release.yml

name: Release
on:
  push:
    branches:
      - main
    tags:
      - 'v*'
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - '.github/**'
      - '!.github/workflows/release.yml'

jobs:
  build:
    permissions: write-all
    strategy:
      fail-fast: false
      matrix:
        job:
          - { name: 'hiddify-core-android', os: 'ubuntu-latest', target: 'android' }
          - { name: 'hiddify-core-linux-amd64', os: 'ubuntu-20.04', target: 'linux-amd64' }
          - { name: "hiddify-core-windows-amd64", os: 'ubuntu-latest', target: 'windows-amd64', aarch: 'x64' }
          - { name: "hiddify-core-macos-universal", os: 'macos-12', target: 'macos-universal' }
          - { name: "hiddify-core-ios", os: "macos-12", target: "ios" }
          # linux custom
          - {name: hiddify-cli-linux-amd64, goos: linux, goarch: amd64, goamd64: v1, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-amd64-v3, goos: linux, goarch: amd64, goamd64: v3, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-386, goos: linux, goarch: 386, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-arm64, goos: linux, goarch: arm64, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-armv5, goos: linux, goarch: arm, goarm: 5, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-armv6, goos: linux, goarch: arm, goarm: 6, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-armv7, goos: linux, goarch: arm, goarm: 7, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mips-softfloat, goos: linux, goarch: mips, gomips: softfloat, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mips-hardfloat, goos: linux, goarch: mips, gomips: hardfloat, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mipsel-softfloat, goos: linux, goarch: mipsle, gomips: softfloat, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mipsel-hardfloat, goos: linux, goarch: mipsle, gomips: hardfloat, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mips64, goos: linux, goarch: mips64, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-mips64el, goos: linux, goarch: mips64le, target: 'linux-custom', os: 'ubuntu-20.04'}
          - {name: hiddify-cli-linux-s390x, goos: linux, goarch: s390x, target: 'linux-custom', os: 'ubuntu-20.04'}
    
    runs-on: ${{ matrix.job.os }}
    env:
      GOOS: ${{ matrix.job.goos }}
      GOARCH: ${{ matrix.job.goarch }}
      GOAMD64: ${{ matrix.job.goamd64 }}
      GOARM: ${{ matrix.job.goarm }}
      GOMIPS: ${{ matrix.job.gomips }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          check-latest: false

      - name: Setup Java
        if: startsWith(matrix.job.target,'android')
        uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '17'

      - name: Setup NDK
        if: startsWith(matrix.job.target,'android')
        uses: nttld/setup-ndk@v1.4.0
        id: setup-ndk
        with:
          ndk-version: r26b
          add-to-path: true
          local-cache: false
          link-to-sdk: true

      - name: Setup MinGW
        if: startsWith(matrix.job.target,'windows')
        uses: egor-tensin/setup-mingw@v2
        with:
          platform: ${{ matrix.job.aarch }}
      - name: Setup macos
        if: startsWith(matrix.job.target,'macos') ||  startsWith(matrix.job.target,'ios')
        run: |
          brew install create-dmg tree coreutils

      - name: Build
        run: |
          make -j$(($(nproc) + 1)) ${{ matrix.job.target }}

      - name: zip
        run: |
          tree 
          rm -f /*.h */*.h
          rm ./hiddify-libcore*sources* ||echo "no source"
          rm ./hiddify-libcore-macos-a*.dylib || echo "no macos arm and amd"
          files=$(ls | grep -E '^(libcore\.(dll|so|dylib|aar)|webui|Libcore.xcframework|lib|HiddifyCli(\.exe)?)$')
          echo tar -czvf ${{ matrix.job.name }}.tar.gz  $files
          tar -czvf ${{ matrix.job.name }}.tar.gz  $files
          
        working-directory: bin
      - uses: actions/upload-artifact@v4
        if: ${{ success() }}
        with:
          name: ${{ matrix.job.name }}
          path: bin/*.tar.gz
          retention-days: 1


  upload-prerelease:
    permissions: write-all
    if: ${{ github.ref_type=='branch' }}
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          pattern: hiddify-*
          path: bin/

      - name: Display Files Structure
        run: tree
        working-directory: bin

      - name: Delete Current Release Assets
        uses: 8Mi-Tech/delete-release-assets-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag: 'draft'
          deleteOnlyFromDrafts: false

      - name: Create or Update Draft Release
        uses: softprops/action-gh-release@v1
        if: ${{ success() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: ./bin/*.tar.gz
          name: 'draft'
          tag_name: 'draft'
          prerelease: true

  upload-release:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          pattern: hiddify-*
          path: bin/

      - name: Display Files Structure
        run: ls -R
        working-directory: bin

      - name: Upload Release
        uses: softprops/action-gh-release@v1
        if: ${{ success() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          files: bin/*.tar.gz

  make-upload-docker:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
    needs: [upload-release]
    runs-on: ubuntu-latest
    # permissions:
    #   contents: read
    #   packages: write
    #   # This is used to complete the identity challenge
    #   # with sigstore/fulcio when running outside of PRs.
    #   id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          pattern: hiddify-*
          path: bin/
         
              
      - name: Checkout repository
        uses: actions/checkout@v3

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.1.1'

      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ghcr.io
        uses: docker/login-action@v3 
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/hiddify/hiddify-core

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: ./docker/
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build-and-push.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
            name: digests
            path: /tmp/digests/*
            if-no-files-found: error
            retention-days: 1
      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.  If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}