# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build
# Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure
# the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
on:
    workflow_call:
        secrets:
            APPLE_ID:
                required: false
            APPLE_ID_PASSWORD:
                required: false
            APPLE_TEAM_ID:
                required: false
            APPLE_CSC_KEY_PASSWORD:
                required: false
            APPLE_CSC_LINK:
                required: false
        inputs:
            version:
                type: string
                required: false
                description: "Version string to override the one in package.json, used for non-release builds"
            sign:
                type: string
                required: false
                description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
            base-url:
                type: string
                required: false
                description: "The URL to which the output will be deployed."
jobs:
    build:
        runs-on: macos-14 # M1
        environment: ${{ inputs.sign && 'packages.element.io' || '' }}
        steps:
            - uses: actions/checkout@v4

            - uses: actions/download-artifact@v4
              with:
                  name: webapp

            - name: Cache .hak
              id: cache
              uses: actions/cache@v4
              with:
                  key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }}
                  path: |
                      ./.hak

            - name: Install Rust
              if: steps.cache.outputs.cache-hit != 'true'
              run: |
                  rustup toolchain install stable --profile minimal --no-self-update
                  rustup default stable
                  rustup target add aarch64-apple-darwin
                  rustup target add x86_64-apple-darwin

            # M1 macos-14 comes without Python preinstalled
            - uses: actions/setup-python@v5
              with:
                  python-version: "3.12"

            - uses: actions/setup-node@v4
              with:
                  node-version-file: package.json
                  cache: "yarn"

            # Does not need branch matching as only analyses this layer
            - name: Install Deps
              run: "yarn install --frozen-lockfile"

            - name: Build Natives
              if: steps.cache.outputs.cache-hit != 'true'
              run: |
                  # Python 3.12 drops distutils which keytar relies on
                  pip3 install setuptools
                  yarn build:native:universal

            - name: "[Nightly] Resolve version"
              if: inputs.version != ''
              run: |
                  echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV

            # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string
            - name: "[Signed] Build App"
              if: inputs.sign != ''
              run: |
                  yarn build:universal --publish never
              env:
                  ED_NOTARYTOOL_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
                  APPLE_ID: ${{ secrets.APPLE_ID }}
                  APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
                  CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                  CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}

            - name: Check app was signed & notarised successfully
              if: inputs.sign != ''
              run: |
                  hdiutil attach dist/*.dmg -mountpoint /Volumes/Element
                  codesign -dv --verbose=4 /Volumes/Element/*.app
                  spctl -a -vvv -t install /Volumes/Element/*.app
                  hdiutil detach /Volumes/Element

            - name: "[Unsigned] Build App"
              if: inputs.sign == ''
              run: |
                  yarn build:universal --publish never
              env:
                  CSC_IDENTITY_AUTO_DISCOVERY: false

            - name: Generate releases.json
              if: inputs.base-url
              run: |
                  PKG_JSON_VERSION=$(cat package.json | jq -r .version)
                  LATEST=$(find dist -type f -iname "*-mac.zip" | xargs -0 -n1 -- basename)
                  # Encode spaces in the URL as Squirrel.Mac complains about bad JSON otherwise
                  URL="${{ inputs.base-url }}/update/macos/${LATEST// /%20}"

                  jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" '
                    {
                      currentRelease: $version,
                      releases: [{
                        version: $version,
                        updateTo: {
                          version: $version,
                          url: $url,
                        },
                      }],
                    }
                  ' > dist/releases.json
                  jq -n --arg url "$URL" '
                    { url: $url }
                  ' > dist/releases-legacy.json
              env:
                  VERSION: ${{ inputs.version }}

            # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it
            - name: Upload Artifacts
              uses: actions/upload-artifact@v4
              with:
                  name: macos
                  path: |
                      dist
                      !dist/mac-universal/**
                  retention-days: 1