name: Release

on: 
  push:
    tags:
      - '*'
jobs:
  test:
#     runs-on: macOS-latest
    runs-on: macos-15
    timeout-minutes: 10
    steps:
    - uses: actions/checkout@v5
    - name: Setup Signing
      env: 
        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
    - name: Test
      run: swift test --build-system swiftbuild --package-path Sources/Packages
  build:
#     runs-on: macOS-latest
    runs-on: macos-15
    permissions:
      id-token: write
      contents: write
      attestations: write
    timeout-minutes: 10
    steps:
    - uses: actions/checkout@v5
    - name: Setup Signing
      env: 
        SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
        HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
        AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
        APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
      run: ./.github/scripts/signing.sh
    - name: Set Environment
      run: sudo xcrun xcode-select -s /Applications/Xcode_26.0.app
    - name: Update Build Number
      env:
        TAG_NAME: ${{ github.ref }}
        RUN_ID: ${{ github.run_id }}
      run: |
            export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
            sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
            sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
            sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
    - name: Build
      run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
    - name: Create ZIPs
      run: |
            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
            ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive ./Xcode_Archive.zip
    - name: Notarize
      env: 
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
    - name: Attest
      id: attest
      uses: actions/attest-build-provenance@v2
      with:
        subject-path: 'Secretive.zip, Xcode_Archive.zip'
    - name: Create Release
      run: |
            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
            gh release create $TAG_NAME -d -F .github/templates/release.md
            gh release upload Secretive.zip
            gh release upload Xcode_Archive.zip
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        TAG_NAME: ${{ github.ref }}
        RUN_ID: ${{ github.run_id }}
        ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
    - name: Upload App to Artifacts
      uses: actions/upload-artifact@v4
      with:
        name: Secretive.zip
        path: Secretive.zip
    - name: Upload Archive to Artifacts
      uses: actions/upload-artifact@v4
      with:
        name: Xcode_Archive.zip
        path: Xcode_Archive.zip