# Expected secrets
# MAVEN_CENTRAL_USERNAME - Username for Maven Central.
# MAVEN_CENTRAL_PASSWORD - Password for Maven Central.
# MAVEN_SIGNING_KEYRING_FILE_BASE64 - Base64 encoded GPG keyring file.
# MAVEN_SIGNING_KEY_ID - ID for the key in the GPG keyring file.
# MAVEN_SIGNING_PASSWORD - Password for the key in the GPG keyring file.

name: Deploy Release

on:
  workflow_dispatch:

concurrency: deploy_release

jobs:
  validate_gradle_wrapper:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      # Gradle Wrapper validation can be flaky
      # https://github.com/gradle/wrapper-validation-action/issues/40
      - name: Gradle Wrapper Validation
        timeout-minutes: 1
        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

  deploy_release:
    environment: deployment
    needs: validate_gradle_wrapper
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        timeout-minutes: 1
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Setup
        id: setup
        timeout-minutes: 30
        uses: ./.github/actions/setup
      - name: Export Maven Signing Key
        env:
          MAVEN_SIGNING_KEYRING_FILE_BASE64: ${{ secrets.MAVEN_SIGNING_KEYRING_FILE_BASE64 }}
          GPG_KEY_PATH: ${{ format('{0}/keyring.gpg', env.home) }}
        shell: bash
        run: |
          echo ${MAVEN_SIGNING_KEYRING_FILE_BASE64} | base64 --decode > ${GPG_KEY_PATH}
      # While not strictly necessary, this sanity checks the build before attempting to upload.
      # This adds minimal additional build time, since most of the work is cached and re-used
      # in the next step.
      - name: Deploy to Maven Local
        timeout-minutes: 25
        env:
          ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
          ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: false
        run: |
          ./gradlew publishToMavenLocal --no-parallel
      - name: Deploy to Maven Central
        timeout-minutes: 8
        env:
          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
          ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: true
          GPG_KEY_PATH: ${{ format('{0}/keyring.gpg', env.home) }}
          GPG_KEY_ID: ${{ secrets.MAVEN_SIGNING_KEY_ID }}
          GPG_PASSWORD: ${{ secrets.MAVEN_SIGNING_PASSWORD }}
        run: |
          ./gradlew publish -Psigning.secretKeyRingFile=$GPG_KEY_PATH -Psigning.keyId=$GPG_KEY_ID -Psigning.password=$GPG_PASSWORD --no-parallel
          ./gradlew closeAndReleaseRepository --no-parallel
      - name: Collect Artifacts
        timeout-minutes: 1
        if: ${{ always() }}
        env:
          ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
          BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/release_binaries.zip', env.home) }}
        run: |
          mkdir ${ARTIFACTS_DIR_PATH}

          zip -r ${BINARIES_ZIP_PATH} . -i *build/outputs/*
      - name: Upload Artifacts
        if: ${{ always() }}
        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        timeout-minutes: 1
        with:
          name: Release binaries
          path: ~/artifacts