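# Runs scripts/publish-apt.sh (not part of this file) on a published release
# or on manual dispatch. The name and environment below indicate that the
# script publishes an APT repository to S3/CloudFront.
name: Publish APT repo to S3/CloudFront

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to publish (e.g. v1.9.0). Leave empty to use latest release."
        required: false
        type: string
      backfill_all:
        description: "Build/publish repo for ALL releases."
        required: false
        default: false
        type: boolean

# id-token: write lets the job request the OIDC token that the AWS
# credentials step exchanges for a role session; the repository token
# itself stays read-only.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      PKG_NAME: newt
      SUITE: stable
      COMPONENT: main
      REPO_BASE_URL: https://repo.dev.fosrl.io/apt
      AWS_REGION: ${{ vars.AWS_REGION }}
      S3_BUCKET: ${{ vars.S3_BUCKET }}
      S3_PREFIX: ${{ vars.S3_PREFIX }}
      CLOUDFRONT_DISTRIBUTION_ID: ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}
      # The dispatch inputs and the release tag reach the script as
      # environment variables and are never expanded inside a `run:` line,
      # so a crafted tag arrives as data rather than as shell text.
      # NOTE(review): publish-apt.sh is not shown here; confirm it quotes
      # and validates these values before using them in paths or commands.
      INPUT_TAG: ${{ inputs.tag }}
      BACKFILL_ALL: ${{ inputs.backfill_all }}
      EVENT_TAG: ${{ github.event.release.tag_name }}
      GH_REPO: ${{ github.repository }}
    steps:
      # NOTE(review): both actions below are referenced by the mutable tag
      # `v4`. Later steps of this job hold the AWS role session and the APT
      # signing key, so pinning each action to a full commit SHA (with the
      # tag kept in a trailing comment) stops a moved tag from changing
      # what runs here.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Install dependencies
        run: sudo apt-get update && sudo apt-get install -y dpkg-dev apt-utils gnupg curl jq gh

      # NOTE(review): this fetches whatever upstream marks as `latest` at
      # run time and unpacks it as root with no checksum or signature
      # check. The binary is presumably run by publish-apt.sh in the step
      # that holds the signing key, so pin a specific nfpm version and
      # verify the archive against a checksum recorded in this repository
      # before extracting it.
      - name: Install nfpm
        # Naming the shell makes the runner start bash with `-eo pipefail`,
        # so a failed download fails the step at curl instead of depending
        # on how tar reacts to empty or truncated input.
        shell: bash
        run: |
          curl -fsSL https://github.com/goreleaser/nfpm/releases/latest/download/nfpm_Linux_x86_64.tar.gz |
            sudo tar -xz -C /usr/local/bin nfpm

      - name: Publish APT repo
        # The signing key and its passphrase are set on this step only, so
        # the earlier steps never see them in their environment.
        env:
          GH_TOKEN: ${{ github.token }}
          APT_GPG_PRIVATE_KEY: ${{ secrets.APT_GPG_PRIVATE_KEY }}
          APT_GPG_PASSPHRASE: ${{ secrets.APT_GPG_PASSPHRASE }}
        run: ./scripts/publish-apt.sh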