.github/workflows/release-draft-binaries.yml

name: Create Draft Release

on:
  workflow_dispatch:
    inputs:
      git_tag:
        description: Git Tag To Release From. Last Git Tag Is Used If Omitted
        required: false
      release_branch:
        description: Release Branch Where Recent Bump Occurred
        required: true

permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  create_release:
    permissions:
      contents: write

    name: Initiate Draft Release
    runs-on: ubuntu-22.04
    environment: release
    outputs:
      upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
      version: ${{ steps.release_version.outputs.version }}
      tag_name: ${{ steps.release_version.outputs.tag_name }}
    env:
      BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
      AWS_REGION: ${{ vars.AWS_REGION }}
      AWS_ROLE: ${{ vars.AWS_ROLE }}

    steps:
      - name: Checkout Ockam
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.release_branch }}

      - name: Import GPG key
        uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946
        with:
          gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
          gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
          gpg_name: '${{ secrets.GPG_USER_NAME }}'
          gpg_email: '${{ secrets.GPG_EMAIL }}'

      - name: Get Release Text
        id: release_version
        env:
          GIT_TAG: '${{ github.event.inputs.git_tag }}'
        run: |
          cargo install tomlq@0.1.0
          set -x
          source tools/scripts/release/crates-to-publish.sh

          # Add Ockam as first crate
          ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
          name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")

          text="Ockam $ockam_version"

          text="$text

          # Homebrew

          To install this release using Homebrew:

          \`\`\`bash
          brew install build-trust/ockam/ockam
          \`\`\`"

          # Install Docker image
          text="$text

          # Docker

          To use the Docker OCI package:

          \`\`\`bash
          docker pull ghcr.io/build-trust/ockam:$ockam_version
          \`\`\`"

          text="$text

          # Curl Install

          To install this release using curl:

          \`\`\`bash
          curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash
          \`\`\`"

          text="$text

          # Rust Crates

          To use Ockam as a Rust library, run the following command within your project directory:

          \`\`\`bash
          cargo add ockam@$ockam_version
          \`\`\`

          The following crates were published as part of this release:
          - \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
            [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"

          for crate in ${updated_crates[@]}; do
            version=$(eval "tomlq package.version -f $crate/Cargo.toml")
            name=$(eval "tomlq package.name -f $crate/Cargo.toml")

            if [[ $name == "ockam" ]]; then
              echo "Skipping ockam crate"
              continue
            fi

            text="$text
          - \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
            [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
          done

          echo "version=$ockam_version" >> $GITHUB_OUTPUT
          echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT

          echo "$text" > release_note.md
          cat release_note.md

          # Check if a recent tag has been created and delete upstream
          if git tag | grep "ockam_v$ockam_version"; then
            git tag -d "ockam_v$ockam_version"
            git push --delete origin "ockam_v$ockam_version"
          fi

          # Add tag
          git tag -s ockam_v$ockam_version -m "Ockam Release"
          git push --tags

      - name: Create GitHub release
        id: release_upload_url
        uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
          tag_name: '${{ steps.release_version.outputs.tag_name }}'
          body_path: 'release_note.md'
          prerelease: true

      - name: Echo Link
        run: echo "${{ steps.release_upload_url.outputs.html_url }}"


  build_release:
    name: Build Binaries
    needs: create_release
    environment: release
    env:
      DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
      PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
      CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
      NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
      NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
      BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
      AWS_REGION: ${{ vars.AWS_REGION }}
      AWS_ROLE: ${{ vars.AWS_ROLE }}

    permissions:
      contents: write
      id-token: write # This is required for requesting the JWT

    strategy:
      fail-fast: false
      matrix:
        build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
        include:
        - build: linux_arm64
          os: ubuntu-22.04
          toolchain: stable
          target: aarch64-unknown-linux-musl
          build_app: false
          use-cross-build: true
        - build: linux_armv7
          os: ubuntu-22.04
          toolchain: stable
          target: armv7-unknown-linux-musleabihf
          use-cross-build: true
          build_app: false
        - build: linux_86
          os: ubuntu-22.04
          toolchain: stable
          target: x86_64-unknown-linux-musl
          use-cross-build: true
          build_app: false
        - build: linux_86_gnu
          os: ubuntu-22.04
          toolchain: stable
          target: x86_64-unknown-linux-gnu
          use-cross-build: false
          build_app: false
        - build: linux_aarch64_gnu
          os: ubuntu-22.04
          toolchain: stable
          target: aarch64-unknown-linux-gnu
          use-cross-build: true
          build_app: false
        - build: macos_silicon
          os: macos-14
          toolchain: stable
          target: aarch64-apple-darwin
          use-cross-build: false
          build_app: true
        - build: macos_86
          os: macos-14
          toolchain: stable
          target: x86_64-apple-darwin
          use-cross-build: false
          build_app: true
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout repository
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        ref: ${{ github.event.inputs.release_branch }}

    - name: Echo Link
      run: echo "${{ needs.create_release.outputs.upload_url }}"

    - uses: ./.github/actions/build_binaries
      with:
        use_cross_build: ${{ matrix.use-cross-build }}
        toolchain: ${{ matrix.toolchain }}
        target: ${{ matrix.target }}
        platform_operating_system: ${{ matrix.os }}
        build_app: ${{ matrix.build_app }}

    - name: Copy Artifacts
      run: |
        set -x

        cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
        echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
        ls $GITHUB_WORKSPACE

    - name: Install Cosign
      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
      with:
        cosign-release: 'v2.0.0'

    - name: Sign Binaries
      env:
        PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
      run: |
        cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"

    - name: Upload CLI release archive to AWS
      uses: ./.github/actions/aws_upload
      with:
        aws_role: ${{ env.AWS_ROLE }}
        aws_role_session_name: aws_upload
        aws_region: ${{ env.AWS_REGION }}
        bucket_name: ${{ env.BUCKET_NAME }}
        file_name: ${{ env.ASSET_OCKAM_CLI }}
        release_version: "v${{ needs.create_release.outputs.version }}"

    - name: Upload CLI Signature to AWS
      uses: ./.github/actions/aws_upload
      with:
        aws_role: ${{ env.AWS_ROLE }}
        aws_role_session_name: aws_upload
        aws_region: ${{ env.AWS_REGION }}
        bucket_name: ${{ env.BUCKET_NAME }}
        file_name: ${{ env.ASSET_OCKAM_CLI }}.sig
        release_version: "v${{ needs.create_release.outputs.version }}"

  build_elixir_nifs:
    name: Build Elixir NIFs
    needs: create_release
    environment: release
    permissions:
      contents: write
      id-token: write # This is required for requesting the JWT

    env:
      BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
      AWS_REGION: ${{ vars.AWS_REGION }}
      AWS_ROLE: ${{ vars.AWS_ROLE }}

    strategy:
      fail-fast: false
      matrix:
        job:
          - { target: aarch64-unknown-linux-gnu   , os: ubuntu-22.04 , use-cross: true }
          - { target: x86_64-unknown-linux-gnu    , os: ubuntu-22.04  }
          - { target: aarch64-apple-darwin        , os: macos-14      }
          - { target: x86_64-apple-darwin         , os: macos-14      }

    runs-on: ${{ matrix.job.os }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          ref: ${{ github.event.inputs.release_branch }}

      - name: Install Rust toolchain
        run: |
          # This will allow us update to rust version indicated in our rust-toolchain.toml file
          rustup show
          rustup target add ${{ matrix.job.target }}

      - name: Install Cross
        if: matrix.job.use-cross == true
        run: cargo install --version 0.2.4 cross

      - shell: bash
        if: matrix.job.target == 'ubuntu-22.04'
        run: |
          set -x
          use_cross_build=${{ matrix.job.use-cross }}
          if [[ $use_cross_build != true ]]; then
            sudo apt update
            sudo apt -y --no-install-recommends install libclang-dev clang
          fi

      - name: Build NIFs
        run: |
          set -ex

          if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
            # When building using cross use rust crypto (slower) since the cross image doesn't have an up-to-date libclang
            cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F rust-crypto
            exit
          fi

          rustup target add ${{ matrix.job.target }}
          cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release  --no-default-features -F aws-lc

      - name: List
        run: |
          ls target/${{ matrix.job.target }}/release/

      - name: Rename Build
        run: |
          cargo install tomlq@0.1.0
          ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")

          final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
          if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then
          cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
          else
          cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
          fi

          tar -zcvf "${final_name}.tar.gz" "$final_name"
          echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
        with:
          cosign-release: 'v2.0.0'

      - name: Sign NIFs
        env:
          PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
          COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
        run: |
          cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"

      - name: Upload NIF to AWS
        uses: ./.github/actions/aws_upload
        with:
          aws_role: ${{ env.AWS_ROLE }}
          aws_role_session_name: aws_upload
          aws_region: ${{ env.AWS_REGION }}
          bucket_name: ${{ env.BUCKET_NAME }}
          file_name: "${{ env.FILE_NAME }}"
          release_version: "v${{ needs.create_release.outputs.version }}"

      - name: Upload NIF Signature to AWS
        uses: ./.github/actions/aws_upload
        with:
          aws_role: ${{ env.AWS_ROLE }}
          aws_role_session_name: aws_upload
          aws_region: ${{ env.AWS_REGION }}
          bucket_name: ${{ env.BUCKET_NAME }}
          file_name: "${{ env.FILE_NAME }}.sig"
          release_version: "v${{ needs.create_release.outputs.version }}"

  sign_release:
    name: Sign All Assets
    needs: [build_release, create_release, build_elixir_nifs]
    runs-on: ubuntu-22.04
    environment: release
    permissions:
      contents: write
      id-token: write # This is required for requesting the JWT
    env:
      BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
      AWS_REGION: ${{ vars.AWS_REGION }}
      AWS_ROLE: ${{ vars.AWS_ROLE }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          ref: ${{ github.event.inputs.release_branch }}
          path: aws

      - name: Download Assets From AWS
        uses: ./aws/.github/actions/aws_upload
        with:
          aws_role: ${{ env.AWS_ROLE }}
          aws_role_session_name: aws_upload
          aws_region: ${{ env.AWS_REGION }}
          bucket_name: ${{ env.BUCKET_NAME }}
          release_version: "v${{ needs.create_release.outputs.version }}"
          download_release_dir: "."

      - name: Generate File SHASum
        run: shasum -a 256 *ockam* > sha256sums.txt

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
        with:
          cosign-release: 'v2.0.0'

      - name: Sign Files
        env:
          PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
          COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
        run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig

      - name: Upload SHASum File to AWS
        uses: ./aws/.github/actions/aws_upload
        with:
          aws_role: ${{ env.AWS_ROLE }}
          aws_role_session_name: aws_upload
          aws_region: ${{ env.AWS_REGION }}
          bucket_name: ${{ env.BUCKET_NAME }}
          file_name: sha256sums.txt
          release_version: "v${{ needs.create_release.outputs.version }}"

      - name: Upload SHASum Signature File to AWS
        uses: ./aws/.github/actions/aws_upload
        with:
          aws_role: ${{ env.AWS_ROLE }}
          aws_role_session_name: aws_upload
          aws_region: ${{ env.AWS_REGION }}
          bucket_name: ${{ env.BUCKET_NAME }}
          file_name: sha256sums.txt.sig
          release_version: "v${{ needs.create_release.outputs.version }}"