name: Build and upload binaries
on:
  release:
    types: [published]
  push:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    name: Build binaries
    runs-on: ubuntu-latest
    environment: "Build, sign, release binaries"
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.x
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build binaries
        run: |
          sudo apt-get update && sudo apt-get install -y osslsigncode
          cp LICENSE "$RUNNER_TEMP/LICENSE"
          echo -e "\n---\n" >> "$RUNNER_TEMP/LICENSE"
          curl "https://golang.org/LICENSE?m=text" >> "$RUNNER_TEMP/LICENSE"
          VERSION="$(git describe --tags)"
          function build_age() {
            DIR="$(mktemp -d)"
            mkdir "$DIR/age"
            cp "$RUNNER_TEMP/LICENSE" "$DIR/age"
            go build -o "$DIR/age" -ldflags "-X main.Version=$VERSION" -trimpath ./cmd/...
            if [ "$GOOS" == "windows" ]; then
              for exe in "$DIR"/age/*.exe; do
                /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
                  -certs .github/workflows/certs/uitacllc.crt \
                  -key .github/workflows/certs/uitacllc.key \
                  -pass "${{ secrets.SIGN_PASS }}" \
                  -n age -in "$exe" -out "$exe.signed"
                mv "$exe.signed" "$exe"
              done
              ( cd "$DIR"; zip age.zip -r age )
              mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
            else
              tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
            fi
          }
          export CGO_ENABLED=0
          GOOS=linux GOARCH=amd64 build_age
          GOOS=linux GOARCH=arm GOARM=6 build_age
          GOOS=linux GOARCH=arm64 build_age
          GOOS=darwin GOARCH=amd64 build_age
          GOOS=darwin GOARCH=arm64 build_age
          GOOS=windows GOARCH=amd64 build_age
          GOOS=freebsd GOARCH=amd64 build_age
      - name: Upload workflow artifacts
        uses: actions/upload-artifact@v2
        with:
          name: age-binaries
          path: age-*
  upload:
    name: Upload release binaries
    if: ${{ github.event_name == 'release' }}
    needs: build
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Download workflow artifacts
        uses: actions/download-artifact@v2
        with:
          name: age-binaries
      - name: Upload release artifacts
        uses: actions/github-script@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require("fs").promises;
            const { repo: { owner, repo }, sha } = context;

            const release = await github.repos.getReleaseByTag({
              owner, repo,
              tag: process.env.GITHUB_REF.replace("refs/tags/", ""),
            });
            console.log("Release:", { release });

            for (let file of await fs.readdir(".")) {
              if (!file.startsWith("age-")) continue;
              console.log("Uploading", file);
              await github.repos.uploadReleaseAsset({
                owner, repo,
                release_id: release.data.id,
                name: file,
                data: await fs.readFile(file),
              });            
            }