name: Release
on:
  push:
    branches:
      - master
env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
  RUST_BACKTRACE: short
  RUSTUP_MAX_RETRIES: 10
  MACOSX_DEPLOYMENT_TARGET: 10.7

jobs:
  # Update release PR
  release_please:
    name: Release Please
    runs-on: ubuntu-latest
    if: github.repository == 'starship/starship'
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - uses: google-github-actions/release-please-action@v4
        id: release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          release-type: rust

  # Build sources for every OS
  github_build:
    name: Build release binaries
    needs: release_please
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            name: starship-x86_64-unknown-linux-gnu.tar.gz

          - target: x86_64-unknown-linux-musl
            os: ubuntu-latest
            name: starship-x86_64-unknown-linux-musl.tar.gz

          - target: i686-unknown-linux-musl
            os: ubuntu-latest
            name: starship-i686-unknown-linux-musl.tar.gz

          - target: aarch64-unknown-linux-musl
            os: ubuntu-latest
            name: starship-aarch64-unknown-linux-musl.tar.gz

          - target: arm-unknown-linux-musleabihf
            os: ubuntu-latest
            name: starship-arm-unknown-linux-musleabihf.tar.gz

          - target: x86_64-apple-darwin
            os: macos-latest
            name: starship-x86_64-apple-darwin.tar.gz

          - target: aarch64-apple-darwin
            os: macos-latest
            name: starship-aarch64-apple-darwin.tar.gz

          - target: x86_64-pc-windows-msvc
            os: windows-latest
            name: starship-x86_64-pc-windows-msvc.zip
            rustflags: -C target-feature=+crt-static

          - target: i686-pc-windows-msvc
            os: windows-latest
            name: starship-i686-pc-windows-msvc.zip
            rustflags: -C target-feature=+crt-static

          - target: aarch64-pc-windows-msvc
            os: windows-latest
            name: starship-aarch64-pc-windows-msvc.zip
            rustflags: -C target-feature=+crt-static

          - target: x86_64-unknown-freebsd
            os: ubuntu-latest
            name: starship-x86_64-unknown-freebsd.tar.gz

    runs-on: ${{ matrix.os }}
    continue-on-error: true
    env:
      RUSTFLAGS: ${{ matrix.rustflags || '' }}
    steps:
      - name: Setup | Checkout
        uses: actions/checkout@v4

      - name: Setup | Rust
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
          target: ${{ matrix.target }}

      - name: Setup | Install cargo-wix [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        run: cargo install --version 0.3.4 cargo-wix
        env:
          # cargo-wix does not require static crt
          RUSTFLAGS: ""

      - name: Setup | Install cross [Linux]
        if: matrix.os == 'ubuntu-latest'
        uses: taiki-e/install-action@cross

      - name: Build | Build [Cargo]
        if: matrix.os != 'ubuntu-latest'
        run: cargo build --release --locked --target ${{ matrix.target }}

      - name: Build | Build [Cross]
        if: matrix.os == 'ubuntu-latest'
        run: cross build --release --locked --target ${{ matrix.target }}

      - name: Build | Installer [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        run: >
          cargo wix -v --no-build --nocapture -I install/windows/main.wxs
          --target ${{ matrix.target }}
          --output target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi

      - name: Sign | Upload [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        id: unsigned-artifacts
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-${{ matrix.name }}
          path: |
            target/${{ matrix.target }}/release/starship.exe
            target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi

      - name: Sign | Sign [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        uses: signpath/github-action-submit-signing-request@v1
        with:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
          project-slug: 'starship'
          github-artifact-id: '${{ steps.unsigned-artifacts.outputs.artifact-id }}'
          signing-policy-slug: 'release-signing'
          wait-for-completion: true
          output-artifact-directory: 'target/${{ matrix.target }}/release'

      - name: Post Build | Prepare artifacts [Windows]
        if: matrix.os == 'windows-latest'
        run: |
          cd target/${{ matrix.target }}/release
          7z a ../../../${{ matrix.name }} starship.exe
          cd -

      - name: Post Build | Prepare artifacts [-nix]
        if: matrix.os != 'windows-latest'
        run: |
          cd target/${{ matrix.target }}/release
          tar czvf ../../../${{ matrix.name }} starship
          cd -

      - name: Release | Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.name }}
          path: ${{ matrix.name }}

      - name: Release | Upload installer artifacts [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        uses: actions/upload-artifact@v4
        with:
          name: starship-${{ matrix.target }}.msi
          path: target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi

  # Notarize starship binaries for MacOS and build notarized pkg installers
  notarize_and_pkgbuild:
    runs-on: macos-latest
    continue-on-error: true
    needs: [github_build, merge_crowdin_pr]
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-apple-darwin
            arch: x86_64
            name: starship-x86_64-apple-darwin.tar.gz
            pkgname: starship-x86_64-apple-darwin.pkg

          - target: aarch64-apple-darwin
            arch: aarch64
            name: starship-aarch64-apple-darwin.tar.gz
            pkgname: starship-aarch64-apple-darwin.pkg

    env:
      KEYCHAIN_FILENAME: app-signing.keychain-db
      KEYCHAIN_ENTRY: AC_PASSWORD
      STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Required to include the recently merged Crowdin PR
          ref: master

      - name: Notarize | Set up secrets
        env:
          APP_CERTIFICATE_BASE64: ${{ secrets.APPLEDEV_APPSIGNKEY_BASE64 }}
          INSTALL_CERTIFICATE_BASE64: ${{ secrets.APPLEDEV_INSTALLERSIGNKEY_BASE64 }}
          P12_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }}
          KEYCHAIN_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }}
          APPLEID_USERNAME: ${{ secrets.APPLEDEV_ID_NAME }}
          APPLEID_TEAMID: ${{ secrets.APPLEDEV_TEAM_ID }}
          APPLEID_PASSWORD: ${{ secrets.APPLEDEV_PASSWORD }}
        run: |
          APP_CERTIFICATE_PATH="$RUNNER_TEMP/app_certificate.p12"
          INSTALL_CERTIFICATE_PATH="$RUNNER_TEMP/install_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"

          # import certificates from secrets
          echo -n "$APP_CERTIFICATE_BASE64" | base64 --decode --output $APP_CERTIFICATE_PATH
          echo -n "$INSTALL_CERTIFICATE_BASE64" | base64 --decode --output $INSTALL_CERTIFICATE_PATH

          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # import certificates to keychain
          security import $APP_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security import $INSTALL_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          # Add Apple Developer ID credentials to keychain
          xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" --team-id "$APPLEID_TEAMID" --apple-id "$APPLEID_USERNAME" --password "$APPLEID_PASSWORD" --keychain "$KEYCHAIN_PATH"

      - name: Setup | Node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Notarize | Build docs
        run: |
          cd docs
          npm install
          npm run build

      - name: Notarize | Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.name }}
          path: artifacts

      - name: Notarize | Unpack Binaries
        run: tar xf artifacts/${{ matrix.name }}

      - name: Notarize | Build, Sign, and Notarize Pkg
        run: bash install/macos_packages/build_and_notarize.sh starship docs ${{ matrix.arch }} ${{ matrix.pkgname }}

      - name: Notarize | Upload Notarized Flat Installer
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.pkgname }}
          path: ${{ matrix.pkgname }}

      - name: Notarize | Package Notarized Binary
        run: tar czvf ${{ matrix.name }} starship

      - name: Notarize | Upload Notarized Binary
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.name }}
          path: ${{ matrix.name }}
          overwrite: true

      - name: Cleanup Secrets
        if: ${{ always() }}
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"
          security delete-keychain $KEYCHAIN_PATH

  # Create GitHub release with Rust build targets and release notes
  upload_artifacts:
    name: Add Build Artifacts to Release
    needs: [release_please, github_build, notarize_and_pkgbuild]
    runs-on: ubuntu-latest
    steps:
      - name: Setup | Artifacts
        uses: actions/download-artifact@v4

      - name: Setup | Checksums
        run: for file in starship-*/starship-*; do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done

      - name: Setup | Publish Release
        run: gh release edit ${{ needs.release_please.outputs.tag_name }} --draft=false --repo=starship/starship
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build | Add Artifacts to Release
        uses: softprops/action-gh-release@v2
        with:
          files: starship-*/starship-*
          tag_name: ${{ needs.release_please.outputs.tag_name }}

  # Publish starship to Crates.io
  cargo_publish:
    name: Publish Cargo Package
    runs-on: ubuntu-latest
    needs: [release_please, upload_artifacts]
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    steps:
      - name: Setup | Checkout
        uses: actions/checkout@v4

      - name: Setup | Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Build | Publish
        run: cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }}

  update_brew_formula:
    name: Update Brew Formula
    runs-on: ubuntu-latest
    needs: [release_please, upload_artifacts]
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    steps:
      - uses: mislav/bump-homebrew-formula-action@v3.2
        with:
          formula-name: starship
          tag-name: ${{ needs.release_please.outputs.tag_name }}
        env:
          # Used for creating the formula update PR
          COMMITTER_TOKEN: ${{ secrets.GH_PAT }}
          # Used for verifying the SHA256 sum of the draft release
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

  winget_update:
    name: Update Winget Manifest
    runs-on: windows-latest
    needs: [release_please, github_build, upload_artifacts]
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    env:
      URL_64: https://github.com/starship/starship/releases/download/${{ needs.release_please.outputs.tag_name }}/starship-x86_64-pc-windows-msvc
      URL_32: https://github.com/starship/starship/releases/download/${{ needs.release_please.outputs.tag_name }}/starship-i686-pc-windows-msvc
      URL_ARM: https://github.com/starship/starship/releases/download/${{ needs.release_please.outputs.tag_name }}/starship-aarch64-pc-windows-msvc
    steps:
      # Publishing will fail if the repo is too far behind the upstream
      - run: gh repo sync matchai/winget-pkgs
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
      - run: |
          $version = '${{ needs.release_please.outputs.tag_name }}'.replace('v', '')
          iwr https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
          ./wingetcreate.exe update Starship.Starship -s -v $version `
            -u ${{ env.URL_64 }}.msi  ${{ env.URL_64 }}.zip `
               ${{ env.URL_32 }}.msi  ${{ env.URL_32 }}.zip `
               ${{ env.URL_ARM }}.msi ${{ env.URL_ARM }}.zip `
            -t ${{ secrets.GH_PAT }}

  choco_update:
    name: Update Chocolatey Package
    runs-on: windows-latest
    needs: [release_please, github_build, upload_artifacts]
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    steps:
      - name: Setup | Checkout
        uses: actions/checkout@v4
      - name: Setup | Artifacts
        uses: actions/download-artifact@v4
      - run: pwsh ./install/windows/choco/update.ps1
        env:
          STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
          PUSH_TOKEN: ${{ secrets.CHOCO_TOKEN }}

  merge_crowdin_pr:
    name: Merge Crowdin PR
    runs-on: ubuntu-latest
    needs: release_please
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    continue-on-error: true
    steps:
      - name: Setup | Checkout
        uses: actions/checkout@v4
      - name: Merge | Merge Crowdin PR
        run: gh pr merge i18n_master --squash --repo=starship/starship
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

  publish_docs:
    name: Trigger docs deployment
    runs-on: ubuntu-latest
    needs: merge_crowdin_pr
    steps:
      - name: Setup | Checkout
        uses: actions/checkout@v4
      - name: Trigger workflow dispatch
        run: gh workflow run publish-docs.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}