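# Release workflow: runs on every pushed tag matching "v*". The scan, lint,
# CodeQL and spellcheck jobs gate the `release` job, which builds the nodecar
# sidecar and the Tauri app per matrix target and publishes a GitHub release
# for the tag.
name: Release

on:
  push:
    tags:
      - "v*"

# Only non-secret settings live at workflow level. The updater signing key is
# scoped to the single step that bundles the app (see "Build Tauri app"), so
# dependency installs and build scripts in earlier steps never see it.
env:
  STABLE_RELEASE: "true"

jobs:
  security-scan:
    name: Security Vulnerability Scan
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@90b209d0ea55cea1da9fc0c4e65782cc6acb6e2e" # v2.2.2
    with:
      # One argument per line; all three lockfiles are scanned.
      scan-args: |-
        -r
        --skip-git
        --lockfile=pnpm-lock.yaml
        --lockfile=src-tauri/Cargo.lock
        --lockfile=nodecar/pnpm-lock.yaml
        ./
    permissions:
      security-events: write
      contents: read
      actions: read

  # NOTE(review): `secrets: inherit` hands every repository secret, including
  # the signing key and its password, to each called workflow below. The
  # called workflows are not visible here; if they need no secrets, drop
  # `secrets: inherit`, otherwise pass only the named secrets they use.
  lint-js:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
    permissions:
      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
    permissions:
      contents: read

  codeql:
    name: CodeQL
    uses: ./.github/workflows/codeql.yml
    secrets: inherit
    permissions:
      security-events: write
      contents: read
      packages: read
      actions: read

  spellcheck:
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
    permissions:
      contents: read

  release:
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
    # contents: write is required to create the release and upload assets.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: "macos-latest"
            args: "--target aarch64-apple-darwin --verbose"
            arch: "aarch64"
            target: "aarch64-apple-darwin"
            pkg_target: "latest-macos-arm64"
            nodecar_script: "build:mac-aarch64"
          - platform: "macos-latest"
            args: "--target x86_64-apple-darwin --verbose"
            arch: "x86_64"
            target: "x86_64-apple-darwin"
            pkg_target: "latest-macos-x64"
            nodecar_script: "build:mac-x86_64"
          - platform: "ubuntu-22.04"
            args: "--target x86_64-unknown-linux-gnu --verbose"
            arch: "x86_64"
            target: "x86_64-unknown-linux-gnu"
            pkg_target: "latest-linux-x64"
            nodecar_script: "build:linux-x64"
          - platform: "ubuntu-22.04-arm"
            args: "--target aarch64-unknown-linux-gnu --verbose"
            arch: "aarch64"
            target: "aarch64-unknown-linux-gnu"
            pkg_target: "latest-linux-arm64"
            nodecar_script: "build:linux-arm64"
          # - platform: "windows-latest"
          #   args: "--target x86_64-pc-windows-msvc --verbose"
          #   arch: "x86_64"
          #   target: "x86_64-pc-windows-msvc"
          #   pkg_target: "latest-win-x64"
          #   nodecar_script: "build:win-x64"
          # - platform: "windows-11-arm"
          #   args: "--target aarch64-pc-windows-msvc --verbose"
          #   arch: "aarch64"
          #   target: "aarch64-pc-windows-msvc"
          #   pkg_target: "latest-win-arm64"
          #   nodecar_script: "build:win-arm64"

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          # No later step pushes with git, so do not leave the write-scoped
          # token in .git/config where build scripts could read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
        with:
          node-version-file: .node-version

      - name: Setup pnpm
        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda #v4.1.0

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #master
        with:
          toolchain: stable
          targets: ${{ matrix.target }}

      - name: Install dependencies (Ubuntu only)
        if: matrix.platform == 'ubuntu-22.04' || matrix.platform == 'ubuntu-22.04-arm'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev pkg-config xdg-utils

      # NOTE(review): a restored cache feeds directly into the signed release
      # build. Confirm which workflows can write this cache, or build
      # releases without restoring it.
      - name: Rust cache
        uses: swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 #v2.8.0
        with:
          workdir: ./src-tauri

      # --locked builds with the Cargo.lock published with the crate instead
      # of re-resolving dependencies at release time.
      # TODO: also pin the tool itself with `--version <PINNED_VERSION>`;
      # every action in this job is pinned, but this install takes whatever
      # version is newest on the day of the release.
      - name: Install banderole
        run: cargo install --locked banderole

      - name: Install frontend dependencies
        run: pnpm install --frozen-lockfile

      # Matrix values are passed through env rather than interpolated into
      # the script text, so they reach the shell as data, not as code.
      - name: Build nodecar sidecar
        shell: bash
        working-directory: ./nodecar
        env:
          NODECAR_SCRIPT: ${{ matrix.nodecar_script }}
        run: |
          pnpm run "$NODECAR_SCRIPT"

      # The windows-latest branch only matters if the commented-out Windows
      # matrix entries are re-enabled.
      - name: Copy nodecar binary to Tauri binaries
        shell: bash
        env:
          MATRIX_PLATFORM: ${{ matrix.platform }}
          MATRIX_TARGET: ${{ matrix.target }}
        run: |
          mkdir -p src-tauri/binaries
          if [[ "$MATRIX_PLATFORM" == "windows-latest" ]]; then
            cp nodecar/nodecar-bin "src-tauri/binaries/nodecar-${MATRIX_TARGET}.exe"
          else
            cp nodecar/nodecar-bin "src-tauri/binaries/nodecar-${MATRIX_TARGET}"
          fi

      # - name: Download Camoufox for testing
      #   run: npx camoufox-js fetch
      #   continue-on-error: true

      - name: Build frontend
        run: pnpm build

      # The signing key and its password are set on this step only.
      # NOTE(review): this assumes no earlier step reads
      # TAURI_SIGNING_PRIVATE_KEY; confirm against the nodecar and frontend
      # build scripts.
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@e834788a94591d81e3ae0bd9ec06366f5afb8994 #v0.5.23
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REF_NAME: ${{ github.ref_name }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: ${{ github.ref_name }}
          releaseName: "Donut Browser ${{ github.ref_name }}"
          releaseBody: "See the assets to download this version and install."
          releaseDraft: false
          prerelease: false
          args: ${{ matrix.args }}

      # NOTE(review): re-enabling this step likely requires the checkout
      # step to persist credentials again, since it pushes a commit.
      # - name: Commit CHANGELOG.md
      #   uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 #v6.0.1
      #   with:
      #     branch: main
      #     commit_message: "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"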