.github/workflows/flow-deploy-release-artifact.yaml

name: "Deploy Release Artifact"
on:
  workflow_dispatch:
    inputs:
      java-version:
        description: "Java JDK Version:"
        type: string
        required: false
        default: "21.0.3"
      java-distribution:
        description: "Java JDK Distribution:"
        type: string
        required: false
        default: "temurin"
  push:
    branches:
      - main
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+-?*"

defaults:
  run:
    shell: bash

permissions:
  contents: read

env:
  LC_ALL: C.UTF-8
  PBJ_CORE: pbj-core
  GRADLE_CACHE_USERNAME: ${{ secrets.GRADLE_CACHE_USERNAME }}
  GRADLE_CACHE_PASSWORD: ${{ secrets.GRADLE_CACHE_PASSWORD }}

jobs:
  prepare-release:
    name: Release / Prepare
    runs-on: network-node-linux-medium
    outputs:
      mode: ${{ steps.info.outputs.mode }}
      version: ${{ steps.info.outputs.version }}
      prerelease: ${{ steps.info.outputs.prerelease }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Install Semantic Version Tools
        run: |
          echo "::group::Download SemVer Binary"
          sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
          echo "::endgroup::"
          echo "::group::Change SemVer Binary Permissions"
          sudo chmod -v +x /usr/local/bin/semver
          echo "::endgroup::"
          echo "::group::Show SemVer Binary Version Info"
          semver --version
          echo "::endgroup::"

      - name: Extract Version Info
        id: info
        env:
          IS_TAGGED_RELEASE: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
        run: |
          if [[ "${IS_TAGGED_RELEASE}" == true ]]; then
            RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")"
            PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")"
  
            RELEASE_MODE="specified"
            FINAL_VERSION="${RELEASE_VERSION}"
            PRERELEASE_FLAG="false"
            [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}"
            [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true"
          else
            RELEASE_MODE="snapshot"
            PRERELEASE_FLAG="true"
            FINAL_VERSION=""
          fi

          echo "mode=${RELEASE_MODE}" >>"${GITHUB_OUTPUT}"
          echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}"
          echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}"

  maven-central-release:
    name: Release / Maven Central
    runs-on: network-node-linux-medium
    needs:
      - prepare-release
    if: |
        (needs.prepare-release.outputs.mode == 'specified' && needs.prepare-release.outputs.prerelease != 'true') || needs.prepare-release.outputs.mode == 'snapshot'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Checkout Code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Setup Java
        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
        with:
          distribution: ${{ github.event.inputs.java-distribution || 'temurin' }}
          java-version: ${{ github.event.inputs.java-version || '21.0.3' }}

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2
        with:
          gradle-home-cache-strict-match: false

      - name: Install GnuPG Tools
        run: |
          if ! command -v gpg2 >/dev/null 2>&1; then
            echo "::group::Updating APT Repository Indices"
              sudo apt update
            echo "::endgroup::"
            echo "::group::Installing GnuPG Tools"
              sudo apt install -y gnupg2
            echo "::endgroup::"
          fi

      - name: Import GPG key
        id: gpg_key
        uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0
        with:
          gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
          passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
          git_config_global: true
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_tag_gpgsign: true

      - name: Gradle Update Version (As Specified)
        if: ${{ needs.prepare-release.outputs.mode == 'specified' && !cancelled() && !failure() }}
        working-directory: ${{ env.PBJ_CORE }}
        run: ./gradlew versionAsSpecified -PnewVersion=${{ needs.prepare-release.outputs.version }} --scan

      - name: Gradle Update Version (Snapshot)
        if: ${{ needs.prepare-release.outputs.mode == 'snapshot' && !cancelled() && !failure() }}
        working-directory: ${{ env.PBJ_CORE }}
        run: ./gradlew versionAsSnapshot --scan

      - name: Gradle Version Summary
        working-directory: ${{ env.PBJ_CORE }}
        run: ./gradlew githubVersionSummary --scan

      - name: Gradle Assemble
        working-directory: ${{ env.PBJ_CORE }}
        run: ./gradlew assemble --scan

      - name: Gradle Maven Central Release
        if: ${{ needs.prepare-release.outputs.mode == 'specified' && !cancelled() && !failure() }}
        working-directory: ${{ env.PBJ_CORE }}
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
          GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }}
          GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }}
        run: |
          ./gradlew release --no-parallel --scan -PpublishSigningEnabled=true \
              -Pgradle.publish.key=${GRADLE_PUBLISH_KEY} -Pgradle.publish.secret=${GRADLE_PUBLISH_SECRET}

      - name: Gradle Maven Central Snapshot
        if: ${{ needs.prepare-release.outputs.mode == 'snapshot' && !cancelled() && !failure() }}
        working-directory: ${{ env.PBJ_CORE }}
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
        run: ./gradlew releaseSnapshot --no-parallel --scan -PpublishSigningEnabled=true