packages/.github/workflows/json-build.yml

name: JSON Build
permissions:
  contents: read
  attestations: write
  artifact-metadata: write
  id-token: write
on:
  workflow_call:
    inputs:
      packages:
        description: "Packages to Build"
        required: true
        type: string
      publish:
        description: "Whether the package should be published"
        required: false
        type: boolean
        default: true
      custom_builder:
        description: "Custom Builder"
        required: false
        type: string
        default: ""
      bust_cache:
        description: "Whether to bust the cache"
        required: false
        type: boolean
        default: false
  workflow_dispatch:
    inputs:
      packages:
        description: "Packages to Build"
        required: true
        type: string
      publish:
        description: "Whether the package should be published"
        required: false
        type: boolean
        default: true

jobs:
  build:
    strategy:
      matrix:
        pkg: ${{ fromJson(inputs.packages) }}
        version: ["rawhide"]
      fail-fast: false
    runs-on: ${{ inputs.custom_builder && inputs.custom_builder || (matrix.pkg.arch == 'aarch64' && matrix.pkg.labels['large']) && format('cirun-arm64-lg--{0}', github.run_id) || matrix.pkg.arch == 'aarch64' && 'ubuntu-22.04-arm' || matrix.pkg.labels['large'] && format('cirun-x86-64-lg--{0}', github.run_id) || 'ubuntu-22.04' }}
    container:
      image: ghcr.io/terrapkg/builder:f${{ matrix.version }}
      options: --cap-add=SYS_ADMIN --privileged
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Set up git repository
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Configure sccache
        id: sccache
        if: ${{ !contains(matrix.pkg.labels.sccache, '0') }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          SCCACHE_GHA_VERSION: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }}
          SCCACHE_GHA_CACHE_FROM: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }}
        with:
          script: |
            const script = require('./.github/scripts/configure-sccache.js')
            await script({github, context, core, exec})

      - name: CI Setup Script
        if: ${{ !contains(matrix.pkg.labels, 'mock') }}
        run: |
          dir=$(dirname ${{ matrix.pkg.pkg }})
          if [ -f $dir/ci_setup.rhai ]; then
            anda run $dir/ci_setup.rhai --labels script_path=$dir/ci_setup.rhai
          fi

      - name: Install Build Dependencies
        if: ${{ matrix.pkg.labels.mock != '1' }}
        run: |
          dir=$(dirname ${{ matrix.pkg.pkg }})
          dnf5 builddep -y ${dir}/*.spec

      - name: Build with Andaman
        run: anda build -D "vendor Terra" -D "__python %{__python3}" ${{ matrix.pkg.pkg }} -c terra-${{ matrix.version }}-${{ matrix.pkg.arch }} ${{ !matrix.pkg.labels.mock == '1' && '-rrpmbuild' || '' }}

      - name: Report Cache Summary
        if: steps.sccache.outcome == 'success'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const script = require('./.github/scripts/sccache-stats.js')
            await script({github, context, core, exec})

      - name: Generating artifact name
        id: art
        run: |
          NAME=${{ matrix.pkg.pkg }}-${{ matrix.pkg.arch }}-${{ matrix.version }}
          x=${NAME//\//@}
          echo "name=$x" >> $GITHUB_OUTPUT

      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ steps.art.outputs.name }}
          compression-level: 0 # The RPMs are already compressed :p
          path: |
            anda-build/rpm/rpms/*
            anda-build/rpm/srpm/*

      - name: Upload packages to subatomic
        if: inputs.publish
        run: |
          subrepo="${{ matrix.pkg.labels.subrepo }}"
          subatomic-cli upload --prune \
            --server https://subatomic.fyralabs.com \
            --token ${{ secrets.SUBATOMIC_TOKEN }} \
            terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }} anda-build/rpm/rpms/*

      - name: Upload source packages to subatomic
        if: inputs.publish && matrix.pkg.labels['no_upload_srpms'] != '1'
        run: |
          subrepo="${{ matrix.pkg.labels.subrepo }}"
          subatomic-cli upload --prune \
            --server https://subatomic.fyralabs.com \
            --token ${{ secrets.SUBATOMIC_TOKEN }} \
            terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }}-source anda-build/rpm/srpm/*

      - name: Attest build provenance
        if: inputs.publish
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            anda-build/rpm/rpms/*
            anda-build/rpm/srpm/*

      - name: Notify Madoguchi (Success)
        if: inputs.publish && success()
        run: ./.github/workflows/mg.sh true "${{matrix.pkg.pkg}}" "${{matrix.version}}" "${{matrix.pkg.arch}}" "${{github.run_id}}" "${{secrets.MADOGUCHI_JWT}}" "$GITHUB_SHA"
      - name: Notify Madoguchi (Failure)
        if: inputs.publish && (cancelled() || failure())
        run: ./.github/workflows/mg.sh false "${{matrix.pkg.pkg}}" "${{matrix.version}}" "${{matrix.pkg.arch}}" "${{github.run_id}}" "${{secrets.MADOGUCHI_JWT}}" "$GITHUB_SHA"