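# Release workflow: builds and publishes release artifacts with GoReleaser.
# Triggered by pushing a tag matching "v*", or manually via workflow_dispatch
# with an optional commit to build.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      commit:
        type: string
        description: Checkout a specific commit

# Workflow-level token permissions; they apply to the single `release` job.
# NOTE(review): presumably packages:write is for the ghcr.io push and
# id-token:write for the OIDC exchange done by the "Read secrets" step.
# Confirm, and drop any scope that is not needed.
permissions:
  contents: write
  packages: write
  id-token: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Full history and tags are needed by `git describe` further down.
          fetch-depth: 0
          fetch-tags: true

      - name: Checkout code at the specific commit
        if: inputs.commit != ''
        env:
          # The dispatch input is free-form text. Passing it through the
          # environment keeps it out of the script body, so the shell never
          # parses it as code. It was previously expanded inline into `run:`.
          COMMIT: ${{ inputs.commit }}
        run: git checkout "${COMMIT}"

      - name: Set up Go
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version-file: go.mod

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
        with:
          image: tonistiigi/binfmt:qemu-v10.0.4-56

      # NOTE(review): this action is referenced by a mutable tag, while the
      # other docker/* actions in this file are pinned to a commit SHA.
      # Pin it to a full commit SHA with a trailing version comment.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: v0.30.1

      # NOTE(review): `@main` is a moving branch. This step fetches the
      # registry credentials and runs in a job holding id-token:write, so
      # whatever lands on that branch runs with those privileges.
      # Pin it to a full commit SHA.
      - name: "Read secrets"
        uses: rancher-eio/read-vault-secrets@main
        if: github.repository_owner == 'rancher'
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;

      # Manually dispatched workflows (or forks) will use ghcr.io
      - name: Setup ghcr.io
        if: github.event_name == 'workflow_dispatch' || github.repository_owner != 'rancher'
        env:
          # Pass the values through the environment so they are not
          # interpolated into the script text.
          GHCR_USERNAME: ${{ github.actor }}
          GHCR_PASSWORD: ${{ github.token }}
        run: |
          # Values written to GITHUB_ENV are visible to every later step in
          # this job. They override any DOCKER_* values set by "Read secrets".
          {
            echo "REGISTRY=ghcr.io"
            echo "DOCKER_USERNAME=${GHCR_USERNAME}"
            echo "DOCKER_PASSWORD=${GHCR_PASSWORD}"
          } >> "$GITHUB_ENV"

      - name: Login to container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
        with:
          # REGISTRY is only set by the "Setup ghcr.io" step; otherwise it
          # is empty and the action falls back to its default registry.
          registry: ${{ env.REGISTRY }}
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}

      # If the tag does not exist, the workflow was manually triggered.
      # That means we are creating temporary nightly builds, with a "fake" local tag
      - name: Check release tag
        id: release-tag
        run: |
          CURRENT_TAG=$(git describe --tag --always --match="v[0-9]*")
          if git show-ref --tags "${CURRENT_TAG}" --quiet; then
            echo "tag ${CURRENT_TAG} already exists";
          else
            echo "tag ${CURRENT_TAG} does not exist"
            # Local-only tag: nothing in this step pushes it to the remote.
            git tag "${CURRENT_TAG}"
          fi

          echo "CURRENT_TAG=${CURRENT_TAG}" >> "$GITHUB_OUTPUT"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
        with:
          distribution: goreleaser
          version: v2
          args: --clean
        env:
          GITHUB_TOKEN: ${{ github.token }}
          GORELEASER_CURRENT_TAG: ${{ steps.release-tag.outputs.CURRENT_TAG }}
          REGISTRY: ${{ env.REGISTRY }}
          REPO: ${{ github.repository }}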