.github/workflows/release.yml

name: Release
on:
  push:
    tags:
      - "*"
jobs:
  goreleaser:
    runs-on: macos-13
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.20'

      - name: Import Code-Signing Certificates
        uses: apple-actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.MAC_CERT }}
          p12-password: ${{ secrets.MAC_CERT_PASS }}
          keychain: build
          keychain-password: ${{ secrets.MAC_CERT_PASS }}

      - name: Setup Keychain
        run: |
          KEYCHAIN=build.keychain
          security default-keychain -s $KEYCHAIN
          security unlock-keychain -p $MAC_CERT_PASS $KEYCHAIN
          curl -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
          security import AppleWWDRCAG3.cer -k $KEYCHAIN -T /usr/bin/codesign
          curl -o AppleRootCA.cer https://www.apple.com/appleca/AppleIncRootCertificate.cer
          security import AppleRootCA.cer -k $KEYCHAIN -T /usr/bin/codesign
          curl -o AppleDevIntermediate.cer https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
          security import AppleDevIntermediate.cer -k $KEYCHAIN -T /usr/bin/codesign
          security find-identity -v $KEYCHAIN
          rm *.cer
        env:
          MAC_CERT_PASS: ${{ secrets.MAC_CERT_PASS }}

      - name: Add APK Signing Key
        run: |
          echo "${{ secrets.APK_PACKAGE_RSA }}" > abuild.rsa
          chmod 600 abuild.rsa
          ls -l
        env:
          APK_PACKAGE_RSA: ${{ secrets.APK_PACKAGE_RSA }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NOTARYTOOL_PASS: ${{ secrets.NOTARYTOOL_PASS }}

      - name: Remove APK key
        run: rm -rf abuild.rsa

      - name: Read post build hook logs
        if: always()
        run: cat post_build_output.txt

  dockerrelease:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker images
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: |
            ghcr.io/iits-consulting/otc-auth:latest
            ghcr.io/iits-consulting/otc-auth:${{ env.RELEASE_VERSION }}

  aur-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - uses: actions/checkout@v2

      - name: Prepare PKGBUILD
        run: |
          # We simply imply that ref is always a valid tag for now.
          sed -e "s/__VERSION__/${GITHUB_REF_NAME}/" <PKGBUILD.template >PKGBUILD
      - name: Publish AUR package
        uses: KSXGitHub/github-actions-deploy-aur@v2.7.0
        with:
          pkgname: otc-auth
          pkgbuild: ./PKGBUILD
          commit_username: ${{ secrets.AUR_USERNAME }}
          commit_email: ${{ secrets.AUR_EMAIL }}
          ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
          commit_message: "Bump to ${{ github.github_ref_name }}"
          ssh_keyscan_types: rsa,dsa,ecdsa,ed25519

  apk-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    container:
      image: alpine:3.19.0

    steps:
      - name: Get latest apks
        uses: robinraju/release-downloader@v1.8
        with:
          latest: true
          fileName: "*.apk"

      - name: Install dependencies
        run: |
          apk add alpine-sdk openssl

      - name: Import keys
        run: |
          mkdir ~/.abuild
          echo "$APK_PACKAGE_RSA" > ~/.abuild/abuild.rsa
          openssl rsa -pubout -in ~/.abuild/abuild.rsa -out ~/.abuild/abuild.rsa.pub
          echo "PACKAGER_PRIVKEY=\"~/.abuild/abuild.rsa\"" >> /etc/abuild.conf
          cp ~/.abuild/abuild.rsa.pub /etc/apk/keys/
        env:
          APK_PACKAGE_RSA: ${{ secrets.APK_PACKAGE_RSA }}

      - name: Make and sign apkindex
        run: |
          apk index -o APKINDEX.tar.gz *.apk
          abuild-sign -k ~/.abuild/abuild.rsa APKINDEX.tar.gz

      - name: Create repo structure
        run: |
          cp ~/.abuild/abuild.rsa.pub otc-auth.rsa.pub
          echo -e "  # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth apk-repo \n This repo contains .apk files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).\n\n ## Usage \n \`\`\`bash \n apk add curl \n curl -SsL -o /etc/apk/keys/otc-auth.rsa.pub https://iits-consulting.github.io/apk-repo otc-auth.rsa.pub \n apk add otc-auth --repository='https://iits-consulting.github.io/apk-repo' \n \`\`\`" > README.md;

      - name: Cleanup
        run: |
          rm -rf ~/.abuild

      - name: Push to APK repo
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.APK_SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'apk-repo'
          user-email: mweya.ruider@iits-consulting.de
          target-branch: main

  rpm-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    container:
      image: fedora:latest

    steps:
      - name: Get latest rpms
        uses: robinraju/release-downloader@v1.8
        with:
          latest: true
          fileName: "*.rpm"

      - name: Get dependencies
        run: |
          dnf install rpm-sign createrepo -y

      - name: Generate keys
        run: |
          export GPG_TTY=`tty`;
          echo "$GPG_PPA_PRIV_KEY" | base64 --decode | gpg --import --batch;
          echo -e "pinentry-mode loopback \npassphrase ${GPG_PPA_PRIV_KEY_PASSPHRASE}" > ~/.gnupg/gpg.conf
          echo -e "%_signature gpg \n%_gpg_name mweya.ruider@iits-consulting.de" > /root/.rpmmacros
          echo "Sanity check: $(cat /root/.rpmmacros)"
          rpm --define "_gpg_name mweya.ruider@iits-consulting.de" --addsign *.rpm
          mkdir -p otc\-auth/packages
          mv *.rpm otc\-auth/packages
          cd otc\-auth/packages
          createrepo .
          gpg --detach-sign --armor --default-key "mweya.ruider@iits-consulting.de" repodata/repomd.xml
          gpg --armor --export "mweya.ruider@iits-consulting.de" > KEY.gpg;
          cd ../../
          echo -e "[rpm-repo]\nname=otc-auth RPM repo\nbaseurl=http://iits-consulting.github.io/rpm-repo/packages\nenabled=1\ngpgcheck=1\ngpgkey=http://iits-consulting.github.io/rpm-repo/KEY.gpg" > rpm-repo.repo
          echo -e " # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth RPM Repo \n This repo contains .rpm files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).\n\n ## Usage \n \`\`\`bash \n yum-config-manager --add-repo https://iits-consulting.github.io/rpm-repo.repo \n yum install -y hello-world \n \`\`\`" > README.md;
        env:
          GPG_PPA_PRIV_KEY: ${{ secrets.GPG_PPA_PRIV_KEY }}
          GPG_PPA_PRIV_KEY_PASSPHRASE: ${{ secrets.GPG_PPA_PRIV_KEY_PASSPHRASE }}

      - name: Push to RPM repo
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.RPM_SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'rpm-repo'
          user-email: mweya.ruider@iits-consulting.de
          target-branch: main

  deb-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - name: Get latest debs
        uses: robinraju/release-downloader@v1.8
        with:
          latest: true
          fileName: "*.deb"

      - name: Create PPA repo structure
        run: |
          dpkg-scanpackages --multiversion . > Packages;
          gzip -k -f Packages;
          apt-ftparchive release . > Release;
          echo "deb [signed-by=/etc/apt/trusted.gpg.d/otc-auth_ppa.gpg] https://iits-consulting.github.io/ppa/debian ./" > otc-auth.list
          echo -e " # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth PPA \n This repo (based on the one [here](https://github.com/assafmo/ppa)) contains .deb files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).\n\n ## Usage \n \`\`\`bash \n sudo curl -SsL -o /etc/apt/trusted.gpg.d/otc-auth_ppa.gpg https://iits-consulting.github.io/ppa/debian/KEY.gpg \n sudo curl -SsL -o /etc/apt/sources.list.d/otc-auth.list https://iits-consulting.github.io/ppa/debian/otc-auth.list \n cat /etc/apt/trusted.gpg.d/otc-auth_ppa.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/otc-auth_ppa.gpg >/dev/null \n sudo apt update \n sudo apt install otc-auth \n \`\`\`" > README.md;

      - name: Generate keys
        run: |
          export GPG_TTY=`tty`;
          echo "$GPG_PPA_PRIV_KEY" | base64 --decode | gpg --import --batch;
          gpg --armor --export "mweya.ruider@iits-consulting.de" > KEY.gpg;
          echo "Sanity Check: $(ls -la Release)"
          echo -e "pinentry-mode loopback \npassphrase ${GPG_PPA_PRIV_KEY_PASSPHRASE}" > ~/.gnupg/gpg.conf
          gpg --default-key "mweya.ruider@iits-consulting.de" -abs -o - Release > Release.gpg;
          gpg --default-key "mweya.ruider@iits-consulting.de" --clearsign -o - Release > InRelease;
          
          sudo apt-get install -y debsigs 
          for package in *.deb; do
            debsigs --sign=origin --default-key="mweya.ruider@iits-consulting.de" "$package"
          done

        env:
          GPG_PPA_PRIV_KEY: ${{ secrets.GPG_PPA_PRIV_KEY }}
          GPG_PPA_PRIV_KEY_PASSPHRASE: ${{ secrets.GPG_PPA_PRIV_KEY_PASSPHRASE }}

      - name: Final cleanup
        run: |
          mkdir .debian
          mv README.md .README.md
          mv * .debian
          mv .README.md README.md
          mv .debian debian
          rm ~/.gnupg/gpg.conf

      - name: Push to PPA repo
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'ppa'
          user-email: mweya.ruider@iits-consulting.de
          target-branch: main

  brew-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - uses: actions/checkout@v2
      - name: Set output
        id: vars
        run: |
           echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
           echo "revision=$(git rev-list -n 1 ${GITHUB_REF#refs/*/})" >> $GITHUB_OUTPUT
          
      - name: Checkout brew repo
        uses: actions/checkout@v2
        with:
          repository: 'iits-consulting/homebrew-tap'
          ref: main
          fetch-depth: 0

      - name: Update otc-auth Formula
        working-directory: Formula
        env:
          TAG: ${{ steps.vars.outputs.tag }}
          REVISION: ${{ steps.vars.outputs.revision }}
        run: |
          set -e
          echo $TAG
          echo $REVISION
          echo ${{ steps.vars.outputs.tag }}
          echo ${{ steps.vars.outputs.revision }}
          
          echo -e 'class OtcAuth < Formula\n  desc "Open Source CLI for the Open Telekom Cloud written in go"\n  homepage "https://github.com/iits-consulting/otc-auth"\n  url "https://github.com/iits-consulting/otc-auth.git",\n      tag:      "'${TAG}'",\n     revision: "'${REVISION}'"\n  license "GPLv3"\n  head "https://github.com/iits-consulting/otc-auth.git", branch: "main"\n  depends_on "bash" => :build\n  depends_on "coreutils" => :build\n  depends_on "go" => :build\n  uses_from_macos "rsync" => :build\n  def install\n    system "go", "build", "-ldflags", "-X main.version=#{version} -X main.date=#{Date.today}"\n    bin.install "./otc-auth"\n  end\n  test do\n    run_output = shell_output("#{bin}/otc-auth version 2>&1")\n    assert run_output.start_with?("OTC-Auth #{version}")\n  end\nend' > otc-auth.rb

      - name: Push to brew repo
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.BREW_SSH_DEPLOY_KEY }}
        with:
          source-directory: Formula
          target-directory: Formula
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'homebrew-tap'
          user-email: mweya.ruider@iits-consulting.de
          target-branch: main

  wikiupdate:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go environment
        uses: actions/setup-go@v3
        with:
          go-version: '1.20'
      - name: Checkout
        uses: actions/checkout@v2
      - name: Get dependencies
        run: go mod download
      - name: Build
        run: go run main.go documentation
      - name: Checkout wiki code
        uses: actions/checkout@v2
        with:
          repository: ${{github.repository}}.wiki
          path: markdown
      - name: Push to wiki
        run: |
          cp -r generated-documentation.md markdown/
          cd markdown
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add .
          git diff-index --quiet HEAD || git commit -m "Updated docs" && git push