.github/workflows/nightly.yaml

---
name: Nightly Builder
"on":
  push:
    tags:
      - "*"
  schedule:
    - cron: "0 0 * * *" # build nightly!
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag
        required: true
      name:
        description: Release name
        required: true

jobs:
  create-release:
    name: Create Release
    runs-on: ubuntu-latest

    steps:
      - name: Create artifacts directory
        run: mkdir artifacts

      - name: Get the release version from the tag
        id: release_version
        run: |
          if [[ "${{ github.event_name }}" == "schedule" ]]; then
            release_name="nightly-$(date '+%Y-%m-%d')"
            release_tag="$release_name"
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            release_name=${{ github.event.inputs.name }}
            release_tag=${{ github.event.inputs.tag }}
          else
            release_name="$(basename "${{ github.ref }}")"
            release_tag="$release_name"
          fi
          echo "Release name is: ${release_name}"
          echo "Release version is: ${release_tag}"
          echo "name=${release_name}" >> $GITHUB_OUTPUT
          echo "tag=${release_tag}" >> $GITHUB_OUTPUT

      - name: Clone Artichoke
        uses: actions/checkout@v3.5.3
        with:
          repository: artichoke/artichoke
          path: artichoke

      - name: Set latest_commit
        id: latest_commit
        working-directory: artichoke
        run: |
          artichoke_head=$(git rev-parse HEAD)
          echo "Artichoke HEAD commit is: ${artichoke_head}"
          echo "commit=${artichoke_head}" >> $GITHUB_OUTPUT

      - name: Create GitHub release
        id: release
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_version.outputs.tag }}
          draft: true
          prerelease: false
          name: ${{ steps.release_version.outputs.name }}
          body: artichoke/artichoke@${{ steps.latest_commit.outputs.commit }}

      - name: Save release commit hash to artifact
        run: echo "${{ steps.latest_commit.outputs.commit }}" > artifacts/release-commit-hash

      - name: Save release ID to artifact
        run: echo "${{ steps.release.outputs.id }}" > artifacts/release-id

      - name: Save release upload URL to artifact
        run: echo "${{ steps.release.outputs.upload_url }}" > artifacts/release-upload-url

      - name: Save version number to artifact
        run: echo "${{ steps.release_version.outputs.tag }}" > artifacts/release-version

      - name: Upload artifacts
        uses: actions/upload-artifact@v3.1.2
        with:
          name: artifacts
          path: artifacts

  build-release:
    name: Build Release
    needs: ["create-release"]
    runs-on: ${{ matrix.os }}

    strategy:
      fail-fast: false
      matrix:
        build:
          - linux-x64
          - linux-x64-musl
          - linux-arm64
          - macos-x64
          - macos-arm64
          - windows-x64
        include:
          - build: linux-x64
            os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - build: linux-x64-musl
            os: ubuntu-latest
            target: x86_64-unknown-linux-musl
          - build: linux-arm64
            os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
          - build: macos-x64
            os: macos-latest
            target: x86_64-apple-darwin
          - build: macos-arm64
            os: macos-latest
            target: aarch64-apple-darwin
          - build: windows-x64
            os: windows-latest
            target: x86_64-pc-windows-msvc
    env:
      RUST_BACKTRACE: 1

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.5.3

      - name: Get release download URL
        uses: actions/download-artifact@v3.0.2
        with:
          name: artifacts
          path: artifacts

      - name: Set release upload URL and release version
        shell: bash
        id: release_info
        run: |
          release_upload_url="$(cat artifacts/release-upload-url)"
          release_version="$(cat artifacts/release-version)"
          release_commit="$(cat artifacts/release-commit-hash)"

          echo "Release upload url: ${release_upload_url}"
          echo "Release version: ${release_version}"
          echo "Release commit: ${release_commit}"

          echo "upload_url=${release_upload_url}" >> $GITHUB_OUTPUT
          echo "version=${release_version}" >> $GITHUB_OUTPUT
          echo "commit=${release_commit}" >> $GITHUB_OUTPUT

      - name: Generate THIRDPARTY license listing
        uses: artichoke/generate_third_party@v1.11.0
        with:
          artichoke_ref: ${{ steps.release_info.outputs.commit }}
          target_triple: ${{ matrix.target }}
          output_file: ${{ github.workspace }}/THIRDPARTY.txt
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Clone Artichoke
        uses: actions/checkout@v3.5.3
        with:
          repository: artichoke/artichoke
          path: artichoke
          ref: ${{ steps.release_info.outputs.commit }}
          # Fetch all history.
          #
          # The Artichoke release metadata build script calculates Ruby
          # constants like `RUBY_REVISION` by walking the git history.
          fetch-depth: 0

      - name: Setup Python
        uses: actions/setup-python@v4.6.1
        with:
          python-version: "3.11"

      - name: Set Artichoke Rust toolchain version
        id: rust_toolchain
        working-directory: artichoke
        shell: python
        run: |
          import os
          import tomllib

          with open("rust-toolchain.toml", "rb") as f:
              data = tomllib.load(f)
          toolchain = data["toolchain"]["channel"]
          print(f"Rust toolchain version: {toolchain}")
          with open(os.environ["GITHUB_OUTPUT"], "a") as f:
              print(f"version={toolchain}", file=f)

      - name: Install Rust toolchain
        uses: artichoke/setup-rust/build-and-test@v1.10.0
        with:
          toolchain: ${{ steps.rust_toolchain.outputs.version }}
          target: ${{ matrix.target }}

      - name: Setup Python
        uses: actions/setup-python@v4.6.1

      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
      # pub   ed25519 2021-01-03 [SC]
      #       C983 8F10 4021 F59E E6F6  BCBE B199 D034 7FDA 14A4
      # uid           [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
      # sub   cv25519 2021-01-03 [E]
      #       7719 1B6D 83B2 F4E8 5197  125B A9A3 F70E 710A 15AA
      # sub   ed25519 2021-01-03 [S]
      #       1C4A 856A CF86 EC1E E841  180F AF57 A37C AC06 1452
      # ```
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452

      - name: List keys
        run: gpg -K

      - name: Install musl x86_64
        if: matrix.build == 'linux-x64-musl'
        run: |
          sudo apt update
          sudo apt install musl-tools

      - name: Install gcc aarch64 cross compiler
        if: matrix.build == 'linux-arm64'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
          # https://github.com/rust-lang/rust-bindgen/issues/1229
          echo 'BINDGEN_EXTRA_CLANG_ARGS=--sysroot=/usr/aarch64-linux-gnu' >> $GITHUB_ENV
          # https://github.com/rust-lang/rust/issues/28924
          echo 'CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc' >> $GITHUB_ENV

      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release --target ${{ matrix.target }}

      - name: Install Python dependencies
        if: runner.os == 'macOS'
        run: |
          python3 -m venv --upgrade-deps venv
          ./venv/bin/pip install --upgrade pip wheel
          ./venv/bin/pip install --require-hashes -r requirements.txt

      # This will codesign binaries in place which means that the tarballed
      # binaries will be codesigned as well.
      - name: Run Apple Codesigning and Notarization
        id: apple_codesigning
        if: runner.os == 'macOS'
        run: |
          ./venv/bin/python3 macos_sign_and_notarize.py "artichoke-nightly-${{ matrix.target }}" \
            --binary "artichoke/target/${{ matrix.target }}/release/artichoke" \
            --binary "artichoke/target/${{ matrix.target }}/release/airb" \
            --resource artichoke/LICENSE \
            --resource artichoke/README.md \
            --resource THIRDPARTY.txt \
            --dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
        env:
          MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}

      - name: GPG sign Apple DMG
        id: apple_codesigning_gpg
        if: runner.os == 'macOS'
        run: |
          python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
            --artifact "${{ steps.apple_codesigning.outputs.asset }}"

      - name: Upload release archive
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        if: runner.os == 'macOS'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.apple_codesigning.outputs.asset }}
          artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}

      - name: Upload release signature
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        if: runner.os == 'macOS'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
          artifactContentType: "text/plain"

      - name: Build archive
        shell: bash
        id: build
        run: |
          staging="artichoke-nightly-${{ matrix.target }}"
          mkdir -p "$staging"/
          cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
          if [ "${{ runner.os }}" = "Windows" ]; then
            cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
            cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
            7z a "$staging.zip" "$staging"
            echo "asset=$staging.zip" >> $GITHUB_OUTPUT
            echo "content_type=application/zip" >> $GITHUB_OUTPUT
          else
            cp "artichoke/target/${{ matrix.target }}/release/artichoke" "$staging/"
            cp "artichoke/target/${{ matrix.target }}/release/airb" "$staging/"
            tar czf "$staging.tar.gz" "$staging"
            echo "asset=$staging.tar.gz" >> $GITHUB_OUTPUT
            echo "content_type=application/gzip" >> $GITHUB_OUTPUT
          fi

      - name: GPG sign archive
        id: gpg_signing
        run: python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" --artifact "${{ steps.build.outputs.asset }}"

      - name: Upload release archive
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.build.outputs.asset }}
          artifactContentType: ${{ steps.build.outputs.content_type }}

      - name: Upload release signature
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.gpg_signing.outputs.signature }}
          artifactContentType: "text/plain"

  package-source-archive:
    name: Package Source Archive
    needs: ["create-release"]
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        archive:
          - tar.gz
          - zip

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.5.3

      - name: Get release download URL
        uses: actions/download-artifact@v3.0.2
        with:
          name: artifacts
          path: artifacts

      - name: Set release upload URL and release version
        shell: bash
        id: release_info
        run: |
          release_upload_url="$(cat artifacts/release-upload-url)"
          release_version="$(cat artifacts/release-version)"
          release_commit="$(cat artifacts/release-commit-hash)"

          echo "Release upload url: ${release_upload_url}"
          echo "Release version: ${release_version}"
          echo "Release commit: ${release_commit}"

          echo "upload_url=${release_upload_url}" >> $GITHUB_OUTPUT
          echo "version=${release_version}" >> $GITHUB_OUTPUT
          echo "commit=${release_commit}" >> $GITHUB_OUTPUT

      - name: Clone Artichoke
        uses: actions/checkout@v3.5.3
        with:
          repository: artichoke/artichoke
          path: artichoke
          ref: ${{ steps.release_info.outputs.commit }}

      - name: Setup Python
        uses: actions/setup-python@v4.6.1

      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
      # pub   ed25519 2021-01-03 [SC]
      #       C983 8F10 4021 F59E E6F6  BCBE B199 D034 7FDA 14A4
      # uid           [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
      # sub   cv25519 2021-01-03 [E]
      #       7719 1B6D 83B2 F4E8 5197  125B A9A3 F70E 710A 15AA
      # sub   ed25519 2021-01-03 [S]
      #       1C4A 856A CF86 EC1E E841  180F AF57 A37C AC06 1452
      # ```
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452

      - name: List keys
        run: gpg -K

      - name: Build source archive
        run: |
          git -C artichoke archive \
            --format ${{ matrix.archive }} \
            -9 \
            --output=`pwd`/artichoke-nightly.source.${{ matrix.archive }} \
            ${{ steps.release_info.outputs.commit }}

      - name: Install Python dependencies
        if: runner.os == 'macOS'
        run: |
          python3 -m venv --upgrade-deps venv
          ./venv/bin/pip install --upgrade pip wheel
          ./venv/bin/pip install --require-hashes -r requirements.txt

      - name: Build archive
        shell: bash
        id: build
        run: |
          if [ "${{ matrix.archive }}" = "zip" ]; then
            echo "asset=artichoke-nightly.source.zip" >> $GITHUB_OUTPUT
            echo "content_type=application/zip" >> $GITHUB_OUTPUT
          else
            echo "asset=artichoke-nightly.source.tar.gz" >> $GITHUB_OUTPUT
            echo "content_type=application/gzip" >> $GITHUB_OUTPUT
          fi

      - name: GPG sign archive
        id: gpg_signing
        run: python3 gpg_sign.py "artichoke-nightly-${{ matrix.archive }}" --artifact "${{ steps.build.outputs.asset }}"

      - name: Upload release archive
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.build.outputs.asset }}
          artifactContentType: ${{ steps.build.outputs.content_type }}

      - name: Upload release signature
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.gpg_signing.outputs.signature }}
          artifactContentType: "text/plain"

  finalize-release:
    name: Publish Release
    needs: ["build-release", "package-source-archive"]
    runs-on: ubuntu-latest
    steps:
      - name: Get release download URL
        uses: actions/download-artifact@v3.0.2
        with:
          name: artifacts
          path: artifacts

      - name: Set publish_info
        id: publish_info
        run: echo "release_tag=$(cat artifacts/release-version)" >> $GITHUB_OUTPUT

      - name: Publish release
        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.publish_info.outputs.release_tag }}
          draft: false
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true

      - uses: eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1
        if: github.event_name == 'schedule'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          n: 7