goose/.github/workflows/release-goose2.yml

on:
  push:
    tags:
      - "v2.*"
  workflow_dispatch:
    inputs:
      version:
        description: "Version string (e.g. 2.0.0-rc.1). Used when testing from a branch."
        required: true
        type: string
      cli-run-id:
        description: "Run ID of a build-cli workflow to pull goose binaries from (skips CLI build step)"
        required: false
        type: string
        default: ""

name: "Release Goose 2"

permissions:
  id-token: write      # Sigstore OIDC signing + Azure OIDC (Windows signing)
  contents: write      # Creating releases + actions/checkout
  actions: read        # Downloading artifacts across workflow runs
  attestations: write  # SLSA build provenance attestations

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  prepare-version:
    name: Prepare Version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.set-version.outputs.version }}
    steps:
      - name: Extract version
        id: set-version
        run: |
          if [ -n "${{ inputs.version }}" ]; then
            VERSION="${{ inputs.version }}"
          else
            # Strip the leading "v" from the tag (e.g. v2.0.0 → 2.0.0)
            VERSION="${GITHUB_REF_NAME#v}"
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Release version: $VERSION"

  build-cli:
    if: inputs.cli-run-id == ''
    needs: [prepare-version]
    uses: ./.github/workflows/build-cli.yml
    with:
      version: ${{ needs.prepare-version.outputs.version }}

  bundle-goose2:
    needs: [prepare-version, build-cli]
    if: ${{ !cancelled() && needs.prepare-version.result == 'success' && (needs.build-cli.result == 'success' || needs.build-cli.result == 'skipped') }}
    uses: ./.github/workflows/bundle-goose2.yml
    permissions:
      id-token: write
      contents: read
      actions: read
    with:
      version: ${{ needs.prepare-version.outputs.version }}
      signing: true
      windows-signing: true
      environment: signing
      cli-run-id: ${{ inputs.cli-run-id != '' && inputs.cli-run-id || github.run_id }}
    secrets: inherit

  install-script:
    name: Upload Install Script
    runs-on: ubuntu-latest
    if: inputs.cli-run-id == ''
    needs: [build-cli]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: download_cli.sh
          path: download_cli.sh

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: [prepare-version, build-cli, install-script, bundle-goose2]
    if: ${{ !cancelled() && needs.bundle-goose2.result == 'success' }}
    permissions:
      contents: write
      id-token: write
      actions: read
      attestations: write
    steps:
      - name: Download CLI artifacts
        if: needs.build-cli.result == 'success'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: goose-*
          merge-multiple: true
          path: release

      - name: Download install script
        if: needs.install-script.result == 'success'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: download_cli.sh
          path: release

      - name: Download macOS ARM64
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-darwin-arm64
          path: release

      - name: Download macOS Intel
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-darwin-x64
          path: release

      - name: Download Linux .deb
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-linux-x64-deb
          path: release
        continue-on-error: true

      - name: Download Linux AppImage
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-linux-x64-appimage
          path: release
        continue-on-error: true

      - name: Download Linux RPM
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-linux-x64-rpm
          path: release
        continue-on-error: true

      - name: Download signed Windows NSIS installer
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-windows-x64-nsis-signed
          path: release

      - name: Download signed Windows MSI installer
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Goose2-windows-x64-msi-signed
          path: release

      - name: List downloaded artifacts
        run: |
          echo "=== All release artifacts ==="
          find release -type f | sort

      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            release/goose-*.tar.bz2
            release/goose-*.tar.gz
            release/goose-*.zip
            release/**/*.dmg
            release/*.exe
            release/*.msi
            release/*.deb
            release/*.rpm
            release/*.AppImage
            release/download_cli.sh

      # Create/update the versioned pre-release (e.g. v2.0.0)
      - name: Release versioned
        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          prerelease: true
          artifacts: |
            release/goose-*.tar.bz2
            release/goose-*.tar.gz
            release/goose-*.zip
            release/**/*.dmg
            release/*.exe
            release/*.msi
            release/*.deb
            release/*.rpm
            release/*.AppImage
            release/download_cli.sh
          allowUpdates: true
          omitBody: true