.github/workflows/package.yaml

name: Package

on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"

jobs:
  linux-deb:
    environment: packaging
    runs-on: ubuntu-latest
    container: "debian:latest"
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Setup dependencies
        run: |
          apt-get -q update && apt-get -q upgrade -y
          apt-get -q install -y openjdk-17-jdk maven binutils fakeroot wget git
          
      - uses: actions/checkout@v4

      - name: Build artifact
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}
          ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
          
          ./mvnw -B -C -V package
          ls -lah ./target

      - name: Create release if tag pushed
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          prerelease: true
          files: |
            target/*.deb
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  linux-rpm:
    environment: packaging
    runs-on: ubuntu-latest
    container: "fedora:latest"
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Setup dependencies
        run: |
          dnf -q install -y java-17-openjdk maven rpm-build git

      - uses: actions/checkout@v4

      - name: Build artifact
        run: |
          git config --global --add safe.directory ${GITHUB_WORKSPACE}
          ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')

          ./mvnw -B -C -V package
          ls -lah ./target

      - name: Create release if tag pushed
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          prerelease: true
          files: |
            target/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  macos:
    environment: packaging
    runs-on: macos-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          path: target

      - name: Update version in pom if tag pushed
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
        shell: bash

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: "17.0.7+7"

      - name: Cache local Maven repository and JDK cache
        uses: actions/cache@v3
        with:
          path: |
            ~/.m2/repository
            target/jdkCache
          key: macos-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            macos-maven-

      - name: Install an Apple keychain (MacOS)
        # based on https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow
        env:
          APPLE_KEYCHAIN_BASE64: ${{ secrets.APPLE_KEYCHAIN_BASE64 }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
          APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
        shell: bash
        run: |
          # create variables
          APPLE_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          # share to rest of steps
          echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >> "$GITHUB_ENV"

          # import keychain from secrets
          echo -n "$APPLE_KEYCHAIN_BASE64" | base64 --decode -o $APPLE_KEYCHAIN_PATH
          set -x

          # unlock, set timeout and set as used keychain
          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $APPLE_KEYCHAIN_PATH
          #security set-keychain-settings -lut 21600 $APPLE_KEYCHAIN_PATH
          security list-keychain -d user -s $APPLE_KEYCHAIN_PATH
          security default-keychain -s $APPLE_KEYCHAIN_PATH

      - name: Package with Maven
        run: ./mvnw -B -C -V package
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }}
          APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}

      - name: Notarize release with Apple (MacOS)
        env:
          APPLE_KEYCHAIN_PATH: ${{ env.APPLE_KEYCHAIN_PATH }}
        shell: bash
        run: |
          set -x
          # run notarization
          xcrun notarytool submit --keychain-profile "autogram" --keychain $APPLE_KEYCHAIN_PATH --wait target/Autogram-*.pkg
          # staple
          xcrun stapler staple target/Autogram-*.pkg
          # lock all keychains
          security lock-keychain -a

      - name: Create release if tag pushed
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          prerelease: true
          files: |
            target/*.pkg
            target/*.dmg
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  windows:
    environment: packaging
    runs-on: windows-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          path: target

      - name: Update version in pom if tag pushed
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -DnewVersion=$(git describe --tags --abbrev=0 | sed -r 's/^v//g')
        shell: bash

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: "17.0.7+7"

      - name: Cache local Maven repository and JDK cache
        uses: actions/cache@v3
        with:
          path: |
            ~/.m2/repository
            target/jdkCache
          key: windows-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            windows-maven-

      - name: Package with Maven
        run: ./mvnw -B -C -V package
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign on Azure
        shell: bash
        run: |
          dotnet tool install --global AzureSignTool
          AzureSignTool sign --description "Autogram" -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v target/*.msi

      - name: Create release if tag pushed
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          prerelease: true
          files: |
            target/*.exe
            target/*.msi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}