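# Reusable workflow: publish a pezkuwi .deb or .rpm package into an S3-backed
# apt/yum repository, sign it with pgpkms (AWS KMS), and invalidate CloudFront.
#
# Jobs:
#   validate-inputs        - checks package_type / aws_repo_base_path, derives
#                            the release tag via lib.sh
#   fetch-artifacts-from-s3 - pulls the built package from S3 and hands it on
#                            as a workflow artifact
#   publish-package        - syncs the existing repo locally, adds + signs the
#                            package, pushes the repo back and invalidates CDN
#
# Caller-provided inputs are always passed to shell steps through `env:` and
# referenced as "$VAR"; they are never interpolated into `run:` text with
# `${{ }}`, so a crafted input cannot alter the shell command.
name: Reusable - Publish Package

on:
  workflow_call:
    inputs:
      tag:
        description: Current final release tag (e.g., pezkuwi-stableYYMM)
        required: true
        type: string
      distribution:
        description: Distribution where to publish package (e.g., release, staging)
        required: true
        type: string
      package_type:
        description: Type of package to publish (deb or rpm)
        required: true
        type: string
      aws_repo_base_path:
        # Optional at the schema level for caller compatibility; an empty value
        # is rejected at runtime by validate-inputs (see below).
        description: Base S3 path for package repositories
        type: string
      cloudfront_distribution_id:
        description: CloudFront Distribution ID for cache invalidation
        required: true
        type: string

jobs:
  # DISABLED: Workflow synchronization check
  # check-synchronization:
  #   uses: pezkuwichain-release/sync-workflows/.github/workflows/check-synchronization.yml@main
  #   secrets:
  #     fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }}

  validate-inputs:
    runs-on: ubuntu-latest
    outputs:
      release_tag: ${{ steps.validate_inputs.outputs.release_tag }}
    steps:
      - name: Checkout sources
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      - name: Validate package type
        if: ${{ inputs.package_type != 'deb' && inputs.package_type != 'rpm' }}
        run: |
          echo "Error: package_type must be either 'deb' or 'rpm'"
          exit 1

      - name: Validate inputs
        id: validate_inputs
        env:
          TAG: ${{ inputs.tag }}
          AWS_REPO_BASE_PATH: ${{ inputs.aws_repo_base_path }}
        run: |
          # Source common library for helper functions
          . ./.github/scripts/common/lib.sh

          # Fail fast: an empty base path would turn AWS_REPO_PATH into
          # "/<package_type>" and only surface as an error after signing.
          if [[ -z "$AWS_REPO_BASE_PATH" ]]; then
            echo "Error: aws_repo_base_path must not be empty"
            exit 1
          fi

          RELEASE_TAG=$(validate_stable_tag "$TAG")
          echo "release_tag=${RELEASE_TAG}" >> "$GITHUB_OUTPUT"

  fetch-artifacts-from-s3:
    runs-on: ubuntu-latest
    needs: [validate-inputs]
    environment: release
    env:
      REPO: ${{ github.repository }}
      VERSION: ${{ needs.validate-inputs.outputs.release_tag }}
      PACKAGE_TYPE: ${{ inputs.package_type }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    outputs:
      NODE_VERSION: ${{ steps.fetch_artifacts_from_s3.outputs.NODE_VERSION }}
    steps:
      - name: Checkout sources
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      - name: Fetch rc artifacts or release artifacts from s3 based on version
        id: fetch_artifacts_from_s3
        run: |
          . ./.github/scripts/common/lib.sh
          NODE_VERSION="$(get_pezkuwi_node_version_from_code)"
          echo "NODE_VERSION=${NODE_VERSION}" >> "$GITHUB_OUTPUT"

          # Fetch specific package type artifact (deb or rpm)
          if [[ "$PACKAGE_TYPE" == "deb" ]]; then
            fetch_debian_package_from_s3 pezkuwi
          elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
            fetch_rpm_package_from_s3 pezkuwi
          fi

      - name: Upload artifacts for later jobs
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: release-artifacts-${{ inputs.package_type }}
          path: release-artifacts/pezkuwi/*.${{ inputs.package_type }}
          # Stop here if the fetch produced nothing instead of letting
          # publish-package discover an empty artifact later.
          if-no-files-found: error

  publish-package:
    runs-on: ubuntu-latest
    needs: [fetch-artifacts-from-s3]
    environment: release
    env:
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
      AWS_REPO_PATH: "${{ inputs.aws_repo_base_path }}/${{ inputs.package_type }}"
      LOCAL_REPO_PATH: ${{ github.workspace }}/${{ inputs.package_type }}
      NODE_VERSION: ${{ needs.fetch-artifacts-from-s3.outputs.NODE_VERSION }}
      PACKAGE_TYPE: ${{ inputs.package_type }}
      DISTRIBUTION: ${{ inputs.distribution }}
      CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }}
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y python3-pip reprepro rpm createrepo-c
          # pgpkms is pinned to a commit so the signing tool cannot change under us.
          python3 -m pip install --user awscli "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151"

          # Ensure ~/.local/bin is in PATH right now and for later steps
          export PATH=$HOME/.local/bin:$PATH
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

          # Resolve the pgpkms helpers explicitly and fail if either is missing;
          # a silently empty path would otherwise end up in the reprepro
          # SignWith line and break signing in a later step.
          PGPKMS_REPREPRO_PATH="$(command -v pgpkms-reprepro || true)"
          PGPKMS_RPMSIGN_PATH="$(command -v pgpkms-rpmsign || true)"
          if [[ -z "$PGPKMS_REPREPRO_PATH" || -z "$PGPKMS_RPMSIGN_PATH" ]]; then
            echo "Error: pgpkms-reprepro / pgpkms-rpmsign not found on PATH after install"
            exit 1
          fi
          echo "PGPKMS_REPREPRO_PATH=${PGPKMS_REPREPRO_PATH}" >> "$GITHUB_ENV"
          echo "PGPKMS_RPMSIGN_PATH=${PGPKMS_RPMSIGN_PATH}" >> "$GITHUB_ENV"

      - name: Checkout sources
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      - name: Download artifacts from previous job
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: release-artifacts-${{ inputs.package_type }}
          path: release-artifacts

      - name: Setup local deb repo config
        if: ${{ inputs.package_type == 'deb' }}
        run: |
          # Point reprepro's SignWith at the pgpkms helper resolved above.
          sed -i "s|^SignWith:.*|SignWith: ! ${PGPKMS_REPREPRO_PATH}|" "$GITHUB_WORKSPACE/.github/scripts/release/distributions"
          mkdir -p "$LOCAL_REPO_PATH/conf"
          cp "$GITHUB_WORKSPACE/.github/scripts/release/distributions" "$LOCAL_REPO_PATH/conf/distributions"

      - name: Sync local repo
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
        run: |
          # --- Sync Local Repo from S3 ---
          # The `|| true` keeps a first-time publish (no existing repo) working.
          # NOTE(review): it also hides credential/permission failures, after
          # which the upload step would push a repo index containing only the
          # new package — confirm this trade-off is acceptable for this repo.
          mkdir -p "$LOCAL_REPO_PATH"
          if [[ "$PACKAGE_TYPE" == "deb" ]]; then
            aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true
            aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true
            aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true
          elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
            aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true
          fi

      - name: Add packages to local repo, sign, and update metadata
        env:
          # NOTE(review): this step uses AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY,
          # while the sync and upload steps use the AWS_RELEASE_* pair — confirm
          # the difference is intentional (e.g. the KMS signing key lives in a
          # separate account) rather than a copy/paste slip.
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
          PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
        run: |
          . ./.github/scripts/common/lib.sh
          import_gpg_keys

          # --- Add Package to Repo and Sign ---
          # Only the first matching file is published; fail loudly if there is none.
          if [[ "$PACKAGE_TYPE" == "deb" ]]; then
            debname=$(find release-artifacts/ -name 'pezkuwi_*.deb' | head -n 1)
            if [[ -z "$debname" ]]; then
              echo "Error: no pezkuwi_*.deb found under release-artifacts/"
              exit 1
            fi
            reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname"
          elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
            rpmname=$(find release-artifacts/ -name 'pezkuwi-*.rpm' | head -n 1)
            if [[ -z "$rpmname" ]]; then
              echo "Error: no pezkuwi-*.rpm found under release-artifacts/"
              exit 1
            fi
            echo "Signing package with pgpkms (via AWS KMS)..."
            chmod +x .github/scripts/release/pgpkms-gpg-wrapper.sh
            cp .github/scripts/release/rpmmacros "$HOME/.rpmmacros"
            echo "Dumping rpm gpg-related macros..."
            rpm --showrc | grep gpg || true
            echo "Contents of .rpmmacros:"
            cat "$HOME/.rpmmacros"
            rpm --addsign "$rpmname"
            echo "Copying signed package to local repo..."
            cp "$rpmname" "$LOCAL_REPO_PATH/"
            echo "Updating repository metadata..."
            createrepo_c --update "$LOCAL_REPO_PATH"
          fi

      - name: Upload updated repo to S3
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
        run: |
          # The repository is intentionally world-readable (public package repo).
          aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read
          # Double quotes keep the trailing "*" literal for the CloudFront API.
          aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*"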