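name: Release

# Builds the full release tarball (orchestrator + agent + live image +
# deploy scripts) and publishes it to the Gitea generic package
# registry under two versions:
#   - sha-<short_sha>  immutable, per-commit pin
#   - latest           rolling alias (DELETE+PUT on each run)
#
# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
#
# This workflow uploads only the tarball: no checksum or signature is
# published next to it.
# NOTE(review): confirm how deploy/proxmox-install.sh verifies the bundle
# it downloads; transport security and registry access control are the
# only integrity guarantees visible from this file.

on:
  push:
    branches: [main]

# Least privilege for the job token: read-only on repository contents.
# Registry writes use the separate REGISTRY_TOKEN secret, which is exposed
# only to the two publish steps below.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      # NOTE(review): both actions are referenced by a mutable major tag.
      # They run before the bundle is built and published, so pinning them
      # to a full commit SHA would keep a retagged action from changing
      # what ends up in the release.
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.26.x"
          cache: false

      - name: Install live-image build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends \
            mkosi debootstrap squashfs-tools dosfstools \
            systemd-ukify systemd-boot kmod \
            debian-archive-keyring

      # The code generator is pinned to an exact module version.
      - name: Install templ
        run: go install github.com/a-h/templ/cmd/templ@v0.3.1001

      - name: Build release bundle
        run: make release

      # Exposes the short commit hash and the bundle path as step outputs.
      # The path must match the file name that `make release` writes.
      - name: Resolve bundle path + short sha
        id: meta
        run: |
          short_sha=$(git rev-parse --short HEAD)
          echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
          echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"

      # Context values reach the shell through env rather than being
      # interpolated into the script text.
      - name: Publish sha-pinned bundle
        env:
          REGISTRY_URL: ${{ vars.REGISTRY_URL }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          OWNER: ${{ gitea.repository_owner }}
          SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
          BUNDLE: ${{ steps.meta.outputs.bundle }}
        run: |
          curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
            --upload-file "${BUNDLE}" \
            "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"

      # The alias is replaced with DELETE followed by PUT, which is not
      # atomic: between the two requests "latest" does not exist, and runs
      # for successive pushes can interleave.
      - name: Replace latest alias
        env:
          REGISTRY_URL: ${{ vars.REGISTRY_URL }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          OWNER: ${{ gitea.repository_owner }}
          BUNDLE: ${{ steps.meta.outputs.bundle }}
        run: |
          set -euo pipefail
          latest_url="${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"

          # Remove the previous alias. A 2xx (deleted) or 404 (nothing to
          # delete yet, e.g. the first run) is fine. Any other status, such
          # as a rejected token or a server error, stops the step here
          # instead of being hidden and resurfacing as a confusing upload
          # failure.
          status=$(curl -sSL -o /dev/null -w '%{http_code}' \
            -H "Authorization: token ${REGISTRY_TOKEN}" \
            -X DELETE "${latest_url}")
          case "${status}" in
            2??|404) ;;
            *)
              echo "DELETE of latest alias returned HTTP ${status}" >&2
              exit 1
              ;;
          esac

          curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
            --upload-file "${BUNDLE}" \
            "${latest_url}"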