name: Desktop macOS Branch Build

on:
  workflow_dispatch:
  push:
    branches:
      - electron-app

jobs:
  build-macos:
    name: Build macOS desktop artifact
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm

      - name: Install dependencies
        run: npm ci
        env:
          GITHUB_TOKEN: ${{ github.token }}

      - name: Typecheck
        run: npm run typecheck

      - name: Resolve artifact metadata
        id: artifact
        run: |
          SAFE_REF="$(printf '%s' "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9._-' '-')"
          echo "name=CloudCLI-macOS-${SAFE_REF}-${GITHUB_RUN_NUMBER}" >> "$GITHUB_OUTPUT"

      - name: Verify signing secrets are configured
        run: |
          test -n "$CSC_LINK"
          test -n "$CSC_KEY_PASSWORD"
          test -n "$APPLE_ID"
          test -n "$APPLE_APP_SPECIFIC_PASSWORD"
          test -n "$APPLE_TEAM_ID"
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build signed and notarized macOS artifacts
        run: npm run desktop:dist:mac -- --publish never
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build local server bundle
        run: node scripts/release/build-server-bundle.js

      - name: Verify macOS artifacts
        run: |
          test -n "$(find release -maxdepth 1 -name '*.dmg' -print -quit)"
          test -n "$(find release -maxdepth 1 -name '*.zip' -print -quit)"
          test -n "$(find release/server-bundles -maxdepth 1 -name 'cloudcli-server-*.tar.gz' -print -quit)"
          shasum -a 256 release/*.{dmg,zip} release/server-bundles/* > release/SHASUMS256.txt
          cat release/SHASUMS256.txt

      - name: Upload branch build artifacts
        uses: actions/upload-artifact@v6
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: |
            release/*.dmg
            release/*.zip
            release/*.yml
            release/*.blockmap
            release/server-bundles/*
            release/SHASUMS256.txt
          if-no-files-found: error
          retention-days: 14