name: Publish @bytelyst/* packages

on:
  workflow_dispatch:
    inputs:
      package_filter:
        description: 'Package name to publish, or @bytelyst/* for all packages'
        required: false
        default: '@bytelyst/errors'
      dry_run:
        description: 'Build, test, and pack queued packages without publishing'
        required: false
        default: 'false'
  push:
    branches: [main]

concurrency:
  group: publish-${{ github.ref }}
  cancel-in-progress: false

defaults:
  run:
    shell: bash

jobs:
  publish:
    runs-on: [ubuntu-latest, bytelyst, hostinger]
    container:
      image: node:20-bookworm@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5
      options: --network host -v /home/gitea-runner/.gitea_publish_npmrc:/run/secrets/gitea_publish_npmrc:ro
    env:
      PACKAGE_FILTER: ${{ github.event.inputs.package_filter }}
      DRY_RUN: ${{ github.event.inputs.dry_run }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          github-server-url: https://gitea.bytelyst.com

      - name: Print build context
        run: |
          echo "Ref:     ${{ github.ref }}"
          echo "RefName: ${{ github.ref_name }}"
          echo "Commit:  ${{ github.sha }}"
          echo "Runner:  $(hostname)"
          echo "Package filter: ${PACKAGE_FILTER:-@bytelyst/errors}"
          echo "Dry run: ${DRY_RUN:-false}"
          grep '^PRETTY_NAME=' /etc/os-release || true
          node --version
          npm --version

      - name: Install pinned pnpm
        run: |
          npm install -g pnpm@10.6.5
          pnpm --version

      - name: Configure publish registry
        run: |
          cp /run/secrets/gitea_publish_npmrc /tmp/publish.npmrc
          chmod 600 /tmp/publish.npmrc
          echo "Configured registry:"
          sed -E 's#(_auth(Token)?=).*#\1***#; s#(//[^[:space:]]+:)_authToken=.*#\1_authToken=***#' /tmp/publish.npmrc
          npm whoami --userconfig /tmp/publish.npmrc --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/

      - name: Install workspace deps
        run: HUSKY=0 pnpm install --frozen-lockfile

      - name: Discover unpublished packages
        run: |
          set -euo pipefail
          PACKAGE_FILTER="${PACKAGE_FILTER:-@bytelyst/errors}"
          echo "Using package filter: $PACKAGE_FILTER"
          : > /tmp/packages-to-publish.tsv
          for pkg_json in packages/*/package.json; do
            name=$(node -p "require('./$pkg_json').name")
            version=$(node -p "require('./$pkg_json').version")
            dir=$(dirname "$pkg_json")
            case "$name" in
              @bytelyst/*) ;;
              *) continue ;;
            esac
            case "$PACKAGE_FILTER" in
              '@bytelyst/*'|'') ;;
              "$name") ;;
              *) continue ;;
            esac
            if npm view "$name@$version" version --userconfig /tmp/publish.npmrc --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/ >/dev/null 2>&1; then
              echo "SKIP already published: $name@$version"
            else
              echo "QUEUE publish: $name@$version ($dir)"
              printf '%s\t%s\t%s\n' "$name" "$version" "$dir" >> /tmp/packages-to-publish.tsv
            fi
          done
          echo "Queued packages:"
          cat /tmp/packages-to-publish.tsv || true

      - name: Build, test, pack, publish, and consumer-verify queued packages
        run: |
          set -euo pipefail
          DRY_RUN="${DRY_RUN:-false}"
          case "$DRY_RUN" in
            true|false) ;;
            *) echo "DRY_RUN must be 'true' or 'false'; got '$DRY_RUN'" >&2; exit 1 ;;
          esac
          echo "Dry run mode: $DRY_RUN"
          mkdir -p /tmp/tarballs
          if [ ! -s /tmp/packages-to-publish.tsv ]; then
            echo "No unpublished packages matched the filter; nothing to do."
            exit 0
          fi
          while IFS=$'\t' read -r name version dir; do
            echo "=== $name@$version ==="
            pnpm --filter "$name" run build
            if node -e "const s=require('./$dir/package.json').scripts||{}; process.exit(s.test ? 0 : 1)"; then
              pnpm --filter "$name" test
            else
              echo "SKIP test: $name has no package.json scripts.test"
            fi
            (cd "$dir" && pnpm pack --pack-destination /tmp/tarballs)
            if [ "$DRY_RUN" = "true" ]; then
              echo "DRY RUN: would publish $name@$version"
            else
              cp /tmp/publish.npmrc "$dir/.npmrc"
              trap "rm -f '$dir/.npmrc'" EXIT
              (cd "$dir" && pnpm publish --no-git-checks --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/)
              rm -f "$dir/.npmrc"
              trap - EXIT
              npm view "$name@$version" version dist.shasum dist.tarball --userconfig /tmp/publish.npmrc --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/
              consumer_name="consumer-${name//@/}-${version}"
              consumer_name="${consumer_name//\//-}"
              consumer_dir="/tmp/$consumer_name"
              rm -rf "$consumer_dir"
              mkdir -p "$consumer_dir"
              cp /tmp/publish.npmrc "$consumer_dir/.npmrc"
              printf '{"name":"publish-consumer-verify","private":true,"type":"module","dependencies":{"%s":"%s"}}\n' "$name" "$version" > "$consumer_dir/package.json"
              (cd "$consumer_dir" && pnpm install --no-frozen-lockfile)
              (cd "$consumer_dir" && node --input-type=module -e "const m=await import('$name'); console.log(Object.keys(m).sort().join(','));")
            fi
          done < /tmp/packages-to-publish.tsv

      - name: Compute tarball SHA512 manifest
        run: |
          set -euo pipefail
          cd /tmp/tarballs
          if ls *.tgz >/dev/null 2>&1; then
            sha512sum *.tgz > manifest.sha512
            cat manifest.sha512
          else
            echo "No tarballs produced" > manifest.sha512
            cat manifest.sha512
          fi