# Build the punktfunk-host RPM and publish it to Gitea's RPM package registry, so Bazzite /
# Fedora Atomic hosts layer + update it with rpm-ostree. Counterpart to deb.yml (apt). Runs in
# the Fedora 43 builder image (ci/fedora-rpm.Dockerfile) so the RPM's auto library Requires
# (libavcodec.so.NN, …) match the target's sonames.
#
# Registry (public, unom org), group "bazzite":
#   repo file  https://git.unom.io/api/packages/unom/rpm/bazzite.repo
# Box setup (once): see packaging/rpm/README.md
#
# REGISTRY_TOKEN: repo Actions secret, a PAT with write:package scope (shared with docker.yml).
name: rpm

on:
  push:
    branches: [main]
    # Single project version: a `vX.Y.Z` tag is THE release. main publishes to the `*-canary` rpm
    # groups, tags to the base groups (`bazzite`/`fedora-44`) — separate repos, so the old
    # version-shadow (a release outranking rolling builds in one group) is structurally gone.
    tags: ['v*']
  workflow_dispatch:

env:
  REGISTRY: git.unom.io
  OWNER: unom

jobs:
  build-publish:
    runs-on: ubuntu-24.04
    # One RPM per target whose ffmpeg soname must match (a binary RPM is soname-coupled to its
    # base): Fedora 43 == Bazzite (libavcodec.so.61), Fedora 44 == the Fedora KDE spin (.so.62).
    # Each builds in its matching builder image and publishes to its own registry group.
    strategy:
      fail-fast: false
      matrix:
        include:
          - image: punktfunk-fedora-rpm     # Fedora 43 == Bazzite base
            group: bazzite
          - image: punktfunk-fedora44-rpm   # Fedora 44 == Fedora KDE spin
            group: fedora-44
    container:
      image: git.unom.io/unom/${{ matrix.image }}:latest
    timeout-minutes: 90
    env:
      CARGO_HOME: /usr/local/cargo
    steps:
      - uses: actions/checkout@v4

      # rpmbuild + git archive need the checkout trusted; cache the crates download.
      # The client link deps are also baked into the fedora-rpm image, but this job runs
      # against the image from the PREVIOUS push (docker.yml bootstrap note) — keep it
      # green across image changes; a no-op once the image has them.
      - name: Prep
        run: |
          git config --global --add safe.directory "$PWD"
          dnf -y install gtk4-devel libadwaita-devel SDL3-devel
          # bun builds the punktfunk-web console (--with web). Baked into the image; install it
          # here too so the job stays green against the PREVIOUS image (docker.yml bootstrap note).
          command -v bun >/dev/null || {
            dnf -y install unzip
            curl -fsSL https://bun.sh/install | bash
            install -m0755 "$HOME/.bun/bin/bun" /usr/local/bin/bun
          }
          bun --version
      - uses: actions/cache@v4
        with:
          path: /usr/local/cargo/registry
          key: cargo-home-${{ hashFiles('Cargo.lock') }}
          restore-keys: cargo-home-

      - name: Version + channel
        # vX.Y.Z tag -> X.Y.Z-1 in the base group (a real release); main push -> 0.3.0-0.ciN.g<sha>
        # in the `<base>-canary` group, whose "0." release sorts below the eventual 0.3.0-1 yet
        # climbs by run number. The canary base stays one minor ahead of the latest stable so a
        # stable->canary box re-point still moves forward. The spec %build stamps
        # PUNKTFUNK_BUILD_VERSION from these macros into the binary (--version provenance).
        run: |
          SHORT=$(echo "$GITHUB_SHA" | cut -c1-8)
          case "$GITHUB_REF" in
            refs/tags/v*) V="${GITHUB_REF_NAME#v}"; R="1"; GROUP="${{ matrix.group }}" ;;
            *)            V="0.3.0"; R="0.ci${GITHUB_RUN_NUMBER}.g${SHORT}"; GROUP="${{ matrix.group }}-canary" ;;
          esac
          echo "PF_VERSION=$V" >> "$GITHUB_ENV"
          echo "PF_RELEASE=$R" >> "$GITHUB_ENV"
          echo "GROUP=$GROUP" >> "$GITHUB_ENV"
          echo "rpm $V-$R -> group '$GROUP'"

      - name: Build RPM
        # PF_WITH_WEB=1 → also build the noarch punktfunk-web subpackage (the publish loop below
        # globs it in; the host RPM Recommends it). Needs bun (ensured in Prep).
        run: PF_VERSION="$PF_VERSION" PF_RELEASE="$PF_RELEASE" PF_WITH_WEB=1 bash packaging/rpm/build-rpm.sh

      - name: Sign RPMs (dormant until RPM_GPG_PRIVATE_KEY is set — see packaging/rpm/README.md)
        env:
          RPM_GPG_PRIVATE_KEY: ${{ secrets.RPM_GPG_PRIVATE_KEY }}
          RPM_GPG_PASSPHRASE: ${{ secrets.RPM_GPG_PASSPHRASE }}
        run: bash packaging/rpm/sign-rpms.sh

      - name: Publish to the Gitea RPM registry
        env:
          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          # Publish only the main package (skip -debuginfo/-debugsource subpackages).
          for rpm in dist/*.rpm; do
            case "$rpm" in *debuginfo*|*debugsource*) echo "skip $rpm"; continue;; esac
            echo "uploading $rpm"
            curl -fsS --user "enricobuehler:$TOKEN" --upload-file "$rpm" \
              "https://$REGISTRY/api/packages/$OWNER/rpm/$GROUP/upload"
          done
          echo "published to $OWNER/rpm/$GROUP"

      # On a real release, also attach the .rpms to the unified Gitea Release. Both Fedora bases
      # (bazzite=F43, fedora-44) build the SAME filename, so suffix the asset with the base to keep
      # both on the release; canary builds live in the `*-canary` rpm groups (no release page).
      - name: Attach .rpms to the Gitea release (stable tags only)
        if: startsWith(gitea.ref, 'refs/tags/v')
        env:
          GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          . scripts/ci/gitea-release.sh
          RID=$(ensure_release "$GITHUB_REF_NAME" "$GITHUB_REF_NAME" auto)
          for rpm in dist/*.rpm; do
            case "$rpm" in *debuginfo*|*debugsource*) continue;; esac
            base="$(basename "$rpm" .rpm)"
            upsert_asset "$RID" "$rpm" "${base}.${{ matrix.group }}.rpm"
          done