# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/github-workflow.json
name: .NET

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

env:
  DOTNET_NOLOGO: true
  DOTNET_CLI_TELEMETRY_OPTOUT: true
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
  NUGET_XMLDOC_MODE: ''
  DOTNET_MULTILEVEL_LOOKUP: 0

jobs:
  build-windows:
    runs-on: windows-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0 # so that NerdBank.GitVersioning has access to history
    - uses: actions/setup-dotnet@v4
      with:
        dotnet-version: '8.0.x'
    - name: Restore dependencies
      run: dotnet restore
    - name: Test
      run: dotnet test
    - name: Publish
      run: dotnet publish Example
    - name: Run example
      run: ".\\Example\\bin\\Release\\net8.0\\win-x64\\Example.exe"

  build:
    strategy:
      matrix:
        config:
          - Release
          - Debug

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0 # so that NerdBank.GitVersioning has access to history
    - name: Install Nix
      uses: cachix/install-nix-action@v30
      with:
        extra_nix_config: |
          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    - name: Restore dependencies
      run: nix develop --command dotnet restore
    - name: Build
      run: nix develop --command dotnet build --no-restore --configuration ${{matrix.config}}
    - name: Test
      run: nix develop --command dotnet test --no-build --verbosity normal --configuration ${{matrix.config}}
    - name: Publish example
      run: nix develop --command dotnet publish --no-build --verbosity normal --configuration ${{matrix.config}} Example
    - name: Run example self-contained
      run: "./Example/bin/${{matrix.config}}/*/*/Example"

  build-nix:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Build
        run: nix build
      - name: Reproducibility check
        run: nix build --rebuild

  check-dotnet-format:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Run Fantomas
        run: nix run .#fantomas -- --check .

  check-nix-format:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Run Alejandra
        run: nix develop --command alejandra --check .

  linkcheck:
    name: Check links
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Run link checker
        run: nix develop --command markdown-link-check README.md

  flake-check:
    name: Check flake
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Flake check
        run: nix flake check

  nuget-pack:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0 # so that NerdBank.GitVersioning has access to history
    - name: Install Nix
      uses: cachix/install-nix-action@v30
      with:
        extra_nix_config: |
          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    - name: Restore dependencies
      run: nix develop --command dotnet restore
    - name: Build
      run: nix develop --command dotnet build --no-restore --configuration Release
    - name: Pack
      run: nix develop --command dotnet pack --configuration Release
    - name: Upload NuGet artifact
      uses: actions/upload-artifact@v4
      with:
        name: nuget-package
        path: WoofWare.DotnetRuntimeLocator/bin/Release/WoofWare.DotnetRuntimeLocator.*.nupkg

  expected-pack:
    needs: [nuget-pack]
    runs-on: ubuntu-latest
    steps:
      - name: Download NuGet artifact
        uses: actions/download-artifact@v4
        with:
          name: nuget-package
          path: packed
      - name: Check NuGet contents
        # Verify that there is exactly one nupkg in the artifact that would be NuGet published
        run: if [[ $(find packed -maxdepth 1 -name 'WoofWare.DotnetRuntimeLocator.*.nupkg' -printf c | wc -c) -ne "1" ]]; then exit 1; fi

  github-release-dry-run:
    needs: [nuget-pack]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download NuGet artifact
        uses: actions/download-artifact@v4
        with:
          name: nuget-package
      - name: Tag and release
        env:
          DRY_RUN: 1
          GITHUB_TOKEN: mock-token
        run: sh .github/workflows/tag.sh

  all-required-checks-complete:
    if: ${{ always() }}
    needs: [check-dotnet-format, check-nix-format, build, build-nix, linkcheck, flake-check, nuget-pack, expected-pack, github-release-dry-run, build-windows]
    runs-on: ubuntu-latest
    steps:
      - uses: G-Research/common-actions/check-required-lite@2b7dc49cb14f3344fbe6019c14a31165e258c059
        with:
          needs-context: ${{ toJSON(needs) }}

  attestation:
    runs-on: ubuntu-latest
    needs: [all-required-checks-complete]
    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
    permissions:
      id-token: write
      attestations: write
      contents: read
    steps:
      - name: Download NuGet artifact
        uses: actions/download-artifact@v4
        with:
          name: nuget-package
          path: packed
      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
        with:
          subject-path: "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"

  nuget-publish:
    runs-on: ubuntu-latest
    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
    needs: [attestation]
    environment: main-deploy
    permissions:
      id-token: write
      attestations: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Download NuGet artifact
        uses: actions/download-artifact@v4
        with:
          name: nuget-package
          path: packed
      - name: Identify .NET
        id: identify-dotnet
        run: nix develop --command bash -c "echo dotnet=$(which dotnet) >> $GITHUB_OUTPUT"
      - name: Publish NuGet package
        uses: G-Research/common-actions/publish-nuget@2b7dc49cb14f3344fbe6019c14a31165e258c059
        with:
          package-name: WoofWare.DotnetRuntimeLocator
          nuget-key: ${{ secrets.NUGET_API_KEY }}
          nupkg-dir: packed/
          dotnet: ${{ steps.identify-dotnet.outputs.dotnet }}

  github-release:
    runs-on: ubuntu-latest
    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
    needs: [all-required-checks-complete]
    environment: main-deploy
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Download NuGet artifact
        uses: actions/download-artifact@v4
        with:
          name: nuget-package
      - name: Tag and release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: sh .github/workflows/tag.sh