name: Release

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    tags:
      - 'v*'

jobs:
  app-token:
    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
    secrets: inherit
  publish-npm:
    runs-on: ubuntu-latest
    container: node:18
    needs: app-token
    steps:
      - name: Decrypt app token
        id: app-token
        shell: bash
        run: |
          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@v3
      - name: Send curl request and parse response
        env:
          PKG_USERNAME: ${{ secrets.PKG_USERNAME }}
          PKG_PASSWORD: ${{ secrets.PKG_PASSWORD }}
        run: |
          mkdir git-ci-cache
          apt-get update && apt-get install -y jq
          response1=$(curl -s 'https://pkg.nocobase.com/-/verdaccio/sec/login' \
            -H 'content-type: application/json' \
            --data-raw '{"username":"'$PKG_USERNAME'","password":"'$PKG_PASSWORD'"}')
          token1=$(echo $response1 | jq -r '.token')
          response2=$(curl -s 'https://pkg-src.nocobase.com/-/verdaccio/sec/login' \
            -H 'content-type: application/json' \
            --data-raw '{"username":"'$PKG_USERNAME'","password":"'$PKG_PASSWORD'"}')
          token2=$(echo $response2 | jq -r '.token')
          echo "PKG_NOCOBASE_TOKEN=$token1" >> $GITHUB_ENV
          echo "PKG_SRC_NOCOBASE_TOKEN=$token2" >> $GITHUB_ENV
      - name: yarn install and build
        run: |
          yarn config set registry https://registry.npmjs.org/
          yarn install
          yarn build
      - name: publish npmjs.org
        continue-on-error: true
        run: |
          git config --global user.email "test@mail.com"
          git config --global user.name "test"
          git config --global --add safe.directory /__w/nocobase/nocobase
          echo "# test" >> Release.md
          git add .
          git commit -m "chore(versions): test publish packages xxx"
          npm config set access public
          npm config set registry https://registry.npmjs.org/
          npm config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
          yarn config set access public
          yarn config set registry https://registry.npmjs.org/
          yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
          npm whoami
          yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/
      - name: Checkout pro-plugins
        uses: actions/checkout@v3
        with:
          repository: nocobase/pro-plugins
          path: packages/pro-plugins
          token: ${{ steps.app-token.outputs.token }}
      - name: Clone pro repos
        shell: bash
        run: |
          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
          do
          git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
          done
      - name: Build Pro plugins
        continue-on-error: true
        run: |
          yarn config set registry https://registry.npmjs.org/
          yarn install
          yarn build packages/pro-plugins
      - name: publish pkg.nocobase.com
        run: |
          git reset --hard
          npm config set //pkg.nocobase.com/:_authToken=${{ env.PKG_NOCOBASE_TOKEN }}
          yarn release:force --no-verify-access --no-git-reset --registry https://pkg.nocobase.com
      - name: publish pkg-src.nocobase.com
        run: |
          git reset --hard
          bash generate-npmignore.sh ignore-src
          npm config set //pkg-src.nocobase.com/:_authToken=${{ env.PKG_SRC_NOCOBASE_TOKEN }}
          yarn release:force --no-verify-access --no-git-reset --registry https://pkg-src.nocobase.com
  push-docker:
    runs-on: ubuntu-latest
    needs: publish-npm
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: |
            nocobase/nocobase
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to Aliyun Container Registry (Public)
        uses: docker/login-action@v2
        with:
          registry: ${{ secrets.ALI_DOCKER_PUBLIC_REGISTRY }}
          username: ${{ secrets.ALI_DOCKER_USERNAME }}
          password: ${{ secrets.ALI_DOCKER_PASSWORD }}
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: ./docker/nocobase
          platforms: linux/amd64,linux/arm64
          push: true
          tags: nocobase/nocobase:latest,${{ steps.meta.outputs.tags }},${{ secrets.ALI_DOCKER_PUBLIC_REGISTRY }}/nocobase/nocobase:latest,${{ secrets.ALI_DOCKER_PUBLIC_REGISTRY }}/${{ steps.meta.outputs.tags }}