.github/workflows/releases.yml

name: goreleaser

on:
  push:
    tags:
      - "v*"

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up Go 1.15
        uses: actions/setup-go@v2
        with:
          go-version: 1.15
      - name: Generate changelog
        run: |
          echo "GORELEASER_CURRENT_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
          git fetch --unshallow
          script/changelog | tee CHANGELOG.md
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
          version: latest
          args: release --release-notes=CHANGELOG.md
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Checkout documentation site
        uses: actions/checkout@v2
        with:
          repository: github/cli.github.com
          path: site
          fetch-depth: 0
          token: ${{secrets.SITE_GITHUB_TOKEN}}
      - name: Update site man pages
        env:
          GIT_COMMITTER_NAME: cli automation
          GIT_AUTHOR_NAME: cli automation
          GIT_COMMITTER_EMAIL: noreply@github.com
          GIT_AUTHOR_EMAIL: noreply@github.com
        run: make site-bump
      - name: Move project cards
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          PENDING_COLUMN: 8189733
          DONE_COLUMN: 7110130
        run: |
          api() { gh api -H 'accept: application/vnd.github.inertia-preview+json' "$@"; }
          api-write() { [[ $GITHUB_REF == *-* ]] && echo "skipping: api $*" || api "$@"; }
          cards=$(api --paginate projects/columns/$PENDING_COLUMN/cards | jq ".[].id")
          for card in $cards; do
            api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
          done
          echo "moved ${#cards[@]} cards to the Done column"
      
      - name: Install packaging dependencies
        run: sudo apt-get install -y rpm reprepro
      - name: Set up GPG
        run: |
          gpg --import --no-tty --batch --yes < script/pubkey.asc
          echo "${{secrets.GPG_KEY}}" | base64 -d | gpg --import --no-tty --batch --yes
          echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
          gpg-connect-agent RELOADAGENT /bye
          echo "${{secrets.GPG_PASSPHRASE}}" | /usr/lib/gnupg2/gpg-preset-passphrase --preset 867DAD5051270B843EF54F6186FA10E3A1D22DC5
      - name: Sign RPMs
        run: |
          cp script/rpmmacros ~/.rpmmacros
          rpmsign --addsign dist/*.rpm
      - name: Run createrepo
        run: |
          mkdir -p site/packages/rpm
          cp dist/*.rpm site/packages/rpm/
          ./script/createrepo.sh
          cp -r dist/repodata site/packages/rpm/
          pushd site/packages/rpm
          gpg --yes --detach-sign --armor repodata/repomd.xml
          popd
      - name: Run reprepro
        env:
          RELEASES: "cosmic eoan disco groovy focal stable oldstable testing unstable buster bullseye stretch jessie bionic trusty precise xenial"
        run: |
          mkdir -p upload
          for release in $RELEASES; do
            for file in dist/*.deb; do
              reprepro --confdir="+b/script" includedeb "$release" "$file"
            done
          done
          cp -a dists/ pool/ upload/
          mkdir -p site/packages
          cp -a upload/* site/packages/
      - name: Publish site
        env:
          GIT_COMMITTER_NAME: cli automation
          GIT_AUTHOR_NAME: cli automation
          GIT_COMMITTER_EMAIL: noreply@github.com
          GIT_AUTHOR_EMAIL: noreply@github.com
        working-directory: ./site
        run: |
          git add packages
          git commit -m "Add rpm and deb packages for ${GITHUB_REF#refs/tags/}"
          if [[ $GITHUB_REF == *-* ]]; then
            git log --oneline @{upstream}..
            git diff --name-status @{upstream}..
          else
            git push
          fi

  msi:
    needs: goreleaser
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Download gh.exe
        id: download_exe
        shell: bash
        run: |
          hub release download "${GITHUB_REF#refs/tags/}" -i '*windows_amd64*.zip'
          printf "::set-output name=zip::%s\n" *.zip
          unzip -o *.zip && rm -v *.zip
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Install go-msi
        run: choco install -y "go-msi"
      - name: Prepare PATH
        shell: bash
        run: |
          echo "$WIX\\bin" >> $GITHUB_PATH
          echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH
      - name: Build MSI
        id: buildmsi
        shell: bash
        run: |
          mkdir -p build
          msi="$(basename "${{ steps.download_exe.outputs.zip }}" ".zip").msi"
          printf "::set-output name=msi::%s\n" "$msi"
          go-msi make --msi "$PWD/$msi" --out "$PWD/build" --version "${GITHUB_REF#refs/tags/}"
      - name: Obtain signing cert
        id: obtain_cert
        env:
          DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
        run: .\script\setup-windows-certificate.ps1
      - name: Sign MSI
        env:
          GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
        run: |
          .\script\sign.ps1 -Certificate "${{ steps.obtain_cert.outputs.cert-file }}" `
            -Executable "${{ steps.buildmsi.outputs.msi }}"
      - name: Upload MSI
        shell: bash
        run: hub release edit "${GITHUB_REF#refs/tags/}" -m "" --draft=false -a "${{ steps.buildmsi.outputs.msi }}"
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Bump homebrew-core formula
        uses: mislav/bump-homebrew-formula-action@v1
        if: "!contains(github.ref, '-')" # skip prereleases
        with:
          formula-name: gh
        env:
          COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
      - name: Checkout scoop bucket
        uses: actions/checkout@v2
        with:
          repository: cli/scoop-gh
          path: scoop-gh
          fetch-depth: 0
          token: ${{secrets.UPLOAD_GITHUB_TOKEN}}
      - name: Bump scoop bucket
        shell: bash
        run: |
          hub release download "${GITHUB_REF#refs/tags/}" -i '*_checksums.txt'
          script/scoop-gen "${GITHUB_REF#refs/tags/}" ./scoop-gh/gh.json < *_checksums.txt
          git -C ./scoop-gh commit -m "gh ${GITHUB_REF#refs/tags/}" gh.json
          if [[ $GITHUB_REF == *-* ]]; then
            git -C ./scoop-gh show -m
          else
            git -C ./scoop-gh push
          fi
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          GIT_COMMITTER_NAME: cli automation
          GIT_AUTHOR_NAME: cli automation
          GIT_COMMITTER_EMAIL: noreply@github.com
          GIT_AUTHOR_EMAIL: noreply@github.com