donutbrowser/.github/workflows/rolling-release.yml

name: Rolling Release

on:
  push:
    branches:
      - main

env:
  TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
  TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}

jobs:
  security-scan:
    name: Security Vulnerability Scan
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
    with:
      scan-args: |-
        -r
        --skip-git
        --lockfile=pnpm-lock.yaml
        --lockfile=src-tauri/Cargo.lock
        ./
    permissions:
      security-events: write
      contents: read
      actions: read

  lint-js:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
    permissions:
      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
    permissions:
      contents: read

  codeql:
    name: CodeQL
    uses: ./.github/workflows/codeql.yml
    secrets: inherit
    permissions:
      security-events: write
      contents: read
      packages: read
      actions: read

  spellcheck:
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
    permissions:
      contents: read

  rolling-release:
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: "macos-latest"
            args: "--target aarch64-apple-darwin --verbose"
            arch: "aarch64"
            target: "aarch64-apple-darwin"
            pkg_target: "latest-macos-arm64"
          - platform: "macos-latest"
            args: "--target x86_64-apple-darwin --verbose"
            arch: "x86_64"
            target: "x86_64-apple-darwin"
            pkg_target: "latest-macos-x64"
          - platform: "ubuntu-22.04"
            args: "--target x86_64-unknown-linux-gnu --verbose"
            arch: "x86_64"
            target: "x86_64-unknown-linux-gnu"
            pkg_target: "latest-linux-x64"
          - platform: "ubuntu-22.04-arm"
            args: "--target aarch64-unknown-linux-gnu --verbose"
            arch: "aarch64"
            target: "aarch64-unknown-linux-gnu"
            pkg_target: "latest-linux-arm64"
          - platform: "windows-latest"
            args: "--target x86_64-pc-windows-msvc --verbose"
            arch: "x86_64"
            target: "x86_64-pc-windows-msvc"
            pkg_target: "latest-win-x64"

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
        with:
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0
        with:
          node-version-file: .node-version
          cache: "pnpm"

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #master
        with:
          toolchain: stable
          targets: ${{ matrix.target }}

      - name: Install dependencies (Ubuntu only)
        if: matrix.platform == 'ubuntu-22.04' || matrix.platform == 'ubuntu-22.04-arm'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils

      - name: Rust cache
        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
        with:
          workdir: ./src-tauri

      - name: Install frontend dependencies
        run: pnpm install --frozen-lockfile

      - name: Build frontend
        run: pnpm exec next build

      - name: Verify frontend dist exists
        shell: bash
        run: |
          if [ ! -d "dist" ]; then
            echo "Error: dist directory not found after build"
            ls -la
            exit 1
          fi
          echo "Frontend dist directory verified at $(pwd)/dist"
          echo "Checking from src-tauri perspective:"
          ls -la src-tauri/../dist || echo "Warning: dist not accessible from src-tauri"

      - name: Build sidecar binaries
        shell: bash
        working-directory: ./src-tauri
        run: |
          cargo build --bin donut-proxy --target ${{ matrix.target }} --release
          cargo build --bin donut-daemon --target ${{ matrix.target }} --release

      - name: Copy sidecar binaries to Tauri binaries
        shell: bash
        run: |
          mkdir -p src-tauri/binaries
          if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then
            cp src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe src-tauri/binaries/donut-proxy-${{ matrix.target }}.exe
            cp src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe src-tauri/binaries/donut-daemon-${{ matrix.target }}.exe
          else
            cp src-tauri/target/${{ matrix.target }}/release/donut-proxy src-tauri/binaries/donut-proxy-${{ matrix.target }}
            cp src-tauri/target/${{ matrix.target }}/release/donut-daemon src-tauri/binaries/donut-daemon-${{ matrix.target }}
            chmod +x src-tauri/binaries/donut-proxy-${{ matrix.target }}
            chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }}
          fi

      - name: Generate nightly timestamp
        id: timestamp
        shell: bash
        run: |
          TIMESTAMP=$(date -u +"%Y-%m-%d")
          COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7)
          echo "timestamp=${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT
          echo "Generated timestamp: ${TIMESTAMP}-${COMMIT_HASH}"

      - name: Build Tauri app
        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
          GITHUB_REF_NAME: "nightly-${{ steps.timestamp.outputs.timestamp }}"
          GITHUB_SHA: ${{ github.sha }}
        with:
          projectPath: ./src-tauri
          tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
          releaseName: "Donut Browser Nightly (Build ${{ steps.timestamp.outputs.timestamp }})"
          releaseBody: "⚠️ **Nightly Release** - This is an automatically generated pre-release build from the latest main branch. Use with caution.\n\nCommit: ${{ github.sha }}\nBuild: ${{ steps.timestamp.outputs.timestamp }}"
          releaseDraft: false
          prerelease: true
          args: ${{ matrix.args }}