name: ci/gh-actions/guix

on: [push, pull_request]

jobs:
  cache-sources:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: depends sources cache
        id: cache
        uses: actions/cache@v4
        with:
          path: contrib/depends/sources
          key: sources-${{ hashFiles('contrib/depends/packages/*') }}
      - name: download depends sources
        if: steps.cache.outputs.cache-hit != 'true'
        run: make -C contrib/depends download

  build-guix:
    runs-on: ubuntu-24.04
    needs: [cache-sources]
    strategy:
      fail-fast: false
      matrix:
        toolchain:
          - target: "x86_64-linux-gnu"
          - target: "x86_64-linux-gnu.no-tor-bundle"
          - target: "x86_64-linux-gnu.pack"
          - target: "aarch64-linux-gnu"
          - target: "arm-linux-gnueabihf"
          - target: "riscv64-linux-gnu"
          - target: "i686-linux-gnu"
          - target: "x86_64-w64-mingw32"
          - target: "x86_64-w64-mingw32.installer"
          - target: "x86_64-apple-darwin"
          - target: "arm64-apple-darwin"

    name: ${{ matrix.toolchain.target }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}
          submodules: recursive
      # https://github.com/actions/checkout/issues/1467
      - name: git fetch tags
        run: git fetch --tags
      - name: remove bundled packages
        run: sudo rm -rf /usr/local
      - name: depends sources cache
        uses: actions/cache/restore@v4
        with:
          path: contrib/depends/sources
          key: sources-${{ hashFiles('contrib/depends/packages/*') }}
      - name: install dependencies
        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils
      - name: fix apparmor
        run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed"
      - name: purge apparmor
        run: sudo apt purge apparmor
      - name: build
        run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build
      - name: virustotal scan
        env:
          VT_API_KEY: ${{ secrets.VT_API_KEY }}
        if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' && env.VT_API_KEY != '' }}
        uses: crazy-max/ghaction-virustotal@v4
        with:
          vt_api_key: ${{ secrets.VT_API_KEY }}
          files: |
            guix/guix-build-*/build/distsrc-*/build/bin/feather.exe
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.toolchain.target }}
          path: |
            guix/guix-build-*/output/${{ matrix.toolchain.target }}/*
            guix/guix-build-*/logs/${{ matrix.toolchain.target }}/*

  bundle-logs:
    runs-on: ubuntu-24.04
    needs: [build-guix]
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
      - name: print hashes
        run: |
          echo '```' >> $GITHUB_STEP_SUMMARY
          uname --machine && find **/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
      - uses: actions/upload-artifact@v4
        with:
          name: "logs"
          path: '**/logs/**'
      - uses: ncipollo/release-action@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz"
          draft: true
          name: v${{github.ref_name}}