name: Sign and Upload Mac Installer [DEPRECATED]

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version to build and upload (e.g. "v9.8.7")'
        required: true
      dryrun:
        description: 'Perform all the steps except uploading to the release page'
        required: true
        default: "true"  # 'choice' type requires string value
        type: choice
        options:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

permissions: {}

jobs:
  build:
    runs-on: macos-latest
    permissions:
      contents: write
    env:
      APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
      CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
      INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
      PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
      CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

      NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
      NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
      NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}

      KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
    steps:
    - name: Consolidate dryrun setting to always be true or false
      id: actual_dryrun
      env:
        INPUT_DRYRUN: ${{ inputs.dryrun }}
      run: |
        # The 'release' trigger will not have a 'dryrun' input set. Handle
        # this case in a readable/maintainable way.
        if [[ -z "${INPUT_DRYRUN}" ]]
        then
          echo "dryrun=false" >> $GITHUB_OUTPUT
        else
          echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
        fi
    - name: Dry Run Status
      env:
        DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
      run: |
        echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
    - name: Determine Version
      id: getversion
      env:
        INPUT_VERSION: ${{ inputs.version }}
        TAG_NAME: ${{ github.event.release.tag_name }}
      run: |
        if [[ -z "${INPUT_VERSION}" ]]
        then
              VERSION=${TAG_NAME}
        else
              VERSION=${INPUT_VERSION}
        fi
        echo
        echo "version=$VERSION" >> $GITHUB_OUTPUT
    - name: Check uploads
      id: check
      env:
        VERSION: ${{ steps.getversion.outputs.version }}
      run: |
        URI="https://github.com/containers/podman/releases/download/${VERSION}"
        ARM_FILE="podman-installer-macos-arm64.pkg"

        status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
        if [[ "$status" == "404" ]] ; then
          echo "buildarm=true" >> $GITHUB_OUTPUT
        else
          echo "::warning::ARM installer already exists, skipping"
          echo "buildarm=false" >> $GITHUB_OUTPUT
        fi
    - name: Checkout Version
      if: >-
        steps.check.outputs.buildarm == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/checkout@v6
      with:
        ref: ${{steps.getversion.outputs.version}}
        persist-credentials: false
    - name: Set up Go
      # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
      if: >-
        steps.check.outputs.buildarm == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/setup-go@v6
      with:
        go-version: stable
        cache: false
    - name: Create Keychain
      if: >-
        steps.check.outputs.buildarm == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      run: |
        echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
        echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12

        security create-keychain -p "$KEYCHAIN_PWD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
        security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
        security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null

        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
    - name: Build and Sign ARM
      if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
      working-directory: contrib/pkginstaller
      run: |
        make ARCH=aarch64 notarize &> /dev/null
        cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
    - name: Artifact
      if: >-
        steps.check.outputs.buildarm == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/upload-artifact@v6
      with:
        name: installers
        path: |
          contrib/pkginstaller/out/podman-installer-macos-*.pkg
          contrib/pkginstaller/out/shasums
    - name: Upload to Release
      if: >-
        steps.actual_dryrun.outputs.dryrun == 'false' &&
        steps.check.outputs.buildarm == 'true'
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        VERSION: ${{ steps.getversion.outputs.version }}
      run: |
        (gh release download "${VERSION}" -p "shasums" || exit 0)
        cat contrib/pkginstaller/out/shasums >> shasums
        gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
        gh release upload "${VERSION}" --clobber shasums