name: Tauri Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

permissions:
  contents: write

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-and-release:
    name: Release (${{ matrix.platform }})
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: macos-latest
            target: aarch64-apple-darwin
          - platform: macos-latest
            target: x86_64-apple-darwin
          - platform: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
          - platform: windows-latest
            target: x86_64-pc-windows-msvc

    runs-on: ${{ matrix.platform }}
    timeout-minutes: 60

    steps:
      - uses: actions/checkout@v4

      - name: Extract version from tag
        id: version
        shell: bash
        run: |
          TAG="${GITHUB_REF_NAME}"
          VERSION="${TAG#v}"
          # Strip pre-release/build metadata for MSI (only supports numeric X.Y.Z)
          NUMERIC_VERSION="${VERSION%%-*}"
          NUMERIC_VERSION="${NUMERIC_VERSION%%+*}"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "numeric_version=$NUMERIC_VERSION" >> "$GITHUB_OUTPUT"
          echo "Resolved version: $VERSION (MSI: $NUMERIC_VERSION)"

      - name: Sync version to tauri.conf.json and Cargo.toml
        shell: bash
        run: |
          VERSION="${{ steps.version.outputs.version }}"
          TAURI_CONF="apps/desktop/src-tauri/tauri.conf.json"
          CARGO_TOML="apps/desktop/src-tauri/Cargo.toml"

          node -e "
            const fs = require('fs');
            const conf = JSON.parse(fs.readFileSync('$TAURI_CONF', 'utf8'));
            conf.version = '$VERSION';
            fs.writeFileSync('$TAURI_CONF', JSON.stringify(conf, null, 2) + '\n');
          "

          sed -i.bak "s/^version = \".*\"/version = \"$VERSION\"/" "$CARGO_TOML"
          rm -f "$CARGO_TOML.bak"

          echo "Updated $TAURI_CONF version to $VERSION"
          echo "Updated $CARGO_TOML version to $VERSION"

      - uses: pnpm/action-setup@v4
        with:
          version: 10

      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: pnpm

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: apps/desktop/src-tauri -> target

      - name: Install Linux dependencies
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libappindicator3-dev \
            librsvg2-dev \
            patchelf

      - name: Install JS dependencies
        run: pnpm install --frozen-lockfile

      # macOS code signing with certificate secrets.
      - name: Prepare macOS code signing
        if: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' }}
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          set -euo pipefail
          KEYCHAIN_PASSWORD="github-actions-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT:-1}"
          echo "$APPLE_CERTIFICATE" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -t 3600 -u build.keychain
          security import "$RUNNER_TEMP/certificate.p12" -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          curl -fsSL -o "$RUNNER_TEMP/DeveloperIDG2CA.cer" https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
          security add-certificates -k build.keychain "$RUNNER_TEMP/DeveloperIDG2CA.cer"
          security find-identity -v -p codesigning build.keychain
          IDENTITY=$(security find-identity -v -p codesigning build.keychain | awk -F'"' '/Developer ID Application/ { print $2; exit }')
          if [[ -z "$IDENTITY" ]]; then
            echo "No Developer ID Application identity in build keychain"
            exit 1
          fi
          echo "APPLE_SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"

      - name: Prepare Tauri build args
        id: tauri-args
        shell: bash
        run: |
          ARGS="--target ${{ matrix.target }}"
          if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then
            MSI_VERSION="${{ steps.version.outputs.numeric_version }}"
            ARGS="$ARGS --config {\"bundle\":{\"windows\":{\"wix\":{\"version\":\"$MSI_VERSION\"}}}}"
          fi
          echo "args=$ARGS" >> "$GITHUB_OUTPUT"

      - name: Build and release Tauri app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          projectPath: apps/desktop
          args: ${{ steps.tauri-args.outputs.args }}
          tauriScript: pnpm tauri
          tagName: ${{ github.ref_name }}
          releaseName: "Memoh Desktop ${{ github.ref_name }}"
          releaseBody: "See the [full changelog](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md) for details."
          releaseDraft: true
          prerelease: false