# Release: on a version tag, build the static Linux binary (D2) and publish it
# to a Gitea release with a checksum. Runs in the same prebuilt CI image as the
# gate, so the pinned toolchain + musl target/cc are already warm.
#
# Scope: x86_64-unknown-linux-musl only, for now. The rest of the D1 matrix
# (aarch64, macOS, Windows) and the D3 package-manager manifests layer on later,
# step by step.
#
# Tests run here before the build so a tag can never publish untested code,
# even one pointing at a commit that was never gated on a branch.
name: release
on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ci-public
    container:
      image: git.lazyeval.net/oli/rdbms-playground-ci:latest
    env:
      TARGET: x86_64-unknown-linux-musl
    steps:
      - uses: actions/checkout@v4

      - name: test
        run: nix develop -c cargo test --no-fail-fast

      - name: build static binary
        run: nix develop -c cargo build --release --target "$TARGET"

      - name: package artifacts
        # Pin bash: the runner defaults scripted steps to dash, which rejects
        # `set -o pipefail`. bash is in the CI image.
        shell: bash
        run: |
          set -euo pipefail
          BIN="target/$TARGET/release/rdbms-playground"
          ls -l "$BIN"
          OUT="rdbms-playground-${{ github.ref_name }}-$TARGET"
          mkdir -p dist
          cp "$BIN" "dist/$OUT"
          ( cd dist && sha256sum "$OUT" > "$OUT.sha256" )
          ls -l dist

      - name: publish gitea release + assets
        shell: bash
        env:
          # Auto-provided by Gitea Actions; has repo write (release) scope.
          TOKEN: ${{ secrets.GITEA_TOKEN }}
          API: ${{ github.server_url }}/api/v1
          REPO: ${{ github.repository }}
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          # Create the release for this tag; if it already exists, look it up.
          created=$(curl -sS -X POST "$API/repos/$REPO/releases" \
            -H "Authorization: token $TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"$TAG\",\"body\":\"Automated release for $TAG.\"}")
          id=$(printf '%s' "$created" | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{try{const o=JSON.parse(s);process.stdout.write(String(o.id||""))}catch(e){}})')
          if [ -z "$id" ]; then
            id=$(curl -sS "$API/repos/$REPO/releases/tags/$TAG" \
              -H "Authorization: token $TOKEN" \
              | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{process.stdout.write(String(JSON.parse(s).id))})')
          fi
          echo "release id: $id"
          for f in dist/*; do
            name=$(basename "$f")
            echo "uploading $name"
            curl -sS -X POST "$API/repos/$REPO/releases/$id/assets?name=$name" \
              -H "Authorization: token $TOKEN" \
              -F "attachment=@$f" > /dev/null
          done
          echo "published $TAG"