.github/workflows/publish.yml

name: publish

on:
  push:
    branches: ['main']
    tags:
      - 'v*.*.*'

concurrency: ${{ github.ref }}

jobs:
  create-draft-release:
    runs-on: ubuntu-latest
    outputs:
      RELEASE_ID: ${{ steps.create-release.outputs.result }}
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/github-script@v7
        id: create-release
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          script: |
            try {
              const response = await github.rest.repos.createRelease({
                draft: true,
                generate_release_notes: true,
                name: process.env.RELEASE_TAG,
                owner: context.repo.owner,
                prerelease: false,
                repo: context.repo.repo,
                tag_name: process.env.RELEASE_TAG,
              });

              return response.data.id;
            } catch (error) {
              core.setFailed(error.message);
            }

  build-binaries:
    strategy:
      matrix:
        os: [linux, darwin] #, freebsd, windows]
        arch: [amd64, arm64]
    runs-on: ubuntu-latest
    needs: [create-draft-release]
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      id-token: write
      packages: write
      statuses: write
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - uses: actions/setup-go@v5
        with:
          go-version: 1.22.x
      - name: Build binary
        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build
      - name: Upload release asset
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          _filename=cardano-up-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}
          if [[ ${{ matrix.os }} == windows ]]; then
            _filename=${_filename}.exe
          fi
          cp cardano-up ${_filename}
          curl \
            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @${_filename} \
            https://uploads.github.com/repos/${{ github.repository_owner }}/cardano-up/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}
      - name: Attest binary
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'cardano-up'

  build-images:
    runs-on: ubuntu-latest
    needs: [create-draft-release]
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      id-token: write
      packages: write
      statuses: write
    steps:
      - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: blinklabs
          password: ${{ secrets.DOCKER_PASSWORD }} # uses token
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            blinklabs/cardano-up
            ghcr.io/${{ github.repository }}
          tags: |
            # Only version, no revision
            type=match,pattern=v(.*)-(.*),group=1
            # branch
            type=ref,event=branch
            # semver
            type=semver,pattern={{version}}
      - name: Build images
        uses: docker/build-push-action@v6
        id: push
        with:
          outputs: "type=registry,push=true"
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Attest Docker Hub image
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: index.docker.io/blinklabs/cardano-up
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
      - name: Attest GHCR image
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
      # Update Docker Hub from README
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: blinklabs
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: blinklabs/cardano-up
          readme-filepath: ./README.md
          short-description: "Command line utility for managing Cardano services for local development"

  finalize-release:
    runs-on: ubuntu-latest
    needs: [create-draft-release, build-binaries, build-images]
    steps:
      - uses: actions/github-script@v7
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            try {
              await github.rest.repos.updateRelease({
                owner: context.repo.owner,
                repo: context.repo.repo,
                release_id: ${{ needs.create-draft-release.outputs.RELEASE_ID }},
                draft: false,
              });
            } catch (error) {
              core.setFailed(error.message);
            }