name: Build and Deploy
on:
    # Nightly build
    schedule:
        - cron: "0 9 * * *"
    # Release build
    release:
        types: [published]
    # Manual nightly & release
    workflow_dispatch:
        inputs:
            mode:
                description: What type of build to trigger. Release builds MUST be ran from the `master` branch.
                required: true
                default: nightly
                type: choice
                options:
                    - nightly
                    - release
            macos:
                description: Build macOS
                required: true
                type: boolean
                default: true
            windows:
                description: Build Windows
                required: true
                type: boolean
                default: true
            linux:
                description: Build Linux
                required: true
                type: boolean
                default: true
            deploy:
                description: Deploy artifacts
                required: true
                type: boolean
                default: true
run-name: Element ${{ inputs.mode != 'release' && github.event_name != 'release' && 'Nightly' || 'Desktop' }}
concurrency: ${{ github.workflow }}
env:
    R2_BUCKET: ${{ vars.R2_BUCKET }}
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs:
    prepare:
        uses: ./.github/workflows/build_prepare.yaml
        permissions:
            contents: read
        with:
            config: element.io/${{ inputs.mode || (github.event_name == 'release' && 'release') || 'nightly' }}
            version: ${{ (inputs.mode != 'release' && github.event_name != 'release') && 'develop' || '' }}
            nightly: ${{ inputs.mode != 'release' && github.event_name != 'release' }}
            deploy: ${{ inputs.deploy || (github.event_name != 'workflow_dispatch' && github.event.release.prerelease != true) }}
        secrets:
            CF_R2_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
            CF_R2_TOKEN: ${{ secrets.CF_R2_TOKEN }}

    windows:
        if: github.event_name != 'workflow_dispatch' || inputs.windows
        needs: prepare
        name: Windows ${{ matrix.arch }}
        strategy:
            matrix:
                arch: [ia32, x64]
        uses: ./.github/workflows/build_windows.yaml
        secrets: inherit
        with:
            sign: true
            arch: ${{ matrix.arch }}
            version: ${{ needs.prepare.outputs.nightly-version }}

    macos:
        if: github.event_name != 'workflow_dispatch' || inputs.macos
        needs: prepare
        name: macOS
        uses: ./.github/workflows/build_macos.yaml
        secrets: inherit
        with:
            sign: true
            base-url: https://packages.element.io/${{ needs.prepare.outputs.packages-dir }}
            version: ${{ needs.prepare.outputs.nightly-version }}

    linux:
        if: github.event_name != 'workflow_dispatch' || inputs.linux
        needs: prepare
        name: Linux ${{ matrix.arch }} (sqlcipher ${{ matrix.sqlcipher }})
        strategy:
            matrix:
                arch: [amd64, arm64]
                sqlcipher: [static]
        uses: ./.github/workflows/build_linux.yaml
        with:
            arch: ${{ matrix.arch }}
            config: ${{ needs.prepare.outputs.config }}
            sqlcipher: ${{ matrix.sqlcipher }}
            version: ${{ needs.prepare.outputs.nightly-version }}

    deploy:
        needs:
            - prepare
            - macos
            - linux
            - windows
        runs-on: ubuntu-24.04
        name: ${{ needs.prepare.outputs.deploy == 'true' && 'Deploy' || 'Deploy (dry-run)' }}
        if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
        environment: ${{ needs.prepare.outputs.deploy == 'true' && 'packages.element.io' || '' }}
        steps:
            - name: Download artifacts
              uses: actions/download-artifact@v4

            - name: Prepare artifacts for deployment
              run: |
                  # Windows
                  for arch in x64 ia32 arm64
                  do
                      if [ -d "win-$arch" ]; then
                          mkdir -p packages.element.io/{install,update}/win32/$arch
                          mv win-$arch/squirrel-windows*/*.exe "packages.element.io/install/win32/$arch/"
                          mv win-$arch/squirrel-windows*/*.nupkg "packages.element.io/update/win32/$arch/"
                          mv win-$arch/squirrel-windows*/RELEASES "packages.element.io/update/win32/$arch/"
                      fi
                  done

                  # macOS
                  if [ -d macos ]; then
                      mkdir -p packages.element.io/{install,update}/macos
                      mv macos/*.dmg packages.element.io/install/macos/
                      mv macos/*-mac.zip packages.element.io/update/macos/
                      mv macos/*.json packages.element.io/update/macos/
                  fi

                  # Linux
                  if [ -d linux-amd64-sqlcipher-static ]; then
                      mkdir -p packages.element.io/install/linux/glibc-x86-64
                      mv linux-amd64-sqlcipher-static/*.tar.gz packages.element.io/install/linux/glibc-x86-64
                  fi
                  if [ -d linux-arm64-sqlcipher-static ]; then
                      mkdir -p packages.element.io/install/linux/glibc-aarch64
                      mv linux-arm64-sqlcipher-static/*.tar.gz packages.element.io/install/linux/glibc-aarch64
                  fi

            # We don't wish to store the installer for every nightly ever, so we only keep the latest
            - name: "[Nightly] Strip version from installer file"
              if: needs.prepare.outputs.nightly-version != ''
              run: |
                  # Windows
                  for arch in x64 ia32 arm64
                  do
                      [ -d "win-$arch" ] && mv packages.element.io/install/win32/$arch/{*,"Element Nightly Setup"}.exe
                  done

                  # macOS
                  [ -d macos ] && mv packages.element.io/install/macos/{*,"Element Nightly"}.dmg

                  # Linux
                  [ -d linux-amd64-sqlcipher-static ] && mv packages.element.io/install/linux/glibc-x86-64/{*,element-desktop-nightly}.tar.gz
                  [ -d linux-arm64-sqlcipher-static ] && mv packages.element.io/install/linux/glibc-aarch64/{*,element-desktop-nightly}.tar.gz

            - name: "[Release] Prepare release latest symlink"
              if: needs.prepare.outputs.nightly-version == ''
              run: |
                  # Windows
                  for arch in x64 ia32 arm64
                  do
                      if [ -d "win-$arch" ]; then
                          pushd packages.element.io/install/win32/$arch
                          ln -s "$(find . -type f -iname "*.exe" | xargs -0 -n1 -- basename)" "Element Setup.exe"
                          popd
                      fi
                  done

                  # macOS
                  if [ -d macos ]; then
                      pushd packages.element.io/install/macos
                      ln -s "$(find . -type f -iname "*.dmg" | xargs -0 -n1 -- basename)" "Element.dmg"
                      popd
                  fi

                  # Linux
                  if [ -d linux-amd64-sqlcipher-static ]; then
                      pushd packages.element.io/install/linux/glibc-x86-64
                      ln -s "$(find . -type f -iname "*.tar.gz" | xargs -0 -n1 -- basename)" "element-desktop.tar.gz"
                      popd
                  fi
                  if [ -d linux-arm64-sqlcipher-static ]; then
                      pushd packages.element.io/install/linux/glibc-aarch64
                      ln -s "$(find . -type f -iname "*.tar.gz" | xargs -0 -n1 -- basename)" "element-desktop.tar.gz"
                      popd
                  fi

            - name: Stash packages.element.io
              if: needs.prepare.outputs.deploy == 'false'
              uses: actions/upload-artifact@v4
              with:
                  name: packages.element.io
                  path: packages.element.io

            - name: Deploy artifacts
              if: needs.prepare.outputs.deploy == 'true'
              run: |
                  aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto
              env:
                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
                  R2_URL: ${{ vars.CF_R2_S3_API }}
                  DEPLOYMENT_DIR: ${{ needs.prepare.outputs.packages-dir }}

            - name: Notify packages.element.io of new files
              if: needs.prepare.outputs.deploy == 'true'
              uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
              with:
                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  repository: element-hq/packages.element.io
                  event-type: packages-index

            - name: Find debs
              id: deb
              if: needs.linux.result == 'success'
              run: |
                  for arch in amd64 arm64
                  do
                      echo "$arch=$(ls linux-$arch-sqlcipher-static/*.deb | tail -n1)" >> $GITHUB_OUTPUT
                  done

            - name: Stash debs
              if: needs.prepare.outputs.deploy == 'false' && needs.linux.result == 'success'
              uses: actions/upload-artifact@v4
              with:
                  name: debs
                  path: |
                      ${{ steps.deb.outputs.amd64 }}
                      ${{ steps.deb.outputs.arm64 }}

            - name: Publish amd64 deb to packages.element.io
              uses: element-hq/packages.element.io@master
              if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success'
              with:
                  file: ${{ steps.deb.outputs.amd64 }}
                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  bucket-api: ${{ vars.CF_R2_S3_API }}
                  bucket-key-id: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  bucket-access-key: ${{ secrets.CF_R2_TOKEN }}

            - name: Publish arm64 deb to packages.element.io
              uses: element-hq/packages.element.io@master
              if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success'
              with:
                  file: ${{ steps.deb.outputs.arm64 }}
                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  bucket-api: ${{ vars.CF_R2_S3_API }}
                  bucket-key-id: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  bucket-access-key: ${{ secrets.CF_R2_TOKEN }}

    deploy-ess:
        needs: deploy
        runs-on: ubuntu-24.04
        name: Deploy builds to ESS
        if: needs.prepare.outputs.deploy == 'true' && github.event_name == 'release'
        env:
            BUCKET_NAME: "element-desktop-msi.onprem.element.io"
            AWS_REGION: "eu-central-1"
        permissions:
            id-token: write # This is required for requesting the JWT
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v4
              with:
                  role-to-assume: arn:aws:iam::264135176173:role/Push-ElementDesktop-MSI
                  role-session-name: githubaction-run-${{ github.run_id }}
                  aws-region: ${{ env.AWS_REGION }}

            - name: Download artifacts
              uses: actions/download-artifact@v4
              with:
                  pattern: win-*

            - name: Copy files to S3
              run: |
                  PREFIX="${VERSION%.*}"
                  for file in win-*/*.msi; do
                      filename=$(basename "$file")
                      aws s3 cp "$file" "s3://${{ env.BUCKET_NAME }}/$PREFIX/$filename"
                  done
              env:
                  VERSION: ${{ github.event.release.tag_name }}