sax 1.0.0

name: Publish release

on:
  push:
    tags:
      - "v*.*.*"

permissions:
  contents: read

jobs:
  verify:
    name: Verify release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Install stable Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Verify tag matches Cargo.toml version
        run: |
          cargo_version="$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].version')"
          tag_version="${GITHUB_REF_NAME#v}"

          if [ "$cargo_version" != "$tag_version" ]; then
            echo "Tag version v$tag_version does not match Cargo.toml version $cargo_version"
            exit 1
          fi

      - name: Test
        run: cargo test --locked

  publish-crate:
    name: Publish to crates.io
    needs: verify
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Install stable Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Publish
        run: cargo publish --locked --token "$CARGO_REGISTRY_TOKEN"
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  publish-aur:
    name: Publish stable AUR package
    needs: verify
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Configure AUR SSH
        env:
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        run: |
          test -n "$AUR_SSH_PRIVATE_KEY"
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > ~/.ssh/aur
          chmod 600 ~/.ssh/aur
          ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
          cat >> ~/.ssh/config <<'EOF'
          Host aur.archlinux.org
            User aur
            IdentityFile ~/.ssh/aur
            IdentitiesOnly yes
          EOF

      - name: Prepare stable package
        run: |
          pkgver="${GITHUB_REF_NAME#v}"
          archive_url="https://github.com/${GITHUB_REPOSITORY}/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz"
          curl -fsSL "$archive_url" -o release.tar.gz
          sha256="$(sha256sum release.tar.gz | cut -d ' ' -f1)"

          git clone ssh://aur@aur.archlinux.org/sax.git aur-repo
          cp packaging/aur/sax/PKGBUILD aur-repo/PKGBUILD
          sed -i "s/^pkgver=.*/pkgver=$pkgver/" aur-repo/PKGBUILD
          sed -i "s/^sha256sums=.*/sha256sums=('$sha256')/" aur-repo/PKGBUILD

      - name: Generate AUR metadata
        run: |
          docker run --rm \
            -e HOST_UID="$(id -u)" \
            -e HOST_GID="$(id -g)" \
            -v "$PWD/aur-repo:/pkg" \
            -w /pkg \
            archlinux:base-devel \
            bash -lc 'useradd -m builder && chown -R builder:builder /pkg && su builder -c "cd /pkg && makepkg --printsrcinfo > .SRCINFO" && chown -R "$HOST_UID:$HOST_GID" /pkg'

      - name: Push AUR package
        run: |
          git -C aur-repo config user.name "github-actions[bot]"
          git -C aur-repo config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git -C aur-repo add PKGBUILD .SRCINFO

          if git -C aur-repo diff --cached --quiet; then
            echo "AUR package is already up to date."
            exit 0
          fi

          git -C aur-repo commit -m "Update sax to ${GITHUB_REF_NAME}"
          git -C aur-repo push