      run: echo "CARGO_PROFILE_RELEASE_LTO=${{ inputs.CARGO_PROFILE_RELEASE_LTO }}" >> "$GITHUB_ENV"

    - name: Override release profile codegen-units settings
      if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS
      run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV"

    - uses: ./.github/actions/just-setup
      with:
        tools: cargo-auditable,rsign2,rage
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - run: just toolchain rust-src

    - uses: actions/download-artifact@v4
      with:
        name: minisign.pub
    - run: just package
    - if: runner.os == 'Windows'
      run: Get-ChildItem packages/
    - if: runner.os != 'Windows'
      run: ls -shal packages/

    - name: Ensure release binary is runnable
      if: "matrix.r"
      run: just e2e-tests
      env:
        GITHUB_TOKEN: ${{ secrets.CI_RELEASE_TEST_GITHUB_TOKEN }}

    - uses: actions/download-artifact@v4
      with:
        name: minisign.key.age
    - name: Sign package
      env:
        AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
      shell: bash
      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*

    - if: fromJSON(inputs.publish).is-release == 'true'
      name: Upload to release
      uses: svenstaro/upload-release-action@v2
      with:
        repo_token: ${{ secrets.GITHUB_TOKEN }}
        release_name: v${{ fromJSON(inputs.publish).version }}
        tag: v${{ fromJSON(inputs.publish).version }}
        body: ${{ fromJSON(inputs.publish).notes }}
        file: packages/cargo-binstall-*
        file_glob: true
        prerelease: true
    - if: "fromJSON(inputs.publish).is-release != 'true' || runner.os == 'macOS'"
      name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: ${{ matrix.t }}
        path: packages/cargo-binstall-*
        retention-days: 1

    - name: Upload timings
      uses: actions/upload-artifact@v4
      with:
        name: ${{ matrix.t }}-cargo-timings
        path: target/cargo-timings
        retention-days: 1

  lipo:
    needs: build
    name: universal-apple-darwin
    permissions:
      contents: write
    runs-on: macos-14
    env:
      JUST_FOR_RELEASE: true

    steps:
    - uses: actions/checkout@v4

    - uses: taiki-e/install-action@v2
      with:
        tool: just,rsign2,rage
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - uses: actions/download-artifact@v4
      with:
        name: x86_64h-apple-darwin
        path: packages/
    - uses: actions/download-artifact@v4
      with:
        name: x86_64-apple-darwin
        path: packages/
    - uses: actions/download-artifact@v4
      with:
        name: aarch64-apple-darwin
        path: packages/

    - uses: actions/download-artifact@v4
      with:
        name: minisign.pub
    - run: ls -shalr packages/
    - run: just repackage-lipo
    - run: ls -shal packages/

    - uses: actions/download-artifact@v4
      with:
        name: minisign.key.age
    - env:
        AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
      shell: bash
      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*

    - if: fromJSON(inputs.publish).is-release == 'true'
      name: Upload to release
      uses: svenstaro/upload-release-action@v2
      with:
        repo_token: ${{ secrets.GITHUB_TOKEN }}
        tag: v${{ fromJSON(inputs.publish).version }}
        release_name: v${{ fromJSON(inputs.publish).version }}
        body: ${{ fromJSON(inputs.publish).notes }}
        file: packages/cargo-binstall-universal-*
        file_glob: true
        overwrite: true
        prerelease: true
    - if: fromJSON(inputs.publish).is-release != 'true'
      name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: universal-apple-darwin
        path: packages/cargo-binstall-universal-*
        retention-days: 1