name: Desktop macOS Branch Build

on:
  workflow_dispatch:
  push:
    branches:
      - electron-app

jobs:
  build-macos:
    name: Build macOS desktop artifact
    runs-on: macos-latest
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 22
          cache: npm

      - name: Install dependencies
        run: npm ci
        env:
          GITHUB_TOKEN: ${{ github.token }}

      - name: Typecheck
        run: npm run typecheck

      - name: Resolve artifact metadata
        id: artifact
        run: |
          SAFE_REF="$(printf '%s' "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9._-' '-')"
          echo "name=CloudCLI-macOS-${SAFE_REF}-${GITHUB_RUN_NUMBER}" >> "$GITHUB_OUTPUT"
          echo "server_bundle_tag=desktop-server-${SAFE_REF}" >> "$GITHUB_OUTPUT"

      - name: Configure branch server bundle source
        run: printf '{"releaseTag":"%s"}\n' "${{ steps.artifact.outputs.server_bundle_tag }}" > electron/server-bundle-config.json

      - name: Verify signing secrets are configured
        run: |
          test -n "$CSC_LINK"
          test -n "$CSC_KEY_PASSWORD"
          test -n "$APPLE_ID"
          test -n "$APPLE_APP_SPECIFIC_PASSWORD"
          test -n "$APPLE_TEAM_ID"
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build signed and notarized macOS artifacts
        run: npm run desktop:dist:mac -- --publish never
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build branch server bundle
        run: node scripts/release/build-server-bundle.js

      - name: Publish branch server bundle
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
        with:
          tag_name: ${{ steps.artifact.outputs.server_bundle_tag }}
          name: CloudCLI Desktop Server Bundle (${{ github.ref_name }})
          prerelease: true
          fail_on_unmatched_files: false
          overwrite_files: true
          files: |
            release/server-bundles/*

      - name: Verify macOS artifacts
        run: |
          test -n "$(find release -maxdepth 1 -name '*.dmg' -print -quit)"
          test -n "$(find release -maxdepth 1 -name '*.zip' -print -quit)"
          shasum -a 256 release/*.{dmg,zip} > release/SHASUMS256.txt
          cat release/SHASUMS256.txt

      - name: Upload branch build artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: |
            release/*.dmg
            release/*.zip
            release/*.yml
            release/*.blockmap
            release/SHASUMS256.txt
          if-no-files-found: error
          retention-days: 14