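# GitLab CI pipeline: detect a release tag, build the macOS binaries on
# per-architecture runners, then run the (dry-run) GitHub release script.
stages: [check, build, release]

default:
  # Every job receives an OIDC ID token with this audience; the `secrets:`
  # entries below are resolved from Vault using it.
  # NOTE(review): which refs may read which secret paths is decided by the
  # Vault role's bound claims, not by this file - confirm that the signing
  # material is only readable from protected branches and tags.
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org

# -----------------------------------------------
# Stage 1: Check for a Git tag on the current commit
# -----------------------------------------------
check_tag:
  stage: check
  script:
    - |
      # Check if there is a Git tag pointing to HEAD.
      # tag_check.env is consumed as a dotenv report, so it must hold exactly
      # one KEY=VALUE pair per line. Several tags on the same commit would
      # spill extra lines into the file, so that case is rejected instead of
      # guessing which tag is the release version.
      TAGS="$(git tag --points-at HEAD)"
      TAG_COUNT="$(printf '%s' "${TAGS}" | grep -c . || true)"
      if [ "${TAG_COUNT}" -gt 1 ]; then
        echo "More than one tag points at HEAD; refusing to pick VERSION:" >&2
        echo "${TAGS}" >&2
        exit 1
      fi
      if [ -n "${TAGS}" ]; then
        echo "${TAGS}"
        echo "TAG_EXISTS=true" >> tag_check.env
        echo "VERSION=${TAGS}" >> tag_check.env
      else
        echo "TAG_EXISTS=false" >> tag_check.env
      fi
  artifacts:
    reports:
      # Pass the TAG_EXISTS variable to the next stage
      dotenv: tag_check.env

build_cloudflared_macos: &build
  stage: build
  # Code-signing and installer-signing material. `file: false` puts each
  # secret's value directly into the environment variable (not a temp-file
  # path), so nothing in this job or in the build script should dump the
  # environment or enable shell tracing.
  # NOTE(review): this job has no `rules:`, so it requests these secrets on
  # every pipeline - confirm that is intended.
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/apple_dev_ca_cert/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_codesign_cert/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_codesign_key/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_codesign_pass/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_installer_cert/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_installer_key/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_installer_pass/data@kv
      file: false
  # One job per matrix entry, routed to the runner tagged for that architecture.
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  artifacts:
    paths:
      - artifacts/*
  script:
    # Map the runner label onto the architecture name exported to the build.
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.teamcity/mac/install-cloudflare-go.sh
    - export PATH="/tmp/go/bin:$PATH"
    - BUILD_SCRIPT=.teamcity/mac/build.sh
    - |
      # A missing or non-executable build script must fail the job. A bare
      # `exit` here would return the status of the successful test (0) and
      # leave a green job that built and signed nothing.
      if [[ ! -x "${BUILD_SCRIPT}" ]]; then
        echo "${BUILD_SCRIPT} is missing or not executable" >&2
        exit 1
      fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}

build_cloudflared_macos_tagged_release:
  stage: build
  # Base image is pinned by digest, so the tag cannot be repointed silently.
  image: docker-registry.cfdata.org/stash/cf/debian-images/bookworm/main:302-326550a62d5c@sha256:c8257b4e523f34b4ae6c6816d7685a39eabe0bd8c8bccb2c5befbacaed47f911
  # Only check_tag's artifacts (the dotenv report with TAG_EXISTS / VERSION)
  # are fetched.
  # NOTE(review): the script below reads artifacts/, but the macOS build is
  # not listed here and runs in the same stage - confirm where the release
  # files are expected to come from.
  dependencies:
    - check_tag
  cache:
    paths:
      - .cache/pip
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # Quoted so the hex identifiers are always read as strings.
    KV_NAMESPACE: '380e19aa04314648949b6ad841417ebe'
    KV_ACCOUNT: '5ab4e9dfbd435d24068829fda0077963'
  # API credentials; `file: false` exposes the values themselves in the
  # environment, so keep them out of job logs.
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
  before_script:
    - apt-get update && apt-get install -y go-boring=1.22.10-1 build-essential python3-dev libffi-dev python3-setuptools python3-pip python3-venv
    # For debugging
    - python3 --version ; pip --version
    # NOTE(review): virtualenv is installed unpinned, and the two packages
    # below are pinned by version but not by hash; this job holds release
    # credentials, so consider a hash-checked requirements file.
    - pip install virtualenv
    # NOTE(review): this path assumes pip installed into gitlab-runner's user
    # site - confirm it holds inside the container image above.
    - /home/gitlab-runner/.local/bin/virtualenv venv
    - source venv/bin/activate
    - pip install pynacl==1.4.0 pygithub==1.55
  script:
    - ls -lrth
    - echo $VERSION
    - echo $TAG_EXISTS
    - |
      # The dotenv report cannot gate the job through `rules:`, so the tag
      # check is enforced here. Without it an untagged commit reaches the
      # release script with an empty VERSION.
      if [ "${TAG_EXISTS:-false}" != "true" ]; then
        echo "No tag points at this commit; skipping release."
        exit 0
      fi
      echo "Running release because tag exists."
      # VERSION is quoted so it is always passed as one argument and an empty
      # value can never make --draft the argument of --release-version.
      python3 github_release.py --path artifacts/ --release-version "$VERSION" --draft --dry-run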