web/.github/workflows/release.yml

name: Release

on:
  release:
    types: [released, prereleased]

permissions:
  id-token: write # This is required for requesting the JWT
  contents: write
  packages: write

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      # --- Checkout code ---
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # --- Setup Bun ---
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      # --- Setup Deno (for NPM package building) ---
      - name: Setup Deno
        uses: denoland/setup-deno@v2
        with:
          deno-version: v2.x

      - name: Cache Bun Dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.bun/install/cache
            packages/web/node_modules
          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      # --- Determine Changed Packages ---
      - name: Get Changed Package Directories
        id: changed_packages
        uses: tj-actions/changed-files@v46
        with:
          dir_names: true
          files: packages/**
          files_ignore: "packages/web/**,packages/transport-deno/npm/**"

      # --- Setup Node for NPM Publishing ---
      - name: Setup Node.js
        if: steps.changed_packages.outputs.all_changed_and_modified_files != ''
        uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: "https://registry.npmjs.org"

      - name: Verify NPM Authentication
        if: steps.changed_packages.outputs.all_changed_and_modified_files != ''
        run: npm whoami
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      # --- Build and Publish Packages to NPM & JSR ---
      - name: Build and Publish Changed Packages
        if: steps.changed_packages.outputs.all_changed_and_modified_files != ''
        run: |
          set -euo pipefail

          excluded=("packages/web packages/transport-deno")

          for pkg_dir in ${{ steps.changed_packages.outputs.all_changed_and_modified_files }}; do

            echo "Building for NPM..."
            deno task build:npm "$pkg_dir"

            echo "Publishing to NPM..."
            npm publish "$pkg_dir/npm" --access public

            echo "Publishing to JSR..."
            # We run this in a subshell to change directory just for this command.
            # --allow-dirty is necessary because the 'npm' build directory is untracked.
            (cd "$pkg_dir" && deno publish --allow-dirty)
          done
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: No Packages Changed
        if: steps.changed_packages.outputs.all_changed_and_modified_files == ''
        run: echo "No changed packages detected. Skipping publish."

      # --- Web Package Specific Tasks ---
      - name: Check for Web Package Changes
        id: web_changes

        run: |
          if [[ "${{ steps.changed_packages.outputs.all_changed_and_modified_files }}" == *"packages/web"* ]]; then
            echo "web_changed=true" >> $GITHUB_OUTPUT
          else
            echo "web_changed=false" >> $GITHUB_OUTPUT
          fi

      - name: Run Web App Tests
        if: steps.web_changes.outputs.web_changed == 'true'
        working-directory: packages/web
        run: bun run test

      - name: Create Web App Release Archive
        if: steps.web_changes.outputs.web_changed == 'true'
        working-directory: packages/web
        run: bun run package # Generates dist/build.tar

      - name: Upload Web App Archive
        if: steps.web_changes.outputs.web_changed == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: web-build
          if-no-files-found: error
          path: packages/web/dist/build.tar

      - name: Attach Web Archive to GitHub Release
        if: steps.web_changes.outputs.web_changed == 'true'
        run: gh release upload ${{ github.event.release.tag_name }} packages/web/dist/build.tar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # --- Build & Push Container Image ---
      - name: Set up QEMU
        if: steps.web_changes.outputs.web_changed == 'true'
        uses: docker/setup-qemu-action@v3

      - name: Build Container Image
        if: steps.web_changes.outputs.web_changed == 'true'
        id: build-container
        uses: redhat-actions/buildah-build@v2
        with:
          containerfiles: |
            ./infra/Containerfile
          image: ghcr.io/${{ github.repository }}
          tags: latest, ${{ github.event.release.tag_name }}
          oci: true
          platforms: linux/amd64, linux/arm64

      - name: Push Container to GHCR
        id: push-to-registry
        if: steps.web_changes.outputs.web_changed == 'true'
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-container.outputs.image }}
          tags: ${{ steps.build-container.outputs.tags }}
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Output Image URL
        if: steps.web_changes.outputs.web_changed == 'true'
        run: echo "Image pushed to ${{ steps.push-to-registry.outputs.registry-paths }}"