name: build

on:
  workflow_call:
    inputs:
      projects:
        required: true
        type: string
      platform:
        required: true
        type: string

jobs:
  get-platform:
    runs-on: ubuntu-latest
    outputs:
      os: ${{ steps.platform.outputs.os }}
      build-os: ${{ steps.platform.outputs.build-os }}
      container: ${{ steps.platform.outputs.container }}
      test-matrix: ${{ steps.platform.outputs.test-matrix }}
      cache-set: ${{ steps.platform.outputs.cache-set }}
    steps:
      - uses: teaxyz/brewkit/actions/get-platform@v0
        id: platform
        with:
          platform: ${{ inputs.platform }}

  build:
    runs-on: ${{ fromJson(needs.get-platform.outputs.build-os) }}
    container: ${{ fromJson(needs.get-platform.outputs.container) }}
    needs: [get-platform]
    steps:
      - uses: actions/checkout@v3

      - uses: teaxyz/brewkit/actions/setup-brewkit@v0
        id: tea
        with:
          prefix: /opt

      - name: sanitize macOS runners
        if: fromJson(needs.get-platform.outputs.build-os) == 'macos-11'
        run: sudo mv /usr/local/bin/* /tmp/

      # setup macOS codesigning
      - uses: teaxyz/brewkit/actions/setup-codesign@v0
        if: startsWith(inputs.platform, 'darwin+') && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
        with:
            p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
            p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}

      - run: pkg build ${{ inputs.projects }}
        id: build
        env:
          GITHUB_TOKEN: ${{ github.token }}
          FORCE_UNSAFE_CONFIGURE: 1  # some configure scripts refuse to run as root
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY || '-' }}

      - run: |
          ABS_PATHS=$(echo $PATHS | tr ' ' '\n' | sed -e "s_^_$TEA_PREFIX/_" | tr '\n' ' ')
          echo "paths=$ABS_PATHS" >> $GITHUB_OUTPUT
        if: startsWith(inputs.platform, 'darwin+')
        id: absolute-paths
        env:
          PATHS: ${{ steps.build.outputs.relative-paths }}
          TEA_PREFIX: ${{ steps.tea.outputs.prefix }}

      # cache data we'll need in the bottling job
      - name: assemble artifact metadata
        run: |
          echo ${{ steps.build.outputs.pkgs }} >built
          echo ${{ steps.build.outputs.srcs-relative-paths }} >srcs
        working-directory: ${{ steps.tea.outputs.prefix }}

      # tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions
      # /ref https://github.com/actions/upload-artifact/issues/38
      - name: create artifacts.tgz
        run:
          tar czvf $GITHUB_WORKSPACE/artifacts.tgz
            ${{ steps.build.outputs.relative-paths }}
            ${{ steps.build.outputs.srcs-relative-paths }}
            built srcs
        working-directory: ${{ steps.tea.outputs.prefix }}

      - name: upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ inputs.platform }}
          path: artifacts.tgz
          if-no-files-found: error

  test:
    needs: [get-platform, build]
    runs-on: ${{ matrix.platform.os }}
    strategy:
      matrix:
        platform: ${{ fromJson(needs.get-platform.outputs.test-matrix) }}
    name:
      test ${{ matrix.name-extra }}
    outputs:
      HAS_SECRETS: ${{ env.HAS_SECRETS }}
    container: ${{ matrix.platform.container }}
    steps:
      - uses: actions/checkout@v3
      - uses: teaxyz/brewkit/actions/setup-brewkit@v0

      - uses: teaxyz/setup@v0
        with:
          srcroot: null

      - uses: actions/download-artifact@v3
        with:
          name: ${{ inputs.platform }}

      - name: clean destination
        # Note: needed when changing a directory to a symlink, for example in
        # https://github.com/teaxyz/pantry/pull/435
        run: |
          tar tzf $GITHUB_WORKSPACE/artifacts.tgz | \
            awk '{ print length, $0 }' | \
            sort -n -s -r | \
            cut -d" " -f2- | \
            xargs rm -rf
        working-directory: ${{ env.TEA_PREFIX }}

      - name: extract bottles
        run: tar xzvf artifacts.tgz -C $TEA_PREFIX

      - run: pkg test ${{ inputs.projects }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # FIXME: this shouldn't be necessary, but it currently is for the
          # ubuntu+container test matrix entries. :/
          TEA_PANTRY_PATH: ${{ github.workspace }}

      - name: '[post]'
        run:
          echo "HAS_SECRETS=$HAS_SECRETS" >>$GITHUB_ENV
        env:
          HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != null }}

  stage:
    needs: [test]
    # this only works for PRs from our team to our repo (security! :( )
    if: startsWith(github.ref, 'refs/pull/') && github.repository_owner == 'teaxyz' && needs.test.outputs.HAS_SECRETS == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: ${{ inputs.platform }}

      - uses: teaxyz/brewkit/actions/stage-build-artifacts@v0
        with:
          platform: ${{ inputs.platform }}
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_CACHE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}