.github/workflows/deploy.yml

name: Deploy CKAN + NetKAN

on:
  push:
    branches:
      - master
  workflow_dispatch:
  repository_dispatch:
    types:
      - deploy

concurrency: deploy

env:
  AWS_S3_BUCKET: ksp-ckan

jobs:
  sign-assets:
    uses: ./.github/workflows/sign.yml
    secrets: inherit

  check-dev-build:
    runs-on: ubuntu-latest
    outputs:
      dev-build: ${{ steps.check-version.outputs.dev-build }}
    if: github.event_name != 'repository_dispatch'
    steps:
      - uses: actions/checkout@v4
      - name: Treat as dev build if final piece of version is odd
        id: check-version
        shell: bash
        run: |
          VERSION=$(egrep '^\s*\#\#\s+v.*$' CHANGELOG.md | head -1 | sed -e 's/^\s*\#\#\s\+v//' -e 's/-.*$//')
          if [[ $VERSION =~ [13579]$ ]]
          then
            echo 'dev-build=true' >> $GITHUB_OUTPUT
          fi

  upload-release-s3:
    needs:
      - sign-assets
    if: github.event_name != 'repository_dispatch'
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - uses: actions/checkout@v4
      - name: Download repack artifact to get netkan.exe
        uses: actions/download-artifact@v4
        with:
          name: Release-repack-unsigned
          path: _build/repack
      - name: Download signed artifact
        uses: actions/download-artifact@v4
        with:
          name: signed
          path: _build/signed
      - name: Put signed exes into repack path
        run: |
          mkdir -p _build/repack/Release
          cp _build/signed/*.exe _build/repack/Release
      - uses: actions/setup-python@v5
        with:
          python-version: 3.11
      - name: Create a version.json file for dev builds on S3
        shell: bash
        run: |
          export PIP_ROOT_USER_ACTION=ignore
          pip install gitpython
          git config --global --add safe.directory '*'
          python bin/version_info.py > _build/repack/Release/version.json
      - name: Push ckan.exe, AutoUpdater.exe, netkan.exe, and version.json to S3
        run: aws s3 sync _build/repack/Release s3://${AWS_S3_BUCKET} --follow-symlinks

  upload-dmg:
    needs:
      - check-dev-build
      - sign-assets
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    if: github.event_name != 'repository_dispatch' && needs.check-dev-build.outputs.dev-build
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Install OSX build dependencies
        run: sudo apt-get install -y libplist-utils xorriso
      - uses: actions/checkout@v4
      - name: Download signed artifact
        uses: actions/download-artifact@v4
        with:
          name: signed
          path: _build/signed
      - name: Put signed exe into repack path
        run: |
          mkdir -p _build/repack/Release
          cp _build/signed/ckan.exe _build/repack/Release
      - name: Build dmg
        run: ./build osx --configuration=Release --exclusive
      - name: Push dmg to S3
        run: aws s3 cp _build/osx/CKAN.dmg s3://${AWS_S3_BUCKET} --follow-symlinks

  upload-deb:
    needs:
      - check-dev-build
      - sign-assets
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    if: github.event_name != 'repository_dispatch' && needs.check-dev-build.outputs.dev-build
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - uses: actions/checkout@v4
      - name: Download signed artifact
        uses: actions/download-artifact@v4
        with:
          name: signed
          path: _build/signed
      - name: Put signed exe into repack path
        run: |
          mkdir -p _build/repack/Release
          cp _build/signed/ckan.exe _build/repack/Release
      - name: Build deb
        env:
          CODENAME: nightly
        run: ./build deb --configuration=Release --exclusive
      - name: Import GPG key
        env:
          DEBIAN_PRIVATE_KEY: ${{ secrets.DEBIAN_PRIVATE_KEY }}
        run: |
          echo "$DEBIAN_PRIVATE_KEY" | base64 --decode | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
        if: ${{ env.DEBIAN_PRIVATE_KEY }}
      - name: Sign deb release
        env:
          CODENAME: nightly
          DEBIAN_PRIVATE_KEY: ${{ secrets.DEBIAN_PRIVATE_KEY }}
        run: ./build deb-sign --configuration=Release --exclusive
        if: ${{ env.DEBIAN_PRIVATE_KEY }}
      - name: Push deb to S3
        run: aws s3 sync _build/deb/apt-repo-root s3://${AWS_S3_BUCKET}/deb --follow-symlinks
      - name: Push nightly APT repo to S3
        run: aws s3 sync _build/deb/apt-repo-dist s3://${AWS_S3_BUCKET}/deb/dists/nightly --follow-symlinks
      - name: CKAN-ModInstaller repo dispatch
        env:
          REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
        if: env.REPO_ACCESS_TOKEN
        uses: peter-evans/repository-dispatch@v3
        with:
          repository: KSP-CKAN/CKAN-ModInstaller
          event-type: deploy
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

  upload-rpm:
    needs:
      - check-dev-build
      - sign-assets
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    if: github.event_name != 'repository_dispatch' && needs.check-dev-build.outputs.dev-build
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - uses: actions/checkout@v4
      - name: Install rpm build dependencies
        run: sudo apt-get install -y createrepo-c
      - name: Download signed artifact
        uses: actions/download-artifact@v4
        with:
          name: signed
          path: _build/signed
      - name: Put signed exe into repack path
        run: |
          mkdir -p _build/repack/Release
          cp _build/signed/ckan.exe _build/repack/Release
      - name: Build rpm
        run: ./build rpm --configuration=Release --exclusive
      - name: Import GPG key
        env:
          DEBIAN_PRIVATE_KEY: ${{ secrets.DEBIAN_PRIVATE_KEY }}
        run: |
          echo "$DEBIAN_PRIVATE_KEY" | base64 --decode | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
        if: ${{ env.DEBIAN_PRIVATE_KEY }}
      - name: Build nightly RPM repo
        env:
          CODENAME: nightly
          DEBIAN_PRIVATE_KEY: ${{ secrets.DEBIAN_PRIVATE_KEY }}
        run: ./build rpm-repo --configuration=Release --exclusive
        if: ${{ env.DEBIAN_PRIVATE_KEY }}
      - name: Push nightly PRM repo to S3
        run: aws s3 sync _build/rpm/repo s3://${AWS_S3_BUCKET}/rpm/nightly --follow-symlinks

  upload-inflator:
    needs:
      - sign-assets
    if: github.event_name != 'repository_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Download Inflator image artifact
        uses: actions/download-artifact@v4
        with:
          name: inflator-image
          path: /tmp
      - name: Load Inflator image
        run: docker load --input /tmp/inflator-image.tar
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Push Inflator image to Docker Hub
        run: docker push kspckan/inflator:latest
      - name: Redeploy Inflator containers
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: us-west-2
        shell: bash
        run: |
          docker image pull -q kspckan/netkan
          for CONTAINER in InflatorKsp InflatorKsp2
          do
            docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_DEFAULT_REGION kspckan/netkan redeploy-service --cluster NetKANCluster --service-name $CONTAINER &
          done
          wait

  upload-metadata-tester:
    needs:
      - sign-assets
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download repack artifact
        uses: actions/download-artifact@v4
        with:
          name: Release-repack-unsigned
          path: _build/repack/
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Generate metadata tester Docker image and publish to Hub
        uses: docker/build-push-action@v5
        with:
          file: Dockerfile.metadata
          context: _build/repack/Release
          tags: kspckan/metadata
          push: true

  notify-discord:
    needs:
      - sign-assets
      - upload-release-s3
      - upload-dmg
      - upload-deb
      - upload-rpm
      - upload-inflator
      - upload-metadata-tester
    if: always()
    uses: ./.github/workflows/notify.yml
    with:
      name: ${{ github.workflow }}
      success: ${{ !contains(needs.*.result, 'failure') }}
    secrets: inherit