.github/workflows/release.yml

name: release

on:
  workflow_dispatch:
  push:
    branches:
      - test-nuget

permissions:
  id-token: write
  contents: write

jobs:
  prereqs:
    name: Prerequisites
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4

      - name: Set version
        run: echo "version=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_OUTPUT
        id: version

  # ================================
  #           .NET Tool
  # ================================
  dotnet-tool-build:
    name: Build .NET tool
    runs-on: ubuntu-latest
    needs: prereqs
    steps:
      - uses: actions/checkout@v4

      - name: Set up .NET
        uses: actions/setup-dotnet@v4.0.0
        with:
          dotnet-version: 8.0.x

      - name: Build .NET tool
        run: |
          src/shared/DotnetTool/layout.sh --configuration=Release

      - name: Upload .NET tool artifacts
        uses: actions/upload-artifact@v4
        with:
          name: tmp.dotnet-tool-build
          path: |
            out/shared/DotnetTool/nupkg/Release

  dotnet-tool-payload-sign:
    name: Sign .NET tool payload
    runs-on: windows-latest
    environment: release
    needs: dotnet-tool-build
    steps:
      - uses: actions/checkout@v4

      - name: Download payload
        uses: actions/download-artifact@v4
        with:
          name: tmp.dotnet-tool-build

      - name: Log into Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Download/extract Sign CLI tool
        env:
          AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
          SCT: ${{ secrets.SIGN_CLI_TOOL }}
        run: |
          az storage blob download --file sign-cli.zip --auth-mode login `
            --account-name $env:AST --container-name $env:ASC --name $env:SCT
          Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli

      - name: Sign payload
        env:
          ACST: ${{ secrets.AZURE_TENANT_ID }}
          ACSI: ${{ secrets.AZURE_CLIENT_ID }}
          ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          ./sign-cli/sign.exe code azcodesign payload/* `
            -acsu https://wus2.codesigning.azure.net/ `
            -acsa git-fundamentals-signing `
            -acscp git-fundamentals-windows-signing `
            -d "Git Fundamentals Windows Signing Certificate" `
            -u "https://github.com/git-ecosystem/git-credential-manager" `
            -acst $env:ACST `
            -acsi $env:ACSI `
            -acss $env:ACSS

      - name: Lay out signed payload, images, and symbols
        shell: bash
        run: |
          mkdir dotnet-tool-payload-sign
          mv images payload.sym payload -t dotnet-tool-payload-sign

      - name: Upload signed payload
        uses: actions/upload-artifact@v4
        with:
          name: dotnet-tool-payload-sign
          path: |
            dotnet-tool-payload-sign

  dotnet-tool-pack:
    name: Package .NET tool
    runs-on: ubuntu-latest
    needs: [prereqs, dotnet-tool-payload-sign]
    steps:
      - uses: actions/checkout@v4

      - name: Download signed payload
        uses: actions/download-artifact@v4
        with:
          name: dotnet-tool-payload-sign
          path: signed

      - name: Set up .NET
        uses: actions/setup-dotnet@v4.0.0
        with:
          dotnet-version: 8.0.x

      - name: Package tool
        run: |
          src/shared/DotnetTool/pack.sh --configuration=Release \
            --version="${{ needs.prereqs.outputs.version }}" \
            --publish-dir=$(pwd)/signed

      - name: Upload unsigned package
        uses: actions/upload-artifact@v4
        with:
          name: tmp.dotnet-tool-package-unsigned
          path: |
            out/shared/DotnetTool/nupkg/Release/*.nupkg

  dotnet-tool-sign:
    name: Sign .NET tool package
    runs-on: windows-latest
    environment: release
    needs: dotnet-tool-pack
    steps:
      - name: Download unsigned package
        uses: actions/download-artifact@v4
        with:
          name: tmp.dotnet-tool-package-unsigned
          path: nupkg

      - name: Log into Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Download/extract Sign CLI tool
        env:
          AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
          SCT: ${{ secrets.SIGN_CLI_TOOL }}
        run: |
          az storage blob download --file sign-cli.zip --auth-mode login `
            --account-name $env:AST --container-name $env:ASC --name $env:SCT
          Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli

      - name: Sign package
        env:
          ACST: ${{ secrets.AZURE_TENANT_ID }}
          ACSI: ${{ secrets.AZURE_CLIENT_ID }}
          ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          ./sign-cli/sign.exe code azcodesign nupkg/* `
            -acsu https://wus2.codesigning.azure.net/ `
            -acsa git-fundamentals-signing `
            -acscp git-fundamentals-windows-signing `
            -d "Git Fundamentals Windows Signing Certificate" `
            -u "https://github.com/git-ecosystem/git-credential-manager" `
            -acst $env:ACST `
            -acsi $env:ACSI `
            -acss $env:ACSS `
            -acsc signing-certificate.cer

      #       exit 1

      # - name: action-tmate
      #   if: failure()
      #   uses: mxschmitt/action-tmate@v3

      - name: Publish signed package
        uses: actions/upload-artifact@v4
        with:
          name: dotnet-tool-sign
          path: |
            nupkg/*.nupkg
            signing-certificate.cer

  # ================================
  #           Validate
  # ================================
  validate:
    name: Validate installers
    strategy:
      matrix:
        component:
          - os: ubuntu-latest
            artifact: dotnet-tool-sign
            command: git-credential-manager
            description: dotnet-tool
    runs-on: ${{ matrix.component.os }}
    needs: [dotnet-tool-sign]
    steps:
      - uses: actions/checkout@v4

      - name: Set up .NET
        uses: actions/setup-dotnet@v4.0.0
        with:
          dotnet-version: 8.0.x

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.component.artifact }}

      - name: Install .NET tool
        if: contains(matrix.component.description, 'dotnet-tool')
        run: |
          nupkgpath=$(find ./nupkg/*.nupkg)
          dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager
          "${{ matrix.component.command }}" configure

      - name: Validate
        shell: bash
        run: |
          "${{ matrix.component.command }}" --version | sed 's/+.*//' >actual
          cat VERSION | sed -E 's/.[0-9]+$//' >expect
          cmp expect actual || exit 1

# ================================
#             Publish
# ================================
  create-github-release:
    name: Publish GitHub draft release
    runs-on: ubuntu-latest
    env:
      AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
      GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
    environment: release
    needs: [ prereqs, validate ]
    steps:
      - uses: actions/checkout@v4

      - name: Set up .NET
        uses: actions/setup-dotnet@v4.0.0
        with:
          dotnet-version: 8.0.x

      - name: Download artifacts
        uses: actions/download-artifact@v4

      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const path = require('path');
            const version = "${{ needs.prereqs.outputs.version }}"

            var releaseMetadata = {
              owner: context.repo.owner,
              repo: context.repo.repo
            };

            // Create the release
            var tagName = `v${version}`;
            var createdRelease = await github.rest.repos.createRelease({
              ...releaseMetadata,
              draft: true,
              tag_name: tagName,
              target_commitish: context.sha,
              name: `GCM ${version}`
            });
            releaseMetadata.release_id = createdRelease.data.id;

            // Uploads contents of directory to the release created above
            async function uploadDirectoryToRelease(directory, includeExtensions=[]) {
              return fs.promises.readdir(directory)
                .then(async(files) => Promise.all(
                  files.filter(file => {
                    return includeExtensions.length==0 || includeExtensions.includes(path.extname(file).toLowerCase());
                  })
                  .map(async (file) => {
                    var filePath = path.join(directory, file);
                    github.rest.repos.uploadReleaseAsset({
                      ...releaseMetadata,
                      name: file,
                      headers: {
                        "content-length": (await fs.promises.stat(filePath)).size
                      },
                      data: fs.createReadStream(filePath)
                    });
                  }))
                );
            }

            await Promise.all([
              // Upload .NET tool package
              uploadDirectoryToRelease('dotnet-tool-sign'),
              uploadDirectoryToRelease('dotnet-tool-sign/nuget')
            ]);