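# Release workflow: builds the macOS binaries for amd64 and arm64, packages
# them for Homebrew, then publishes them with SHA-256 checksums and a build
# provenance attestation.
#
# Security posture:
#   * The workflow-level token is read-only; only the `release` job elevates.
#   * Third-party actions are pinned to full commit SHAs (the trailing comment
#     names the release line), with one exception flagged in the release job.
#   * Matrix values reach shell scripts through environment variables rather
#     than `${{ }}` interpolation, so they are never spliced into script text.
name: Release

# Runs only for pushed tags matching 'V*' (capital V).
on:
  push:
    tags:
      - 'V*'

# Default for every job; jobs that need more declare it explicitly.
permissions:
  contents: read

jobs:
  build:
    name: Build
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - os: macos-latest
            target: release-amd64
            artifact_name: binaries-amd64
          - os: macos-latest
            target: release-arm64
            artifact_name: binaries-arm64
    steps:
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v4

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v5
        with:
          go-version-file: go.mod

      - name: Build Binaries
        env:
          # Passed as data, not expanded into the script body. The name is
          # deliberately specific so it cannot shadow a Makefile variable.
          MATRIX_TARGET: ${{ matrix.target }}
        run: |
          make "$MATRIX_TARGET"
          ls -l bin/

      - name: Package binaries for Homebrew
        env:
          MATRIX_TARGET: ${{ matrix.target }}
        run: |
          cd bin
          # Package binaries into tar.gz for Homebrew resource
          if [[ "$MATRIX_TARGET" == "release-arm64" ]]; then
            tar -czf binaries-darwin-arm64.tar.gz analyze-darwin-arm64 status-darwin-arm64
            ls -lh binaries-darwin-arm64.tar.gz
          else
            tar -czf binaries-darwin-amd64.tar.gz analyze-darwin-amd64 status-darwin-amd64
            ls -lh binaries-darwin-amd64.tar.gz
          fi

      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: ${{ matrix.artifact_name }}
          path: bin/*-darwin-*
          # Intermediate hand-off to the release job only; keep it short-lived.
          retention-days: 1

  release:
    name: Publish Release
    needs: build
    runs-on: ubuntu-latest
    # Elevated scopes are limited to this job:
    #   contents: write     - create the release and upload its assets
    #   attestations: write - store the provenance attestation
    #   id-token: write     - obtain the OIDC token used to sign it
    permissions:
      contents: write
      attestations: write
      id-token: write
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
        with:
          path: bin
          pattern: binaries-*
          merge-multiple: true

      - name: Display structure of downloaded files
        run: ls -R bin/

      - name: Generate release checksums
        run: |
          cd bin
          # The file list is captured before SHA256SUMS exists, so the
          # checksum file never lists itself.
          mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)
          # Fail closed: an empty release must not be published.
          if [[ ${#release_files[@]} -eq 0 ]]; then
            echo "No release assets found"
            exit 1
          fi
          sha256sum "${release_files[@]}" > SHA256SUMS
          cat SHA256SUMS

      # NOTE(review): this is the only action referenced by a mutable tag, and
      # it runs in the job that holds contents/attestations/id-token write.
      # Pin it like the others once the release commit has been verified:
      #   actions/attest-build-provenance@<FULL_COMMIT_SHA>  # v4
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v4
        with:
          # SHA256SUMS is attested too, so the checksum file itself can be
          # verified rather than trusted on its own.
          subject-path: |
            bin/analyze-darwin-*
            bin/status-darwin-*
            bin/binaries-darwin-*.tar.gz
            bin/SHA256SUMS

      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: ${{ github.ref_name }}
          files: bin/*
          generate_release_notes: false
          draft: false
          prerelease: false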