# Expected secrets
# GOOGLE_PLAY_CLOUD_PROJECT - Google Cloud project associated with Google Play
# GOOGLE_PLAY_SERVICE_ACCOUNT - Email address of service account
# GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER - Workload identity provider to generate temporary service account key
# UPLOAD_KEYSTORE_BASE_64 - The upload signing key for the app
# UPLOAD_KEYSTORE_PASSWORD - The password for UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS - The key alias inside UPLOAD_KEYSTORE_BASE_64
# UPLOAD_KEY_ALIAS_PASSWORD - The password for the key alias

name: Deploy

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths-ignore:
      - '.github/ISSUE_TEMPLATE/*'
      - '.github/PULL_REQUEST_TEMPLATE.md'
      - 'LICENSE'
      - 'README.md'
      - 'docs/**'

concurrency: deploy

jobs:
  validate_gradle_wrapper:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
        uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6

  check_secrets:
    environment: deployment
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      has-secrets: ${{ steps.check_secrets.outputs.defined }}
    steps:
      - id: check_secrets
        env:
          GOOGLE_PLAY_CLOUD_PROJECT: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
          GOOGLE_PLAY_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
          GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
        if: "${{ env.GOOGLE_PLAY_CLOUD_PROJECT != '' && env.GOOGLE_PLAY_SERVICE_ACCOUNT != '' && env.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER != '' }}"
        run: echo "::set-output name=defined::true"

  build_and_deploy:
    if: needs.check_secrets.outputs.has-secrets == 'true'
    needs: [validate_gradle_wrapper, check_secrets]
    environment: deployment
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - name: Setup
        id: setup
        timeout-minutes: 12
        uses: ./.github/actions/setup
      - name: Authenticate to Google Cloud for Google Play
        id: auth_google_play
        uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d
        with:
          create_credentials_file: true
          project_id: ${{ secrets.GOOGLE_PLAY_CLOUD_PROJECT }}
          service_account: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ secrets.GOOGLE_PLAY_WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: '1500s'
      - name: Export Signing Key
        env:
          SIGNING_KEYSTORE_BASE_64: ${{ secrets.UPLOAD_KEYSTORE_BASE_64 }}
          SIGNING_KEY_PATH: ${{ format('{0}/release.jks', env.home) }}
        shell: bash
        run: |
          echo ${SIGNING_KEYSTORE_BASE_64} | base64 --decode > ${SIGNING_KEY_PATH}
      - name: Upload to Play Store
        timeout-minutes: 25
        env:
          ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_SERVICE_KEY_FILE_PATH: ${{ steps.auth_google_play.outputs.credentials_file_path }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PATH: ${{ format('{0}/release.jks', env.home) }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }}
          ORG_GRADLE_PROJECT_ZCASH_RELEASE_KEY_ALIAS_PASSWORD: ${{ secrets.UPLOAD_KEY_ALIAS_PASSWORD }}
          ORG_GRADLE_PROJECT_ZCASH_GOOGLE_PLAY_DEPLOY_MODE: deploy
        run: |
          ./gradlew :app:assembleDebug :app:publishBundle :app:packageZcashmainnetReleaseUniversalApk
      - name: Collect Artifacts
        timeout-minutes: 1
        env:
          ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
          BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/binaries.zip', env.home) }}
          MAPPINGS_ZIP_PATH: ${{ format('{0}/artifacts/mappings.zip', env.home) }}
        run: |
          mkdir ${ARTIFACTS_DIR_PATH}
          zip -r ${BINARIES_ZIP_PATH} . -i app/build/outputs/apk/\*/\*.apk app/build/outputs/universal_apk/\*/\*.apk app/build/outputs/bundle/\*/\*.aab
          zip -r ${MAPPINGS_ZIP_PATH} . -i app/build/outputs/mapping/\*/mapping.txt
      - name: Upload Artifacts
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
        timeout-minutes: 1
        with:
          name: Binaries
          path: ~/artifacts

# Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play.
# Rather than being preventative, this is primarily an "early warning system" to verify that our
# binaries aren't being misclassified as malware.
  antivirus:
    needs: [build_and_deploy]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - name: Download release artifact
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
        with:
          name: Binaries
      - name: Unzip artifacts
        timeout-minutes: 1
        run: |
          unzip binaries.zip
      - name: Antivirus
        timeout-minutes: 12
        with:
          path-to-scan: .
        uses: ./.github/actions/antivirus