name: Test Installers Build

on:
  workflow_dispatch:
  release:
    types: [created]

permissions:
  contents: read

jobs:
  read_versions:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.versionNumber.outputs.versionNumber }}
      versionMac: ${{ steps.versionNumberMac.outputs.versionNumberMac }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Get version number
      - name: Get version number
        id: versionNumber
        run: |
          VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}')
          echo "versionNumber=$VERSION" >> $GITHUB_OUTPUT

      - name: Get version number mac
        id: versionNumberMac
        run: |
          VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}')
          CURRENT_YEAR=$(date +'%Y')
          IFS='.' read -r -a VERSION_PARTS <<< "$VERSION"
          MAC_VERSION="$CURRENT_YEAR.${VERSION_PARTS[1]:-0}.${VERSION_PARTS[2]:-0}"
          echo "versionNumberMac=$MAC_VERSION" >> $GITHUB_OUTPUT

  build-portable:
    needs: read_versions
    runs-on: ubuntu-latest
    strategy:
      matrix:
        enable_security: [true, false]
        include:
          - enable_security: true
            file_suffix: "-with-login"
          - enable_security: false
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
        with:
          java-version: "21"
          distribution: "temurin"

      - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
        with:
          gradle-version: 8.12

      - name: Generate jar (With Security=${{ matrix.enable_security }})
        run: ./gradlew clean createExe
        env:
          DOCKER_ENABLE_SECURITY: ${{ matrix.enable_security }}
          STIRLING_PDF_DESKTOP_UI: false

      - name: Rename binaries
        run: |
          mkdir ./binaries
          mv ./build/launch4j/Stirling-PDF.exe ./binaries/win-Stirling-PDF-portable-Server${{ matrix.file_suffix }}.exe
          mv ./build/libs/Stirling-PDF-${{ needs.read_versions.outputs.version }}.jar ./binaries/Stirling-PDF${{ matrix.file_suffix }}.jar

      - name: Upload build artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: stirling${{ matrix.file_suffix }}-binaries
          path: |
            ./binaries/*

  sign_verify-portable:
    needs: [build-portable, read_versions]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        enable_security: [true, false]
        include:
          - enable_security: true
            file_suffix: "with-login-"
          - enable_security: false
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: stirling-${{ matrix.file_suffix }}binaries

      - name: Display structure of downloaded files
        run: ls -R

      - name: Upload signed artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: stirling-${{ matrix.file_suffix }}signed
          path: |
            ./*
            !cosign.*

  build-installers:
    needs: read_versions
    strategy:
      matrix:
        include:
          - os: windows-latest
            platform: win-
          - os: macos-latest
            platform: mac-
          # - os: ubuntu-latest
          #   platform: linux-
    runs-on: ${{ matrix.os }}
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
        with:
          java-version: "21"
          distribution: "temurin"

      - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
        with:
          gradle-version: 8.12

      # Install Windows dependencies
      - name: Install WiX Toolset
        if: matrix.os == 'windows-latest'
        run: |
          curl -L -o wix.exe https://github.com/wixtoolset/wix3/releases/download/wix3141rtm/wix314.exe
          .\wix314.exe /install /quiet

      # Build installer
      - name: Build Installer
        run: ./gradlew build jpackage -x test --info
        env:
          DOCKER_ENABLE_SECURITY: false
          STIRLING_PDF_DESKTOP_UI: true
          BROWSER_OPEN: true

      # Rename and collect artifacts based on OS
      - name: Prepare artifacts
        id: prepare
        shell: bash
        run: |
          mkdir ./binaries
          if [ "${{ matrix.os }}" = "windows-latest" ]; then
            mv "./build/jpackage/Stirling-PDF-${{ needs.read_versions.outputs.version }}.exe" "./binaries/Stirling-PDF-win-installer.exe"
          elif [ "${{ matrix.os }}" = "macos-latest" ]; then
            mv "./build/jpackage/Stirling-PDF-${{ needs.read_versions.outputs.versionMac }}.dmg" "./binaries/Stirling-PDF-mac-installer.dmg"
          else
            mv "./build/jpackage/stirling-pdf_${{ needs.read_versions.outputs.version }}-1_amd64.deb" "./binaries/Stirling-PDF-linux-installer.deb"
          fi

      - name: Display structure of downloaded files
        run: ls -R ./binaries

      - name: Upload build artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: ${{ matrix.platform }}binaries
          path: |
            ./binaries/*

  sign_verify:
    needs: [read_versions, build-installers]
    strategy:
      matrix:
        include:
          - os: windows-latest
            platform: win-
          - os: macos-latest
            platform: mac-
          # - os: ubuntu-latest
          #   platform: linux-
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ matrix.platform }}binaries

      - name: Display structure of downloaded files
        run: ls -R

      - name: Install Cosign
        if: matrix.os == 'windows-latest'
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Generate key pair
        if: matrix.os == 'windows-latest'
        run: cosign generate-key-pair

      - name: Sign and generate attestations
        if: matrix.os == 'windows-latest'
        run: |
          cosign sign-blob \
            --key ./cosign.key \
            --yes \
            --output-signature ./Stirling-PDF-win-installer.exe.sig \
            ./Stirling-PDF-win-installer.exe

          cosign attest-blob \
            --predicate - \
            --key ./cosign.key \
            --yes \
            --output-attestation ./Stirling-PDF-win-installer.exe.intoto.jsonl \
            ./Stirling-PDF-win-installer.exe

          cosign verify-blob \
            --key ./cosign.pub \
            --signature ./Stirling-PDF-win-installer.exe.sig \
            ./Stirling-PDF-win-installer.exe

      - name: Display structure of downloaded files
        run: ls -R

      - name: Upload signed artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: ${{ matrix.platform }}signed
          path: |
            ./Stirling-PDF-${{ matrix.platform }}installer.*
            !cosign.*

  create-release:
    needs: [read_versions, sign_verify, sign_verify-portable]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - name: Download signed artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      - name: Display structure of downloaded files
        run: ls -R
      - name: Upload binaries, attestations and signatures to Release and create GitHub Release
        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
        with:
          tag_name: v${{ needs.read_versions.outputs.version }}
          generate_release_notes: true
          files: |
            ./*signed/*