.github/workflows/release.yaml

name: Release Version

on:
  push:
    branches: [main]
    # paths-ignore:
    #   - ".github/**"

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: main
      - name: Set up Python 3
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: |
            3.12
          check-latest: true
          cache: "pip" # caching pip dependencies

      - name: Install dependencies
        env:
          PHONENUMBER: ${{ secrets.PHONENUMBER }}
          PASSWORD: ${{ secrets.PASSWORD }}
        run: |
          pip install --require-hashes -r ./.github/workflows/config/requirements.txt
          python ./.github/actions/update_readme.py

      - name: Get Version
        id: version
        shell: bash
        run: |
          version="$(python3 ./.github/actions/get_version.py)"
          echo "version=$version" >> $GITHUB_OUTPUT

      - name: Is Tag exists
        uses: mukunku/tag-exists-action@bdad1eaa119ce71b150b952c97351c75025c06a9
        id: checkTag
        with:
          tag: ${{ steps.version.outputs.version }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - if: steps.checkTag.outputs.exists == 'false'
        name: Check Tag
        id: check-tag
        run: |
          if [[ "${{ steps.version.outputs.version }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "match=true" >> $GITHUB_OUTPUT
          fi

      - name: ZIP Component Dir
        if: steps.checkTag.outputs.exists == 'false'
        run: |
          mkdir -p ${{ github.workspace }}/binaries
          cd ${{ github.workspace }}/custom_components/xplora_watch
          zip -r xplora_watch.zip ./
          mv xplora_watch.zip ${{ github.workspace }}/binaries/xplora_watch.zip

      - name: Upload build artifacts
        if: steps.checkTag.outputs.exists == 'false'
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: xplora_watch-binaries
          path: |
            ./binaries/*

      - name: Download build artifacts
        if: steps.checkTag.outputs.exists == 'false'
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: xplora_watch-binaries

      - name: Display structure of downloaded files
        if: steps.checkTag.outputs.exists == 'false'
        run: ls -R

      - name: Install Cosign
        if: steps.checkTag.outputs.exists == 'false'
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Generate key pair
        if: steps.checkTag.outputs.exists == 'false'
        run: cosign generate-key-pair

      - name: Sign and generate attestations
        if: steps.checkTag.outputs.exists == 'false'
        run: |
          cosign sign-blob \
            --key ./cosign.key \
            --yes \
            --output-signature ./xplora_watch.zip.sig \
            ./xplora_watch.zip

          cosign attest-blob \
            --predicate - \
            --key ./cosign.key \
            --yes \
            --output-attestation ./xplora_watch.zip.intoto.jsonl \
            ./xplora_watch.zip

          cosign verify-blob \
            --key ./cosign.pub \
            --signature ./xplora_watch.zip.sig \
            ./xplora_watch.zip

      - name: Display structure of downloaded files
        if: steps.checkTag.outputs.exists == 'false'
        run: ls -R

      - name: Upload signed artifacts
        if: steps.checkTag.outputs.exists == 'false'
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: xplora_watch-signed
          path: |
            xplora_watch.zip
            xplora_watch.zip.intoto.jsonl
            xplora_watch.zip.sig
            !cosign.*

      - name: Download signed artifacts
        if: steps.checkTag.outputs.exists == 'false'
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: xplora_watch-signed

      - name: Display structure of downloaded files
        if: steps.checkTag.outputs.exists == 'false'
        run: ls -R

      - name: Upload binaries, attestations and signatures to Release and create GitHub Release
        if: steps.checkTag.outputs.exists == 'false'
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          tag_name: ${{ steps.version.outputs.version }}
          name: ${{ steps.version.outputs.version }}
          draft: false
          prerelease: false
          token: ${{ secrets.GITHUB_TOKEN }}
          generate_release_notes: true
          files: |
            xplora_watch.zip
            xplora_watch.zip.intoto.jsonl
            xplora_watch.zip.sig