.github/workflows/go.yml

name: Go package

on:
  push:
    tags:
      - "v*" # push events to tagged commits
    branches:
      - "**"
  schedule: # nightly release
    - cron: "15 9 * * 2-6" # Tuesday to Saturday at 2:15 AM

permissions:
  contents: read
  id-token: write # for GitHub id-token auth

jobs:
  go-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      - name: Run Go unit tests
        run: go test -test.short -v ./...
        working-directory: src

      - name: Verify Go modules
        working-directory: src
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum || { echo "Go modules are not up to date"; exit 1; }

      - name: Verify Proto files
        working-directory: src
        run: |
          go run github.com/bufbuild/buf/cmd/buf@v1.31.0 generate protos
          git diff --exit-code protos || { echo "Proto files are not up to date"; exit 1; }

      - name: Build MacOS binary
        run: GOOS=darwin go build ./cmd/cli
        working-directory: src

      - name: Build Windows binary
        run: GOOS=windows go build ./cmd/cli
        working-directory: src

  nix-shell-test:
    runs-on: ubuntu-latest
    needs: go-test
    steps:
      - uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v26
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - name: Check nix-shell default.nix
        run: |
          set -o pipefail
          nix-shell --pure -E 'with import <nixpkgs> {}; mkShell { buildInputs = [ (import ./default.nix {}) ]; }' --run defang 2>&1 | sed -u 's|\s\+got:|::error file=pkgs/defang/cli.nix,line=9::Replace the vendorHash with the correct value:|'

  # go-byoc-test:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: Configure AWS Credentials for CI
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         aws-region: us-west-2
  #         output-credentials: true
  #         role-to-assume: arn:aws:iam::488659951590:role/ci-role-d4fe904 # ciRoleArn from defang-io/infrastructure stack

  #     - name: Configure AWS Credentials for Staging
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         aws-region: us-west-2
  #         role-duration-seconds: 1200
  #         role-chaining: true
  #         role-to-assume: arn:aws:iam::426819183542:role/admin # adminUserRoleArn from defang-io/bootstrap stack

  #     - uses: actions/checkout@v4

  #     - name: Set up Go
  #       uses: actions/setup-go@v5
  #       with:
  #         go-version-file: src/go.mod
  #         cache-dependency-path: src/go.sum

  #     - name: Run sanity tests
  #       run: go run ./cmd/cli compose up -f testdata/compose.yaml
  #       working-directory: src

  go-playground-test:
    runs-on: ubuntu-latest
    needs: go-test
    env:
      COMPOSE_PROJECT_NAME: ${{ github.run_id }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      - name: Login using GitHub token
        run: go run ./cmd/cli login --debug
        working-directory: src

      - name: Add dummy config
        run: echo blah | go run ./cmd/cli config set -n dummy -f testdata/sanity/compose.yaml --debug
        working-directory: src

      - name: Run sanity tests UP
        continue-on-error: true # until we have multi-project support in playground
        run: go run ./cmd/cli compose up -f testdata/sanity/compose.yaml --debug
        working-directory: src

      - name: Run sanity tests DOWN
        continue-on-error: true # until we have multi-project support in playground
        run: go run ./cmd/cli compose down --detach -f testdata/sanity/compose.yaml --debug
        working-directory: src

  build-and-sign:
    name: Build app and sign files (with Trusted Signing)
    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' # only run this step on tagged commits or the main branch
    environment: release # must use environment to be able to authenticate with Azure Federated Identity for Trusted Signing
    needs: go-test
    runs-on: windows-latest
    env: # from https://github.com/spiffe/spire/pull/5158
      GOPATH: 'D:\golang\go'
      GOCACHE: 'D:\golang\cache'
      GOMODCACHE: 'D:\golang\modcache'
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      - name: Download Go dependencies
        run: go mod download
        working-directory: src

      - name: Run GoReleaser (Linux)
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
          # version: latest
          args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}}
          workdir: src
        env:
          GGOOS: linux
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

      - name: Run GoReleaser (Windows)
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
          # version: latest
          args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}}
          workdir: src
        env:
          GGOOS: windows
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

      # From https://github.com/Azure/trusted-signing-action/pull/37
      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Trusted Signing
        uses: Azure/trusted-signing-action@v0.3.20
        with:
          endpoint: https://wus2.codesigning.azure.net/ # from Azure portal
          trusted-signing-account-name: DefangLabs # from Azure portal
          certificate-profile-name: signed-binary${{ !startsWith(github.ref, 'refs/tags/v') && '-test' || '' }} # from Azure portal
          files-folder: ${{ github.workspace }}\src\dist
          files-folder-filter: exe # no dll
          files-folder-recurse: true
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: false
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true

      - name: Update archives
        if: startsWith(github.ref, 'refs/tags/v') # skip this step for snapshots because we don't know the name of the archive
        env:
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          $version = $env:GITHUB_REF_NAME -replace '^v', ''
          Compress-Archive -Path defang-cli_windows_amd64_v1\* -DestinationPath "defang_${version}_windows_amd64.zip" -Update
          Compress-Archive -Path defang-cli_windows_arm64*\* -DestinationPath "defang_${version}_windows_arm64.zip" -Update
        shell: pwsh
        working-directory: src\dist\windows

      - name: Upload dist-win folder
        uses: actions/upload-artifact@v4
        with:
          name: dist-win
          path: src/dist
          if-no-files-found: error

  build-and-sign-mac:
    name: Build app and sign (MacOS)
    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' # only run this step on tagged commits or the main branch
    needs: go-test
    runs-on: macos-latest # for codesign and notarytool
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      # - name: Download Go dependencies
      #   run: go mod download
      #   working-directory: src

      - name: Run GoReleaser (macOS)
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
          # version: latest
          args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}}
          workdir: src
        env:
          GGOOS: darwin
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
          MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }}
          MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }}

      - name: Upload dist-mac folder
        uses: actions/upload-artifact@v4
        with:
          name: dist-mac
          path: src/dist
          if-no-files-found: error

  go-release:
    if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits
    environment: release
    needs:
      - build-and-sign-mac
      - build-and-sign
    runs-on: ubuntu-latest
    permissions:
      contents: write # to upload archives as GitHub Releases
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # for release notes

      - name: Install Nix (for nix-prefetch-url)
        uses: cachix/install-nix-action@v26

      - name: Download dist-mac folder
        uses: actions/download-artifact@v4
        with:
          name: dist-mac
          path: src/dist

      - name: Download dist-win folder
        uses: actions/download-artifact@v4
        with:
          name: dist-win
          path: src/dist

      - name: List files
        run: ls -lR src/dist

      - name: Set up Go # not sure why this is needed for release
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
          # version: latest
          args: continue --merge
          workdir: src
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository
          DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
          DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}

  nighly-release:
    if: ${{ github.event_name == 'schedule' }}
    environment: release
    needs:
      - build-and-sign-mac
      - build-and-sign
    runs-on: ubuntu-latest
    permissions:
      contents: write # to upload archives as GitHub Releases
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # for release notes

      - name: Install Nix (for nix-prefetch-url)
        uses: cachix/install-nix-action@v26

      - name: Download dist-mac folder
        uses: actions/download-artifact@v4
        with:
          name: dist-mac
          path: src/dist

      - name: Download dist-win folder
        uses: actions/download-artifact@v4
        with:
          name: dist-win
          path: src/dist

      - name: List files
        run: ls -lR src/dist

      - name: Set up Go # not sure why this is needed for release
        uses: actions/setup-go@v5
        with:
          go-version-file: src/go.mod
          cache-dependency-path: src/go.sum

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
          # version: latest
          args: continue --merge --skip announce
          workdir: src
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository

  post-release:
    runs-on: ubuntu-latest
    needs: go-release
    steps:
      # - name: Update Windows s.defang.io/defang_win_amd64.zip short link
      #   run: |
      #     curl --request POST \
      #       --url https://api.short.io/links/$DEFANG_WIN_AMD64_LNK \
      #       --header "Authorization: $SHORTIO_PK" \
      #       --header 'accept: application/json' \
      #       --header 'content-type: application/json' \
      #       --data "{\"originalURL\":\"https://github.com/DefangLabs/defang/releases/download/${TAG}/defang_${TAG#v}_windows_amd64.zip\"}"
      #   env:
      #     SHORTIO_PK: ${{ secrets.SHORTIO_PK }}
      #     TAG: ${{ github.ref_name }}
      #     DEFANG_WIN_AMD64_LNK: "lnk_4vSQ_CDukZ5POEE4o0mMDysr2U"

      - name: Trigger CLI Autodoc
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.DOCS_ACTION_TRIGGER_TOKEN }}
          repository: DefangLabs/defang-docs
          event-type: cli-autodoc
          client-payload: '{"version": "${{ github.ref_name }}"}'

      - name: Trigger Homebrew Formula Update
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.HOMEBREW_ACTION_TRIGGER_TOKEN }}
          repository: DefangLabs/homebrew-defang
          event-type: update-homebrew-formula
          client-payload: '{"version": "${{ github.ref_name }}"}'

      - name: Checkout tag
        uses: actions/checkout@v4

      - name: Install node
        uses: actions/setup-node@v4
        with:
          node-version: "20" # same as the version in flake.nix
          registry-url: https://registry.npmjs.org

      - name: Build npm package
        shell: bash
        working-directory: ./pkgs/npm
        run: |
          # Get version number without the 'v'
          export version_number=`echo "${{ github.ref_name }}" | cut -c2- `

          echo "Setting version number to ${version_number}"
          # update version placeholder in package.json with version matching binary.
          npm version ${version_number}

          # install dependencies
          npm ci --ignore-scripts

          # build
          npm run build

      - run: npm publish --access public
        shell: bash
        working-directory: ./pkgs/npm
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}

  cleanup-nightly:
    runs-on: ubuntu-latest
    needs: nighly-release
    steps:
      - name: "Clean up nightly releases"
        uses: dev-drprasad/delete-older-releases@v0.3.4
        with:
          keep_latest: 5
          delete_tags: true
          delete_tag_pattern: nightly
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository