# Expected secrets
# MAVEN_CENTRAL_USERNAME - Username for Maven Central.
# MAVEN_CENTRAL_PASSWORD - Password for Maven Central.
# MAVEN_SIGNING_KEY_ASCII - GPG key without a password which has ASCII-armored and then BASE64-encoded.

name: Deploy Release

on:
  workflow_dispatch:

concurrency: deploy_release

jobs:
  validate_gradle_wrapper:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
        uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4

  check_secrets:
    environment: deployment
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      has-secrets: ${{ steps.check_secrets.outputs.defined }}
    steps:
      - id: check_secrets
        env:
          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          MAVEN_SIGNING_KEY: ${{ secrets.MAVEN_SIGNING_KEY_ASCII }}
        if: "${{ env.MAVEN_CENTRAL_USERNAME != '' && env.MAVEN_CENTRAL_PASSWORD != '' && env.MAVEN_SIGNING_KEY != '' }}"
        run: echo "defined=true" >> $GITHUB_OUTPUT

  deploy_release:
    environment: deployment
    needs: [validate_gradle_wrapper, check_secrets]
    if: needs.check_secrets.outputs.has-secrets == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - name: Setup
        id: setup
        timeout-minutes: 50
        uses: ./.github/actions/setup
      - name: Deploy to Maven Local
        timeout-minutes: 25
        env:
          ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
          ORG_GRADLE_PROJECT_ZCASH_ASCII_GPG_KEY: ${{ secrets.MAVEN_SIGNING_KEY_ASCII }}
        run: |
          ./gradlew publishReleasePublicationToMavenLocalRepository --no-parallel
      # Note that GitHub Actions appears to have issues with environment variables that contain periods,
      # so the GPG variables are done as command line arguments instead.
      - name: Deploy to Maven Central
        timeout-minutes: 8
        env:
          ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
          ORG_GRADLE_PROJECT_ZCASH_MAVEN_PUBLISH_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          ORG_GRADLE_PROJECT_ZCASH_MAVEN_PUBLISH_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          ORG_GRADLE_PROJECT_ZCASH_ASCII_GPG_KEY: ${{ secrets.MAVEN_SIGNING_KEY_ASCII }}
        run: |
          ./gradlew publishReleasePublicationToMavenCentralRepository --no-parallel
      - name: Collect Artifacts
        timeout-minutes: 1
        if: ${{ always() }}
        env:
          ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
          BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/release_binaries.zip', env.home) }}
        run: |
          mkdir ${ARTIFACTS_DIR_PATH}

          zip -r ${BINARIES_ZIP_PATH} . -i *build/outputs/*
      - name: Upload Artifacts
        if: ${{ always() }}
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
        timeout-minutes: 10
        with:
          name: Release binaries
          path: ~/artifacts