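# CI for the credential helpers: lint and vendor validation, unit tests across
# an OS matrix, a sandboxed test run through docker bake, the release build
# (plus a draft GitHub release on v* tags) and the deb package build.
name: build

# One run per workflow and ref; a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default token scope for every job. Jobs that need more declare it themselves.
permissions:
  contents: read

on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:

env:
  DESTDIR: ./bin
  # Quoted so the version always reaches setup-go as a string.
  GO_VERSION: "1.26.3"

jobs:
  validate:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        target:
          - lint
          - validate-vendor
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No step visible in this job runs an authenticated git operation
          # after checkout, so the token is not left in the git configuration.
          # Confirm the make targets do not need it.
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Run
        # matrix.target comes from the static list above, not from event data.
        run: |
          make ${{ matrix.target }}

  test:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
          - macOS-15-intel
          - macOS-15
          - macOS-14
          - windows-2022
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The tests run repository code on the runner; do not leave the
          # workflow token where that code can read it.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install deps (ubuntu)
        if: startsWith(matrix.os, 'ubuntu-')
        run: |
          sudo apt-get update
          sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
      - name: Install deps (macOS)
        if: startsWith(matrix.os, 'macOS-')
        run: |
          brew install pass
      - name: GPG conf
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: gpg
        with:
          # The key and passphrase are test fixtures committed to the
          # repository, which is why they may travel as plain step outputs.
          # A real signing key must never be handled this way.
          script: |
            const fs = require('fs');
            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
            if (!fs.existsSync(gnupgfolder)) {
              // Create the GnuPG home directory with owner-only permissions.
              fs.mkdirSync(gnupgfolder, { mode: 0o700 });
            }
            // Synchronous copy: a failure throws here and fails the step,
            // instead of surfacing later from an un-awaited callback.
            fs.copyFileSync('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`);
            core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
            core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
      - name: Import GPG key
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
        with:
          gpg_private_key: ${{ steps.gpg.outputs.key }}
          passphrase: ${{ steps.gpg.outputs.passphrase }}
          trust_level: 5
      - name: Init pass
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        run: |
          pass init 7D851EB72D73BDA0
        shell: bash
      - name: Test
        run: |
          make test COVERAGEDIR=${{ env.DESTDIR }}
        shell: bash
      - name: Upload coverage
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          files: ${{ env.DESTDIR }}/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  test-sandboxed:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      # NOTE(review): this job has no checkout step. The bake action
      # presumably builds from the Git context of the ref; confirm.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Test
        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          targets: test
          set: |
            *.cache-from=type=gha,scope=test
            *.cache-to=type=gha,scope=test,mode=max
      - name: Upload coverage
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          # Same file as before; the stray doubled slash is removed.
          files: ${{ env.DESTDIR }}/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  build:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    permissions:
      # required to create GitHub release
      # NOTE(review): this write scope covers every step of the job,
      # including `make release`, on every trigger, although only the
      # tag-gated release step needs it. Moving the release into its own job
      # would let the build run with the read-only default.
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # This job's token can write repository contents. Keep it out of
          # the git configuration that the build can read. The release step
          # receives the token explicitly through its own env.
          persist-credentials: false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build
        run: |
          make release
        env:
          CACHE_FROM: type=gha,scope=build
          CACHE_TO: type=gha,scope=build,mode=max
      - name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      - name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +
      - name: Upload artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: docker-credential-helpers
          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error
      - name: GitHub Release
        # Only tag pushes matching v* publish, and only as a draft release.
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*

  build-deb:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # No step visible in this job needs git credentials after checkout.
          persist-credentials: false
      - name: Build
        run: |
          make deb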