---
name: cloud-release
on:
  push:
    tags:
    - release/cloud/**
permissions:
  contents: read
env:
  VERSIONS_FILE: "VERSIONS.json"
jobs:
  get-dev-image:
    uses: ./.github/workflows/get_image.yaml
    with:
      image-base-name: "dev_image_with_extras"
  build-release:
    name: Build Release
    runs-on: oracle-16cpu-64gb-x86-64
    needs: get-dev-image
    permissions:
      contents: read
      packages: write
    container:
      image: ${{ needs.get-dev-image.outputs.image-with-tag }}
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      with:
        fetch-depth: 0
    - name: Add pwd to git safe dir
      run: git config --global --add safe.directory `pwd`
    - name: Use github bazel config
      uses: ./.github/actions/bazelrc
      with:
        download_toplevel: 'true'
        BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
    - name: Import GPG key
      env:
        BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
      run: |
        echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
    - name: Login to GHCR
      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ github.token }}
    - name: Build & Push Artifacts
      env:
        REF: ${{ github.event.ref }}
        BUILD_NUMBER: ${{ github.run_attempt }}
        JOB_NAME: ${{ github.job }}
        GH_API_KEY: ${{ secrets.GITHUB_TOKEN }}
        COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
        COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
        BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
        GH_REPO: ${{ github.repository }}
      shell: bash
      run: |
        export TAG_NAME="${REF#*/tags/}"
        export ARTIFACTS_DIR="$(pwd)/artifacts"
        mkdir -p "${ARTIFACTS_DIR}"
        ./ci/save_version_info.sh
        ./ci/cloud_build_release.sh
    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
      with:
        name: cloud-artifacts
        path: artifacts/
  create-github-release:
    if: ${{ !contains(github.event.ref, '-') }}
    name: Create Release on Github
    runs-on: ubuntu-latest
    needs: build-release
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      with:
        fetch-depth: 0
    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
    - name: Create Release
      env:
        REF: ${{ github.event.ref }}
        GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}
        GH_REPO: ${{ github.repository }}
      shell: bash
      run: |
        export TAG_NAME="${REF#*/tags/}"
        # actions/checkout doesn't get the tag annotation properly.
        git fetch origin tag "${TAG_NAME}" -f
        export changelog="$(git tag -l --format='%(contents)' "${TAG_NAME}")"
        gh release create "${TAG_NAME}" --title "Cloud ${TAG_NAME#release/cloud/}" \
          --notes $'Pixie Cloud Release:\n'"${changelog}"
        gh release upload "${TAG_NAME}" cloud-artifacts/*