.github/workflows/nightly.yml

name: nightly

on:
  workflow_call:
    inputs:
      upload_artifacts:
        required: false
        type: boolean
        default: true
      upload_artifact:
        required: false
        type: boolean
        default: true
      go_version:
        required: false
        type: string
        default: stable
      lfs:
        required: false
        type: boolean
        default: false
        description: Whether to download Git-LFS files
    secrets:
      docker_username:
        required: true
      docker_token:
        required: true
      goreleaser_key:
        required: true
      gh_pat:
        required: false
      fury_token:
        required: false
      macos_sign_p12:
        required: false
      macos_sign_password:
        required: false
      macos_notary_key:
        required: false
      macos_notary_key_id:
        required: false
      macos_notary_issuer_id:
        required: false

jobs:
  nightly:
    runs-on: ubuntu-latest
    # dependabot-created PRs cant see any secrets, so this workflow wont work anyway https://github.com/dependabot/dependabot-core/issues/3253
    if: ${{ github.actor != 'dependabot[bot]' }}
    permissions:
      contents: write
      id-token: write
      packages: write
    env:
      DOCKER_CLI_EXPERIMENTAL: enabled
      GH_PAT: ${{ secrets.gh_pat }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          lfs: ${{ inputs.lfs }}
      - run: |
          git config --global url."https://${{ secrets.gh_pat }}@github.com/charmbracelet".insteadOf "https://github.com/charmbracelet"
          git config --global url."https://${{ secrets.gh_pat }}@github.com/charmcli".insteadOf "https://github.com/charmcli"
        if: env.GH_PAT != null
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ inputs.go_version }}
          cache: true
          check-latest: true
      - uses: sigstore/cosign-installer@v3.7.0
      - uses: anchore/sbom-action/download-syft@v0.17.9
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        name: ghcr.io login
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/login-action@v3
        name: docker.io login
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_token }}
      - uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          distribution: goreleaser-pro
          args: release --clean --nightly
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.goreleaser_key }}
          FURY_TOKEN: ${{ secrets.fury_token }}
          MACOS_SIGN_P12: ${{ secrets.macos_sign_p12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.macos_sign_password }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.macos_notary_issuer_id }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.macos_notary_key_id }}
          MACOS_NOTARY_KEY: ${{ secrets.macos_notary_key }}
      - uses: actions/upload-artifact@v4
        if: ${{ inputs.upload_artifact == true && always() }}
        with:
          retention-days: 30
          name: dist
          path: |
            dist