.github/workflows/ship.yaml

name: ship

on:
  push:

jobs:
  nix-build:
    name: nix build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        target:
          - x86_64-linux
          - aarch64-linux
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@v4

      - name: Install Nix ❄
        uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up the Nix Cache 🔌
        uses: cachix/cachix-action@v15
        with:
          name: hasura-v3-dev
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          useDaemon: false # attempt to stop hanging on cleanup

      - name: Build a binary with Nix
        run: nix build --print-build-logs '.#${{ matrix.target }}'

      - name: Build a Docker image with Nix
        run: nix build --print-build-logs '.#docker-${{ matrix.target }}'

      # scream into Slack if something goes wrong
      - name: Report Status
        if: always() && github.ref == 'refs/heads/main'
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ job.status }}
          notify_when: failure
          notification_title: "😧 Error on <{repo_url}|{repo}>"
          message_format: "🐴 *{workflow}* {status_message} for <{repo_url}|{repo}>"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.BROKEN_BUILD_SLACK_WEBHOOK_URL }}

  push-docker-images:
    name: push Docker images
    needs:
      - nix-build
    runs-on: ubuntu-latest
    # Only run on the `main` branch or version tags.
    # Note we currently tag the image with 'latest', so will want to stop doing
    # so if we run this on PR branches, etc.
    if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@v4

      - name: Install Nix ❄
        uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up the Nix Cache 🔌
        uses: cachix/cachix-action@v15
        with:
          name: hasura-v3-dev
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          useDaemon: false # attempt to stop hanging on cleanup

      - id: gcloud-auth
        name: Authenticate to Google Cloud 🔑
        uses: google-github-actions/auth@v2
        with:
          token_format: access_token
          service_account: "hasura-ci-docker-writer@hasura-ddn.iam.gserviceaccount.com"
          workload_identity_provider: "projects/1025009031284/locations/global/workloadIdentityPools/hasura-ddn/providers/github"

      - name: Login to Google Container Registry 📦
        uses: "docker/login-action@v3"
        with:
          registry: "us-docker.pkg.dev"
          username: "oauth2accesstoken"
          password: "${{ steps.gcloud-auth.outputs.access_token }}"

      - name: Login to GitHub Container Registry 📦
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Docker images to Google Container Registry 🚢
        run: nix run .#publish-docker-image '${{ github.ref }}' 'us-docker.pkg.dev/hasura-ddn/ddn/ndc-sqlserver'

      - name: Push Docker images to GitHub Packages 🚢
        run: nix run .#publish-docker-image '${{ github.ref }}' 'ghcr.io/hasura/ndc-sqlserver'

      # scream into Slack if something goes wrong
      - name: Report Status
        if: always()
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ job.status }}
          notify_when: failure
          notification_title: "😧 Error on <{repo_url}|{repo}>"
          message_format: "🐴 *{workflow}* {status_message} for <{repo_url}|{repo}>"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.BROKEN_BUILD_SLACK_WEBHOOK_URL }}

  build-cli-binaries:
    name: build the CLI binaries
    strategy:
      matrix:
        include:
          - runner: ubuntu-20.04
            target: x86_64-unknown-linux-gnu
            platform: linux-amd64
          - runner: ubuntu-20.04
            target: aarch64-unknown-linux-gnu
            platform: linux-arm64
            linux-packages: gcc-aarch64-linux-gnu
            linker: /usr/bin/aarch64-linux-gnu-gcc
          - runner: macos-latest
            target: x86_64-apple-darwin
            platform: darwin-amd64
            os: macOS
          - runner: macos-latest
            target: aarch64-apple-darwin
            platform: darwin-arm64
            os: macOS
          - runner: windows-latest
            target: x86_64-pc-windows-msvc
            platform: windows-amd64
            extension: .exe
            extra-rust-flags: "-C target-feature=+crt-static"
    runs-on: ${{ matrix.runner }}
    env:
      CARGO_BUILD_TARGET: ${{ matrix.target }}
      CARGO_NET_GIT_FETCH_WITH_CLI: "true"
      RUSTFLAGS: "-D warnings" # fail on warnings
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@v4

      - name: install protoc
        uses: arduino/setup-protoc@v3
        with:
          version: "25.x"
          repo-token: ${{ secrets.GITHUB_TOKEN }}

      - name: install tools
        run: |
          rustup show
          rustup target add ${{ matrix.target }}

      - name: install other packages required
        if: matrix.linux-packages
        run: |
          sudo apt-get update
          sudo apt-get install -y ${{ matrix.linux-packages }}

      - uses: Swatinem/rust-cache@v2
        with:
          shared-key: "build-${matrix.runner}" # share the cache across jobs

      - name: build the CLI
        run: |
          # If we're on a tag, use the tag name as the release version.
          if [[ "$GITHUB_REF_TYPE" == 'tag' ]]; then
            # Ensure that the version specified in Cargo.toml is the same as the tag (with a 'v' prefix).
            CARGO_VERSION="$(cargo metadata --format-version=1 | jq -r '.packages | .[] | select(.name == "ndc-sqlserver") | .version')"
            echo "Git tag: ${GIT_REF_NAME}"
            echo "Cargo version: ${CARGO_VERSION}"

            if [[ "$GITHUB_REF_NAME" != "v${CARGO_VERSION}" ]]; then
              echo >&2 "The Git tag is \"${GITHUB_REF_NAME}\", but the version in Cargo.toml is \"${CARGO_VERSION}\"."
              echo >&2 'These must be the same, with a "v" prefix for the tag. Aborting.'
              exit 1
            fi
            export RELEASE_VERSION="$GITHUB_REF_NAME"
            echo "RELEASE_VERSION = ${RELEASE_VERSION}"
          fi

          if [[ -n '${{ matrix.linker }}' ]]; then
            TARGET_SCREAMING="$(echo '${{ matrix.target }}' | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
            echo "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"='${{ matrix.linker }}'
            declare "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"='${{ matrix.linker }}'
            export "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"
          fi

          if [[ -n '${{ matrix.extra-rust-flags }}' ]]; then
            RUSTFLAGS="${RUSTFLAGS} ${{ matrix.extra-rust-flags }}"
            export RUSTFLAGS
          fi
          echo "RUSTFLAGS = ${RUSTFLAGS}"

          echo "Building for target: ${CARGO_BUILD_TARGET}"
          cargo build --release --bin ndc-sqlserver-cli

          # Create platform-specific directory under cli/
          mkdir -p cli/${{ matrix.platform }}

          # Move the binary with the correct name
          if [[ "${{ matrix.platform }}" == "windows-amd64" ]]; then
            mv -v target/${{ matrix.target }}/release/ndc-sqlserver-cli${{ matrix.extension }} cli/${{ matrix.platform }}/hasura-ndc-sqlserver.exe
          else
            mv -v target/${{ matrix.target }}/release/ndc-sqlserver-cli cli/${{ matrix.platform }}/hasura-ndc-sqlserver
          fi

      - name: Generate manifest entry
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: |

          # Calculate SHA256 of the binary
          if [[ "${{ matrix.platform }}" == "windows-amd64" ]]; then
            SHA256=$(certutil -hashfile cli/${{ matrix.platform }}/hasura-ndc-sqlserver.exe SHA256 | grep -v "hash" | awk '{print $1}')
          elif [[ "${{ matrix.os }}" == "macOS" ]]; then
            SHA256=$(shasum -a 256 cli/${{ matrix.platform }}/hasura-ndc-sqlserver | cut -d' ' -f1)
          else
            SHA256=$(sha256sum cli/${{ matrix.platform }}/hasura-ndc-sqlserver | cut -d' ' -f1)
          fi

          # Extract tag from github.ref by removing 'refs/tags/' prefix
          TAG=${GITHUB_REF#refs/tags/}

          cat << EOF > manifest-entry.yaml
          - selector: ${{ matrix.platform }}
            uri: "https://github.com/${{ github.repository }}/releases/download/${TAG}/cli.tar.gz"
            sha256: "${SHA256}"
            bin: "cli-binary-${{matrix.platform}}/hasura-ndc-sqlserver${{ matrix.extension }}"
          EOF

      - name: Upload manifest entry
        uses: actions/upload-artifact@v4
        with:
          name: manifest-${{ matrix.platform }}
          path: manifest-entry.yaml
          retention-days: 1

      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: cli-binary-${{ matrix.platform }}
          path: cli/${{ matrix.platform }}
          retention-days: 1

  create-cli-package:
    needs: build-cli-binaries
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    steps:
      - name: Download all binaries
        uses: actions/download-artifact@v4
        with:
          pattern: cli-binary-*
          path: cli

      - name: Create tarball
        run: |
          tar -czf cli.tar.gz -C cli .
          echo "Created cli.tar.gz containing:"
          tar -tvf cli.tar.gz

      - name: Download manifest entries
        uses: actions/download-artifact@v4
        with:
          path: entries

      - name: Combine manifest entries
        run: |
          # Combine all yaml entries into a single file
          find entries -name "manifest-entry.yaml" -exec cat {} \; > cli-manifest.yaml

          echo "Generated CLI Plugin Manifest:"
          cat cli-manifest.yaml

      - name: Upload CLI package and manifest
        uses: actions/upload-artifact@v4
        with:
          name: release-artifacts
          path: |
            cli.tar.gz
            cli-manifest.yaml
          retention-days: 1


  release:
    name: release to GitHub
    needs:
      - push-docker-images # not strictly necessary, but if this fails, we should abort
      - build-cli-binaries
      - create-cli-package
    runs-on: ubuntu-latest
    # We release when a tag is pushed.
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: release-artifacts
          path: release/artifacts

      - name: generate a changelog
        run: |
          ./scripts/release-notes.py "${GITHUB_REF_NAME}" >> release/notes.md

      - name: generate a connector package
        run: |
          tar xvf release/artifacts/cli.tar.gz -C release/artifacts
          tree release/artifacts
          chmod +x ./release/artifacts/cli-binary-linux-amd64/hasura-ndc-sqlserver
          mkdir -p metadata-configuration
          ./release/artifacts/cli-binary-linux-amd64/hasura-ndc-sqlserver --context=metadata-configuration initialize --with-metadata --binary-cli-manifest=release/artifacts/cli-manifest.yaml
          cat metadata-configuration/.hasura-connector/connector-metadata.yaml
          ls metadata-configuration
          tar -vczf release/artifacts/package.tar.gz -C metadata-configuration .

      - name: create a draft release
        uses: ncipollo/release-action@v1
        with:
          draft: true
          bodyFile: release/notes.md
          artifacts: release/artifacts/*