name: Release

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: write

jobs:
  goreleaser:
    # Guard: only run goreleaser in the canonical repository (not in forks)
    if: ${{ github.repository == 'steveyegge/beads' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.24'

      - name: Install cross-compilation toolchains and signing tools
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu osslsigncode

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: '~> v2'
          args: >
            release --clean
            ${{ github.repository != 'steveyegge/beads' && '--skip=publish --skip=announce' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Windows code signing (optional - signing is skipped if not set)
          WINDOWS_SIGNING_CERT_PFX_BASE64: ${{ secrets.WINDOWS_SIGNING_CERT_PFX_BASE64 }}
          WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}

  publish-pypi:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: ${{ always() && github.repository == 'steveyegge/beads' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Install uv
        run: pip install uv

      - name: Build package
        run: |
          cd integrations/beads-mcp
          uv build

      - name: Publish to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: |
          cd integrations/beads-mcp
          uv tool run twine upload dist/*

  publish-npm:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: ${{ github.repository == 'steveyegge/beads' }}
    permissions:
      contents: read
      id-token: write  # Required for npm provenance/trusted publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      - name: Update npm for OIDC trusted publishing
        run: npm install -g npm@latest  # Requires npm >= 11.5.1 for trusted publishing

      - name: Publish to npm
        run: |
          cd npm-package
          npm publish --access public
          # Uses OIDC trusted publishing - no token needed
          # Provenance attestations are automatic with trusted publishing

  update-homebrew:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: ${{ github.repository == 'steveyegge/beads' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Get release info
        id: release
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          echo "tag=${TAG}" >> $GITHUB_OUTPUT
          echo "version=${TAG#v}" >> $GITHUB_OUTPUT

      - name: Download checksums
        run: |
          curl -sL "https://github.com/steveyegge/beads/releases/download/${{ steps.release.outputs.tag }}/checksums.txt" -o checksums.txt

      - name: Extract checksums
        id: checksums
        run: |
          echo "darwin_amd64=$(grep 'darwin_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
          echo "darwin_arm64=$(grep 'darwin_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
          echo "linux_amd64=$(grep 'linux_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
          echo "linux_arm64=$(grep 'linux_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT

      - name: Update Homebrew formula
        run: |
          mkdir -p Formula
          cat > Formula/bd.rb <<'EOF'
          class Bd < Formula
            desc "AI-supervised issue tracker for coding workflows"
            homepage "https://github.com/steveyegge/beads"
            version "${{ steps.release.outputs.version }}"
            license "MIT"

            on_macos do
              if Hardware::CPU.arm?
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_arm64.tar.gz"
                sha256 "${{ steps.checksums.outputs.darwin_arm64 }}"
              else
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_amd64.tar.gz"
                sha256 "${{ steps.checksums.outputs.darwin_amd64 }}"
              end
            end

            on_linux do
              if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_arm64.tar.gz"
                sha256 "${{ steps.checksums.outputs.linux_arm64 }}"
              else
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_amd64.tar.gz"
                sha256 "${{ steps.checksums.outputs.linux_amd64 }}"
              end
            end

            def install
              bin.install "bd"
            end

            test do
              system "#{bin}/bd", "version"
            end
          end
          EOF