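# Manually triggered release pipeline for the Windows artifacts of a tagged
# build: compiles with GoReleaser, wraps the zips into MSIs, signs the MSIs
# with Azure Code Signing, and stages zips + MSIs as a workflow artifact.
name: Deployment
run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}

# NOTE(review): cancelling an in-flight run of this workflow can abandon a
# partially built/signed release set for the same ref — confirm that is the
# intended trade-off for a deployment workflow.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true

# Workflow-wide token scope; every job inherits it. Only one job exists here,
# but moving this under `jobs.windows` keeps future jobs least-privileged.
permissions:
  contents: write

on:
  workflow_dispatch:
    inputs:
      # Release tag to build (consumed by script/release-hsm via $TAG_NAME).
      tag_name:
        required: true
        type: string
      # Quoted so the value stays a string ("1.21", not the float 1.21).
      go_version:
        default: "1.21"
        type: string

jobs:
  windows:
    runs-on: windows-latest
    environment: production
    steps:
      # Supply-chain note: the marketplace actions below are pinned to mutable
      # tags, whereas the signing action further down is pinned to a full
      # commit SHA. Pinning all of them to SHAs gives the same guarantee.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: ${{ inputs.go_version }}

      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          version: "~1.17.1"
          install-only: true

      # Downloads the Azure Code Signing client, drops a newer signtool into
      # ./scripts, and writes the metadata.json that signtool/ACS consume.
      - name: Install Azure Code Signing Client
        shell: pwsh
        env:
          ACS_DIR: ${{ runner.temp }}\acs
          ACS_ZIP: ${{ runner.temp }}\acs.zip
          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
        run: |
          # Version is pinned, but the package is not integrity-checked after
          # download; a Get-FileHash comparison against a recorded SHA-256
          # (value to be taken from a trusted build, not invented here) would
          # close that gap.
          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
          # Use the env vars this step defines; the previous form referenced an
          # undefined $acsZip and passed a stray positional "acsDir" token.
          Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose

          # Replace ancient signtool in scripts with one that supports ACS
          # (hard-coded to one Windows SDK build; breaks if the runner image drops it)
          Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination scripts -Verbose

          # Generate metadata file for signtool
          @{
            CertificateProfileName = "GitHubInc"
            CodeSigningAccountName = "GitHubInc"
            CorrelationId = $Env:CORRELATION_ID
            Description = "GitHub CLI"
            # Closing quote was missing, which left the string unterminated and
            # swallowed every line below it (including the closing brace).
            Endpoint = "https://wus.codesigning.azure.net/"
            # Unused metadata configuration:
            # AppendSignature
            # DescriptionUrl
            # EnhancedKeyUsage
            # ExcludeAzureCliCredential
            # ExcludeAzurePowerShellCredential
            # ExcludeEnvironmentCredential
            # ExcludeInteractiveBrowserCredential
            # ExcludeManagedIdentityCredential
            # ExcludeSharedTokenCacheCredential
            # ExcludeVisualStudioCodeCredential
            # ExcludeVisualStudioCredential
            # FileDigest
            # FilesCatalog
            # FilesFolder
            # FilesFolderDepth
            # FilesFolderFilter
            # FilesFolderRecurse
            # GenerateDigestPath
            # GenerateDigestXml
            # GeneratePageHashes
            # GeneratePkcs7
            # IngestDigestPath
            # Pkcs7Oid
            # Pkcs7Options
            # SignDigest
            # SuppressPageHashes
            # Timeout
            # TimestampDigest
            # TimestampRfc3161
          } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH

      # script/release-hsm lives in the repository and is not shown here; the
      # tag is passed through an env var rather than interpolated into the
      # command, so a crafted tag_name cannot alter the shell command.
      - name: Build release binaries
        shell: bash
        env:
          DLIB_PATH: ${{ runner.temp }}\acs\bin/x64/Azure.CodeSigning.Dlib.dll
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
          TAG_NAME: ${{ inputs.tag_name }}
        run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml

      - name: Set up MSBuild
        id: setupmsbuild
        uses: microsoft/setup-msbuild@v1.3.1

      # One MSI per 386/amd64 zip; arm64 is skipped (WiX 3.11 limitation).
      # `shell: bash` runs with -eo pipefail, so any failing command aborts.
      - name: Build MSI
        shell: bash
        env:
          MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
        run: |
          for ZIP_FILE in dist/gh_*_windows_*.zip; do
            MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
            # e.g. gh_2.0.0_windows_amd64 -> 2.0.0 (leading "v" stripped below)
            MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
            case "$MSI_NAME" in
            *_386 )
              source_dir="$PWD/dist/windows_windows_386"
              platform="x86"
              ;;
            *_amd64 )
              source_dir="$PWD/dist/windows_windows_amd64_v1"
              platform="x64"
              ;;
            *_arm64 )
              echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
              continue
              #source_dir="$PWD/dist/windows_windows_arm64"
              #platform="arm64"
              ;;
            * )
              # Also reached when the glob matches nothing (the literal pattern
              # falls through to here), which fails the job rather than
              # silently producing no MSIs.
              printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
              exit 1
              ;;
            esac
            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
          done

      # Signs every *.msi under dist/ with the same ACS account/profile the
      # metadata.json above names. Pinned to a full commit SHA, which is the
      # right choice for a step that receives service-principal credentials.
      - name: Sign .msi release binaries
        uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
        with:
          azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
          azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
          azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
          endpoint: https://wus.codesigning.azure.net/
          code-signing-account-name: GitHubInc
          certificate-profile-name: GitHubInc
          files-folder: ${{ github.workspace }}/dist
          files-folder-filter: msi
          file-digest: SHA256
          # RFC 3161 timestamp responses are themselves signed, so plain http
          # for the TSA endpoint does not weaken the signature.
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256

      # Stages the signed MSIs and the zips for the downstream publish step;
      # fails the job if nothing was produced.
      - uses: actions/upload-artifact@v3
        with:
          name: windows
          if-no-files-found: error
          retention-days: 7
          path: |
            dist/*.zip
            dist/*.msi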