agent-shield 0.8.4

name: Release

on:
  push:
    tags: ["v*"]

permissions:
  contents: write

env:
  CARGO_TERM_COLOR: always
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  version-check:
    name: Check release invariants
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6

      - name: Ensure release invariants
        run: .github/scripts/check-release-invariants.sh "$GITHUB_REF_NAME"

  build:
    name: Build (${{ matrix.target }})
    needs: version-check
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            archive: tar.gz
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
            archive: tar.gz
            cross: true
          - target: x86_64-apple-darwin
            os: macos-latest
            archive: tar.gz
          - target: aarch64-apple-darwin
            os: macos-latest
            archive: tar.gz
          - target: x86_64-pc-windows-msvc
            os: windows-latest
            archive: zip

    steps:
      - uses: actions/checkout@v6

      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - uses: Swatinem/rust-cache@v2
        with:
          key: ${{ matrix.target }}

      # Cross-compilation for aarch64-linux
      - name: Install cross
        if: matrix.cross
        run: cargo install cross --locked

      - name: Build (native)
        if: "!matrix.cross"
        run: cargo build --release --target ${{ matrix.target }} --features full

      - name: Build (cross)
        if: matrix.cross
        run: cross build --release --target ${{ matrix.target }} --features full

      - name: Smoke check wrap command (unix)
        if: matrix.cross == false && runner.os != 'Windows'
        run: |
          target/${{ matrix.target }}/release/agentshield --help | grep wrap

      - name: Smoke check wrap command (windows)
        if: matrix.cross == false && runner.os == 'Windows'
        shell: pwsh
        run: |
          target\${{ matrix.target }}\release\agentshield.exe --help | Select-String wrap

      - name: Package (unix)
        if: matrix.archive == 'tar.gz'
        run: |
          BINARY=target/${{ matrix.target }}/release/agentshield
          ARCHIVE=agentshield-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
          tar czf "$ARCHIVE" -C "$(dirname $BINARY)" "$(basename $BINARY)"
          shasum -a 256 "$ARCHIVE" > "$ARCHIVE.sha256"
          echo "ARCHIVE=$ARCHIVE" >> $GITHUB_ENV

      - name: Package (windows)
        if: matrix.archive == 'zip'
        shell: pwsh
        run: |
          $BINARY = "target/${{ matrix.target }}/release/agentshield.exe"
          $ARCHIVE = "agentshield-${{ github.ref_name }}-${{ matrix.target }}.zip"
          Compress-Archive -Path $BINARY -DestinationPath $ARCHIVE
          $HASH = (Get-FileHash -Algorithm SHA256 $ARCHIVE).Hash.ToLower()
          "$HASH  $ARCHIVE" | Out-File -Encoding ascii "$ARCHIVE.sha256"
          "ARCHIVE=$ARCHIVE" | Out-File -Append -Encoding ascii $env:GITHUB_ENV

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: agentshield-${{ matrix.target }}
          path: |
            agentshield-*.tar.gz
            agentshield-*.zip
            agentshield-*.sha256

  release:
    name: Create Release
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Download all artifacts
        uses: actions/download-artifact@v7
        with:
          path: artifacts
          merge-multiple: true

      - name: List artifacts
        run: ls -la artifacts/

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v3
        with:
          generate_release_notes: true
          files: |
            artifacts/agentshield-*.tar.gz
            artifacts/agentshield-*.zip
            artifacts/agentshield-*.sha256