name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  linux:
    name: Linux AppImage
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # need tag history for release notes

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          extensions: curl, json, mbstring
          tools: composer:v2
          coverage: none

      - name: Install bundle dependencies
        working-directory: framework/php
        run: composer install --no-interaction --prefer-dist

      - name: Setup Qt 6
        uses: jurplel/install-qt-action@v4
        with:
          version: '6.5.*'
          modules: 'qtquickcontrols2'
          cache: true

      - name: Install FrankenPHP
        run: |
          curl -fsSL -o /usr/local/bin/frankenphp \
            https://github.com/php/frankenphp/releases/download/v1.12.2/frankenphp-linux-x86_64
          chmod +x /usr/local/bin/frankenphp

      - name: Build the todo example
        working-directory: examples/todo
        run: |
          make install
          make build

      - name: Build AppImage
        working-directory: examples/todo
        env:
          # The AppImage tooling can't always FUSE-mount inside CI; use
          # extract-and-run for linuxdeploy + manual appimagetool.
          APPIMAGE_EXTRACT_AND_RUN: '1'
          FRANKENPHP: /usr/local/bin/frankenphp
        run: make appimage

      - name: Compute SHA256SUMS
        working-directory: examples/todo/build
        run: |
          sha256sum Todo-x86_64.AppImage > SHA256SUMS
          cat SHA256SUMS

      - name: Import GPG signing key
        if: ${{ env.GPG_KEY != '' }}
        env:
          GPG_KEY:        ${{ secrets.GPG_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          echo "$GPG_KEY" | gpg --batch --import
          # Default key id from the imported keyring (first secret key).
          KEYID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
          echo "GPG_KEYID=$KEYID" >> "$GITHUB_ENV"

      - name: Sign SHA256SUMS
        if: ${{ env.GPG_KEYID != '' }}
        working-directory: examples/todo/build
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          gpg --batch --pinentry-mode loopback \
              --passphrase "$GPG_PASSPHRASE" \
              --local-user "$GPG_KEYID" \
              --detach-sign --armor \
              -o SHA256SUMS.asc \
              SHA256SUMS

      - name: Create Gitea Release and upload artefacts
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          REPO:        ${{ github.repository }}
          TAG:         ${{ github.ref_name }}
        working-directory: examples/todo/build
        run: |
          set -euo pipefail
          api="${GITHUB_SERVER_URL}/api/v1"

          # Create the release (or get the existing one for this tag)
          release_json=$(curl -fsSL -X POST "$api/repos/$REPO/releases" \
              -H "Authorization: token $GITEA_TOKEN" \
              -H 'Content-Type: application/json' \
              -d "$(jq -n --arg tag "$TAG" --arg name "$TAG" \
                       '{tag_name:$tag,name:$name,draft:false,prerelease:false}')" \
              || curl -fsSL "$api/repos/$REPO/releases/tags/$TAG" \
                  -H "Authorization: token $GITEA_TOKEN")
          rid=$(echo "$release_json" | jq -r .id)
          echo "Release id: $rid"

          upload() {
              local f="$1"
              echo "  uploading $f"
              curl -fsSL -X POST \
                  "$api/repos/$REPO/releases/$rid/assets?name=$(basename "$f")" \
                  -H "Authorization: token $GITEA_TOKEN" \
                  -H 'Content-Type: application/octet-stream' \
                  --data-binary "@$f"
          }
          upload Todo-x86_64.AppImage
          upload SHA256SUMS
          [ -f SHA256SUMS.asc ] && upload SHA256SUMS.asc || true