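# Builds Nix for four systems through the reusable build workflow, gathers
# the resulting artifacts, uploads them with push-artifact-ids and, for the
# default branch or a tag, publishes the flake with flakehub-push.
name: Upload release

# Every run shares one concurrency group, so runs execute one at a time.
concurrency:
  group: upload-release

on:
  workflow_call:
  push:
    branches:
      # NOTE: make sure any branches here are also valid directory names,
      # otherwise creating the directory and uploading to s3 will fail
      - "detsys-main"
  # NOTE(review): runs triggered by pull requests from forks get no
  # repository secrets, so the upload step would see empty role and bucket
  # values; confirm push-artifact-ids handles that case.
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - labeled
  release:
    types:
      - released

# Workflow-level default: every job that does not set its own `permissions`
# may request an OIDC token and read the repository contents.
# NOTE(review): the four build jobs inherit `id-token: write`; confirm
# build.yml needs it, otherwise grant it only on the jobs that use it.
permissions:
  id-token: "write"
  contents: "read"

jobs:
  build-x86_64-linux:
    uses: ./.github/workflows/build.yml
    with:
      os: blacksmith-32vcpu-ubuntu-2204
      system: x86_64-linux
      run_tests: false

  build-aarch64-linux:
    uses: ./.github/workflows/build.yml
    with:
      os: blacksmith-32vcpu-ubuntu-2204-arm
      system: aarch64-linux
      run_tests: false

  build-x86_64-darwin:
    uses: ./.github/workflows/build.yml
    with:
      os: macos-13
      system: x86_64-darwin
      run_tests: false

  build-aarch64-darwin:
    uses: ./.github/workflows/build.yml
    with:
      os: macos-latest
      system: aarch64-darwin
      run_tests: false

  # Collects the build outputs and hands them to the upload action.
  release:
    runs-on: ubuntu-latest
    needs:
      - build-x86_64-linux
      - build-aarch64-linux
      - build-x86_64-darwin
      - build-aarch64-darwin
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # NOTE(review): `@main` is a mutable branch ref, and this job can mint
      # an OIDC token and passes secrets to a later step. Pin the
      # DeterminateSystems actions to a full commit SHA
      # (e.g. `@<full-commit-sha>  # main`) so upstream changes are reviewed
      # before they run here. The `@v4` tags are mutable as well.
      - uses: "DeterminateSystems/nix-installer-action@main"
        with:
          determinate: true
      - name: Create artifacts directory
        run: mkdir -p ./artifacts
      - name: Fetch artifacts
        uses: actions/download-artifact@v4
        with:
          path: downloaded
      # Each directory under ./downloaded is renamed into ./artifacts using
      # the directory's own name. The mv call expects a single *.xz file per
      # directory.
      - name: Move downloaded artifacts to artifacts directory
        run: |
          for dir in ./downloaded/*; do
            arch="$(basename "$dir")"
            mv "$dir"/*.xz ./artifacts/"${arch}"
          done
      - name: Build fallback-paths.nix
        run: |
          nix build .#fallbackPathsNix --out-link fallback
          cat fallback > ./artifacts/fallback-paths.nix
      # The role ARN and bucket name come from repository secrets.
      # NOTE(review): the input name suggests `allowed_branches` limits which
      # branches may upload; confirm against the action, and keep it in sync
      # with the `push.branches` list above.
      - uses: DeterminateSystems/push-artifact-ids@main
        with:
          s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }}
          bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }}
          directory: ./artifacts
          ids_project_name: determinate-nix
          ids_binary_prefix: determinate-nix
          skip_acl: true
          allowed_branches: '["detsys-main"]'

  # Publishes to FlakeHub. Runs only outside forks, and only for the default
  # branch or a tag ref.
  publish:
    needs:
      - release
    # `github.repository` is the "owner/name" string and has no `fork`
    # property, so `!github.repository.fork` was always true and never
    # excluded forks. The flag is read from the event payload instead, the
    # same object that already supplies `default_branch` below.
    if: >-
      (!github.event.repository.fork
      && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
      || startsWith(github.ref, 'refs/tags/')))
    # Only `release` events use the `production` environment; other events
    # get an empty environment name.
    environment: ${{ github.event_name == 'release' && 'production' || '' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): both actions below track `@main` in a job that can mint
      # an OIDC token; pin them to a full commit SHA.
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: "DeterminateSystems/flakehub-push@main"
        with:
          # `rolling` is true for pushes to the default branch and false for
          # tag refs.
          rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          visibility: "public"
          tag: "${{ github.ref_name }}"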