.github/workflows/release.yml

name: Release

on:
  push:
    branches:
      - mbuild-pr
    tags:
      - "v*.*.*"

permissions:
  contents: write

jobs:
  cgo-build:
    strategy:
      matrix:
        targets:
          - 'linux-amd64'
          - 'linux-amd64-musl'
          - 'linux-arm64'
          - 'linux-arm64-musl'
    name: Build Binaries
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5

      - name: Declare version
        run: |
            echo BUILD_VERSION="$(git describe --tags --always)" >> $GITHUB_ENV

      - name: BUILD_VERSION go program
        id: cgo-action
        uses: go-cross/cgo-actions@v1
        env:
          BUILD_VERSION: ${{ env.BUILD_VERSION }}
        with:
          flags: -ldflags=-X 'github.com/Keeper-Security/linux-keyring-utility/cmd.Version=${{ env.BUILD_VERSION }}'
          targets: ${{ matrix.targets }}
          output: lkru-${{ github.ref_name }}_$target$ext

      - name: Upload Release Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: binaries-${{ matrix.targets }}
          path: |
            bin/*-${{ github.ref_name }}_*

  release:
    name: Create Release
    needs: cgo-build
    runs-on: ubuntu-latest
    steps:
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          path: bin
          pattern: binaries-*
          merge-multiple: true

      - name: Strip binaries with symbols
        run: |
              strip -s bin/*_linux-amd64

      - name: Create checksums
        run: |
          cd bin; shasum -a 256 *-${{ github.ref_name }}_* >| ../checksums.txt
  
      - name: Sign checksums
        run: |
          GPG_TTY=$(tty) gpg -vvv --batch --yes --detach-sign --armor \
            --output checksums.txt.sig \
            --passphrase "${{ secrets.GPG_PASSPHRASE }}" \
            --pinentry-mode loopback checksums.txt

      - name: Create release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create "${{ github.ref_name }}" \
            --title "${{ github.ref_name }}" \
            --repo "${{ github.repository }}" \
            --generate-notes

      - name: Upload artifacts
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "${{ github.ref_name }}" \
            --repo "${{ github.repository }}" \
            bin/*-${{ github.ref_name }}_* \
            checksums.txt checksums.txt.sig