cargo-binstall/.github/workflows/release-cli.yml

name: Release CLI
on:
  workflow_call:
    inputs:
      info:
        description: "The release metadata JSON"
        required: true
        type: string
      CARGO_PROFILE_RELEASE_LTO:
        description: "Used to speed up CI"
        required: false
        type: string
      CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
        description: "Used to speed up CI"
        required: false
        type: string

jobs:
  tag:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - if: fromJSON(inputs.info).is-release == 'true'
      name: Push cli release tag
      uses: mathieudutour/github-tag-action@v6.2
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        custom_tag: ${{ fromJSON(inputs.info).version }}
        tag_prefix: v

  keygen:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - uses: cargo-bins/cargo-binstall@main
    - name: Install binaries required
      run: cargo binstall -y --force rsign2 rage
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Create ephemeral keypair
      id: keypair
      env:
        AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
      run: .github/scripts/ephemeral-gen.sh
    - uses: actions/upload-artifact@v4
      with:
        name: minisign.pub
        path: minisign.pub
    - uses: actions/upload-artifact@v4
      with:
        name: minisign.key.age
        path: minisign.key.age
        retention-days: 1
    - name: Check that key can be decrypted
      env:
        AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
      shell: bash
      run: .github/scripts/ephemeral-sign.sh minisign.pub

  package:
    needs:
    - tag
    - keygen
    uses: ./.github/workflows/release-packages.yml
    secrets: inherit
    with:
      publish: ${{ inputs.info }}
      CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
      CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}

  publish:
    needs: package
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/download-artifact@v4
      with:
        name: minisign.pub

    - run: .github/scripts/ephemeral-crate.sh

    - if: fromJSON(inputs.info).is-release != 'true' && fromJSON(inputs.info).crate != ''
      name: DRY-RUN Publish to crates.io
      env:
        crate: ${{ fromJSON(inputs.info).crate }}
        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
      run: cargo publish --dry-run -p "$crate" --allow-dirty --no-default-features
    - if: fromJSON(inputs.info).is-release != 'true' && fromJSON(inputs.info).crate != ''
      name: Upload crate package as artifact
      uses: actions/upload-artifact@v4
      with:
        name: crate-package
        path: target/package/*.crate

    - if: fromJSON(inputs.info).is-release == 'true'
      name: Publish to crates.io
      env:
        crate: ${{ fromJSON(inputs.info).crate }}
        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
      run: cargo publish -p "$crate" --allow-dirty  --no-default-features

    - if: fromJSON(inputs.info).is-release == 'true'
      name: Make release latest
      uses: svenstaro/upload-release-action@v2
      with:
        repo_token: ${{ secrets.GITHUB_TOKEN }}
        release_name: v${{ fromJSON(inputs.info).version }}
        tag: v${{ fromJSON(inputs.info).version }}
        body: ${{ fromJSON(inputs.info).notes }}
        promote: true
        file: minisign.pub

    - if: fromJSON(inputs.info).is-release == 'true'
      name: Delete signing key artifact
      uses: geekyeggo/delete-artifact@v5
      with:
          name: minisign.key.age
          failOnError: false