name: GoReleaser Orbit

on:
  push:
   tags:
     - 'orbit-*'

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  goreleaser-macos:
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      # Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
      # paid version. We pay for goreleaser, but using the closed source build would weaken our
      # supply-chain integrity goals, so we hack around it by replacing the tag.
      - name: Replace tag
        run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}

      - name: Import signing keys
        env:
          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
          security find-identity -vv
          rm certificate.p12

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Run GoReleaser
        run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-macos.yml # v1.20.0
        env:
          GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
          AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
          AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237

      - name: Upload
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: orbit-macos
          path: dist

  goreleaser-linux:
    runs-on: ubuntu-20.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      # Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
      # paid version. We pay for goreleaser, but using the closed source build would weaken our
      # supply-chain integrity goals, so we hack around it by replacing the tag.
      - name: Replace tag
        run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Run GoReleaser
        run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-linux.yml # v1.20.0

      - name: Upload
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: orbit-linux
          path: dist

  goreleaser-windows:
    runs-on: windows-2022
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      # Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
      # paid version. We pay for goreleaser, but using the closed source build would weaken our
      # supply-chain integrity goals, so we hack around it by replacing the tag.
      - name: Replace tag
        run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Run GoReleaser
        run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-windows.yml # v1.20.0

      - name: Upload
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: orbit-windows
          path: dist