---
# Release workflow: triggered when a GitHub release is created.
name: Release

on:
  release:
    types:
      - created

# Every `run` step is executed with bash unless a step says otherwise.
defaults:
  run:
    shell: bash

env:
  # Tag of the release that triggered the run. Scripts read it from the
  # environment as "$tag_name" instead of having the expression expanded
  # into the script text.
  tag_name: "${{ github.event.release.tag_name }}"
  # Files and directories copied into every package. The folded scalar
  # yields one space-separated line that the Package steps word-split.
  package_resources: >-
    README.md LICENSE-APACHE LICENSE-MIT
    docs lang res tmpl
    config.toml.dist
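jobs:
  # NOTE(review): the actions used below are referenced by mutable tags or
  # branches (`@v4`, `@v3`, `@v1`, `@stable`). Pinning each `uses:` to a full
  # commit SHA keeps an upstream retag from changing what runs with the
  # release token and registry credentials.

  # Builds static musl binaries inside the rust-musl-cross container and
  # attaches one .tgz per target to the release.
  release-linux:
    strategy:
      fail-fast: false
      matrix:
        # These are tags for rust-musl-cross.
        # NOTE: Packages are named after the first component of the target,
        # so these must be unique.
        # NOTE: On Linux, we are limited mostly by arch support in Ring.
        # See: https://github.com/briansmith/ring/blob/main/mk/cargo.sh
        target:
          - aarch64-musl
          - x86_64-musl
    runs-on: ubuntu-latest
    # Least privilege: attaching release assets is the only write this job
    # performs with GITHUB_TOKEN.
    permissions:
      contents: write
    container: "ghcr.io/rust-cross/rust-musl-cross:${{ matrix.target }}"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install GitHub CLI
        run: |
          # --fail makes an HTTP error abort the step instead of handing an
          # error page to dpkg.
          # NOTE(review): the package is installed without an integrity
          # check; compare it against the checksum published for this
          # release before running dpkg.
          curl -fLo gh.deb https://github.com/cli/cli/releases/download/v1.11.0/gh_1.11.0_linux_amd64.deb
          dpkg -i gh.deb
          rm gh.deb
      - name: Build
        run: cargo build --release --locked
      - name: Package
        env:
          matrix_target: ${{ matrix.target }}
        run: |
          rm docs/build.md # Not useful for binaries
          mkdir release-packages
          # Deliberately unquoted: the glob is expanded when cp runs.
          broker_executable=target/*-unknown-linux-musl*/release/portier-broker
          # Package name uses the first component of the target (text before
          # the first '-').
          basename="Portier-Broker-${tag_name}-Linux-${matrix_target/-*/}"
          mkdir "$basename"
          cp $broker_executable "$basename/"
          # $package_resources is word-split on purpose (space-separated list).
          cp -r $package_resources "$basename/"
          tar -czf "release-packages/$basename.tgz" "$basename"
      - name: Upload
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Workaround for wonky ownership because we build in docker.
          git config --global --add safe.directory "$PWD"
          gh release upload "$tag_name" release-packages/*

  # Builds both Apple targets, merges them into one universal binary with
  # lipo, ad-hoc signs it and attaches the .tgz to the release.
  release-macos:
    runs-on: macos-latest
    # Least privilege: attaching release assets is the only write this job
    # performs with GITHUB_TOKEN.
    permissions:
      contents: write
    env:
      build_targets: |
        aarch64-apple-darwin
        x86_64-apple-darwin
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Add targets
        run: |
          # $build_targets is word-split on purpose (one target per line).
          rustup target add $build_targets
      - name: Build
        run: |
          # A failed target only produces a warning; packaging continues with
          # whatever binaries were built.
          for target in $build_targets; do
            echo "::group::Building for $target"
            if ! cargo build --release --locked --target "$target"; then
              echo "::warning::Build for $target failed"
            fi
            echo "::endgroup::"
          done
      - name: Package
        run: |
          rm docs/build.md # Not useful for binaries
          rm -r docs/systemd # Linux-specific
          mkdir release-packages
          basename="Portier-Broker-${tag_name}-Darwin"
          mkdir "$basename"
          # The glob picks up the binary of every target that built.
          lipo -create -output "$basename/portier-broker" ./target/*/release/portier-broker
          # `-s -` is an ad-hoc signature (no signing identity).
          codesign --force -s - "$basename/portier-broker"
          cp -r $package_resources "$basename/"
          tar -czf "release-packages/$basename.tgz" "$basename"
      - name: Upload
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "$tag_name" release-packages/*

  # Builds the MSVC targets and attaches one .zip per target that built.
  release-windows:
    runs-on: windows-latest
    # Least privilege: attaching release assets is the only write this job
    # performs with GITHUB_TOKEN.
    permissions:
      contents: write
    env:
      # NOTE: Packages are named after the first component of the triple, so
      # these must be unique.
      build_targets: |
        i686-pc-windows-msvc
        x86_64-pc-windows-msvc
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      # Required for building AWS Libcrypto
      - name: Install NASM
        uses: ilammy/setup-nasm@v1
      - name: Add targets
        run: |
          # $build_targets is word-split on purpose (one target per line).
          rustup target add $build_targets
      - name: Build
        run: |
          # A failed target only produces a warning; the Package step skips
          # targets whose executable is missing.
          for target in $build_targets; do
            echo "::group::Building for $target"
            if ! cargo build --release --locked --target "$target"; then
              echo "::warning::Build for $target failed"
            fi
            echo "::endgroup::"
          done
      - name: Package
        run: |
          rm docs/build.md # Not useful for binaries
          rm -r docs/systemd # Linux-specific
          mkdir release-packages
          for target in $build_targets; do
            broker_executable="./target/$target/release/portier-broker.exe"
            if [ ! -f "$broker_executable" ]; then
              continue
            fi
            echo "::group::Packaging for $target"
            basename="Portier-Broker-${tag_name}-Windows-${target/-*/}"
            mkdir "$basename"
            cp "$broker_executable" "$basename/"
            cp -r $package_resources "$basename/"
            7z a -tzip "release-packages/$basename.zip" "$basename"
            echo "::endgroup::"
          done
      - name: Upload
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "$tag_name" release-packages/*

  # Wraps the Linux release packages in per-architecture images, combines
  # them in a scratch registry and copies the result to GHCR and Docker Hub.
  release-linux-docker:
    needs: release-linux
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    services:
      # Scratch registry for building multiarch images.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    env:
      scratch_repo: "localhost:5000/scratch"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: arm64
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # Need network=host for the builder to contact our scratch registry.
          driver: docker-container
          driver-opts: network=host
      - name: Build
        run: |
          # Map Docker arch to package name
          declare -A build_targets
          build_targets['amd64']='x86_64'
          build_targets['arm64/v8']='aarch64'

          declare -a scratch_tags
          for docker_arch in "${!build_targets[@]}"; do
            pkg_arch="${build_targets[$docker_arch]}"

            # This download may fail if the release build failed for this
            # platform. Continue without the platform, in that case.
            echo "::group::Downloading package for $pkg_arch"
            basename="Portier-Broker-${tag_name}-Linux-${pkg_arch}"
            if ! wget "https://github.com/portier/portier-broker/releases/download/${tag_name}/${basename}.tgz"; then
              echo "::endgroup::"
              continue
            fi
            tar -xzf "$basename.tgz"
            echo "::endgroup::"

            echo "::group::Building image for $docker_arch"
            # Reuse the Dockerfile base system, but copy in the release instead
            # of rebuilding. This ensures we use the same binaries everywhere.
            cp Dockerfile Dockerfile-release
            echo "FROM base AS release" >> Dockerfile-release
            echo "COPY ./$basename /opt/portier-broker" >> Dockerfile-release
            scratch_tag="$scratch_repo:$pkg_arch"
            docker buildx build \
              --platform "linux/$docker_arch" \
              --push --tag "$scratch_tag" \
              -f Dockerfile-release .
            scratch_tags+=( "$scratch_tag" )
            echo "::endgroup::"
          done

          # Create a combined 'latest' tag with the multiarch image list.
          docker buildx imagetools create -t "$scratch_repo" "${scratch_tags[@]}"
      - name: Upload
        env:
          # Credentials reach the script through the environment rather than
          # being expanded into the script text by the workflow template
          # engine, so a quote character in a value cannot change the command.
          GHCR_USERNAME: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          # We used to use skopeo to copy the final multiarch image, but the
          # current version installed on the GitHub runner is too old. Here we
          # setup regclient.
          # --fail makes an HTTP error abort the step instead of installing an
          # error page as the binary.
          # NOTE(review): `releases/latest` is an unpinned download that is
          # installed root-owned and then runs after the registry logins
          # below. Pin a specific regctl release and verify its published
          # checksum before the install line.
          curl -fL https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 > "/tmp/regctl"
          sudo install -t /usr/local/bin -o root -g root -m 0755 "/tmp/regctl"

          # Setup the scratch registry.
          regctl registry set --tls=disabled localhost:5000

          # Login to GitHub Container Registry.
          docker login --password-stdin \
            --username "$GHCR_USERNAME" \
            ghcr.io <<< "$GHCR_TOKEN"

          # Login to Docker Hub.
          docker login --password-stdin \
            --username "$DOCKERHUB_USERNAME" \
            <<< "$DOCKERHUB_TOKEN"

          # Publish a version-specific tag.
          regctl image copy "$scratch_repo" "ghcr.io/portier/portier-broker:$tag_name"
          regctl image copy "$scratch_repo" "docker.io/portier/broker:$tag_name"

          # Publish a 'latest' tag, unless the tag name contains "test".
          if ! grep -q "test" <<< "$tag_name"; then
            regctl image copy "$scratch_repo" "ghcr.io/portier/portier-broker:latest"
            regctl image copy "$scratch_repo" "docker.io/portier/broker:latest"
          fi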