name: release-assets
on:
  release:
    types:
    - published
env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_GIT_FETCH_WITH_CLI: true
  CARGO_NET_RETRY: 10
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
  RUSTUP_MAX_RETRIES: 10
jobs:
  services:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        arch:
        - x86_64
        - aarch64
    env:
      TARGET_ARCH: "${{ matrix.arch }}"
      CI_NEEDS_FPM: "1"
    name: release-assets services ${{ matrix.arch }}
    permissions:
      contents: write
    steps:
    - name: harden runner
      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
      with:
        egress-policy: audit
    - name: checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
    - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets
      run: |
        rustup update --no-self-update stable
        rustup default stable
        rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl
    - name: install linux dependencies
      run: ./hack/ci/install-linux-deps.sh
    - name: build systemd bundle
      run: ./hack/dist/bundle.sh
    - name: assemble systemd bundle
      run: "./hack/ci/assemble-release-assets.sh bundle-systemd ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/bundle-systemd-${{ matrix.arch }}.tgz"
    - name: build deb package
      run: ./hack/dist/deb.sh
    - name: assemble deb package
      run: "./hack/ci/assemble-release-assets.sh debian ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*.deb"
    - name: build apk package
      run: ./hack/dist/apk.sh
    - name: assemble apk package
      run: "./hack/ci/assemble-release-assets.sh alpine ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*_${{ matrix.arch }}.apk"
    - name: upload release artifacts
      run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
      env:
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
  kratactl:
    strategy:
      fail-fast: false
      matrix:
        platform:
        - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux }
        - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux }
        - { os: darwin, arch: x86_64, on: macos-14, deps: darwin }
        - { os: darwin, arch: aarch64, on: macos-14, deps: darwin }
        - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux }
        - { os: windows, arch: x86_64, on: windows-latest, deps: windows }
    env:
      TARGET_OS: "${{ matrix.platform.os }}"
      TARGET_ARCH: "${{ matrix.platform.arch }}"
    runs-on: "${{ matrix.platform.on }}"
    name: release-assets kratactl ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
    defaults:
      run:
        shell: bash
    timeout-minutes: 60
    permissions:
      contents: write
    steps:
    - name: harden runner
      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
      with:
        egress-policy: audit
    - name: checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
    - name: install stable rust toolchain
      run: |
        rustup update --no-self-update stable
        rustup default stable
    - name: install ${{ matrix.platform.arch }}-apple-darwin rust target
      run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin"
      if: ${{ matrix.platform.os == 'darwin' }}
    - name: setup homebrew
      uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
      if: ${{ matrix.platform.os == 'darwin' }}
    - name: install ${{ matrix.platform.deps }} dependencies
      run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
    - name: cargo build kratactl
      run: ./hack/build/cargo.sh build --release --bin kratactl
    - name: assemble kratactl executable
      run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl"
      if: ${{ matrix.platform.os != 'windows' }}
    - name: assemble kratactl executable
      run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl.exe"
      if: ${{ matrix.platform.os == 'windows' }}
    - name: upload release artifacts
      run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
      env:
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
  oci:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component:
        - kratactl
        - kratad
        - kratanet
        - krata-zone
    name: release-assets oci ${{ matrix.component }}
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
    - name: harden runner
      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
      with:
        egress-policy: audit
    - name: checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
    - name: install cosign
      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
    - name: setup docker buildx
      uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
    - name: login to container registry
      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
      with:
        registry: ghcr.io
        username: "${{ github.actor }}"
        password: "${{ secrets.GITHUB_TOKEN }}"
    - name: capture krata version
      id: version
      run: |
        echo "KRATA_VERSION=$(./hack/dist/version.sh)" >> "${GITHUB_OUTPUT}"
    - name: docker build and push ${{ matrix.component }}
      uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
      id: push
      with:
        file: ./images/Dockerfile.${{ matrix.component }}
        platforms: linux/amd64,linux/aarch64
        tags: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }},ghcr.io/edera-dev/${{ matrix.component }}:latest"
        push: true
    - name: cosign sign ${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}
      run: cosign sign --yes "${TAGS}@${DIGEST}"
      env:
        DIGEST: "${{ steps.push.outputs.digest }}"
        TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}"
        COSIGN_EXPERIMENTAL: "true"
    - name: cosign sign ${{ matrix.component }}:latest
      run: cosign sign --yes "${TAGS}@${DIGEST}"
      env:
        DIGEST: "${{ steps.push.outputs.digest }}"
        TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:latest"
        COSIGN_EXPERIMENTAL: "true"