name: build and publish packages

on:
  push:
    branches: [main]
    paths:
      - 'arch/**'
      - '.gitea/workflows/build.yml'
  workflow_dispatch:

jobs:
  distcc-avahi-aarch64:
    runs-on: arch-aarch64
    steps:
      - name: checkout
        uses: actions/checkout@v4

      - name: install builder deps (idempotent)
        run: |
          # runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
          # This step exists so a freshly re-imaged runner bootstraps itself.
          pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools

      - name: import signing key
        env:
          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
        run: |
          set -e
          mkdir -m700 -p /root/.gnupg
          printf '%s\n' "$PRIV" | gpg --batch --import
          # echo trust so gpg doesn't complain during signing
          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
          printf '%s' "$PASS" > /root/repo_pass
          chmod 600 /root/repo_pass

      - name: install deploy ssh key
        env:
          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
        run: |
          mkdir -m700 -p /root/.ssh
          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
          chmod 600 /root/.ssh/id_ed25519
          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null

      - name: makepkg
        run: |
          set -e
          # act's workspace lives under /root/.cache/act which the unprivileged
          # 'builder' user can't write to. Copy the package source into a
          # builder-owned /tmp dir.
          rm -rf /tmp/build-distcc-avahi
          cp -r arch/distcc-avahi /tmp/build-distcc-avahi
          chown -R builder:builder /tmp/build-distcc-avahi
          cd /tmp/build-distcc-avahi
          sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
          ls -la *.pkg.tar.* | grep -v "\.sig$"

      - name: sign package
        run: |
          set -e
          cd /tmp/build-distcc-avahi
          for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
            [ -f "$f" ] || continue
            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
                --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
          done
          ls -la *.sig

      - name: fetch current repo db and rebuild
        run: |
          set -e
          mkdir -p /tmp/arch-stage
          cd /tmp/arch-stage
          # pull current db (may be empty skeleton on first run)
          curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
          curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
          # move freshly built package(s) in
          for ext in xz zst gz; do
            ls /tmp/build-distcc-avahi/*.pkg.tar.$ext 2>/dev/null && \
              mv /tmp/build-distcc-avahi/*.pkg.tar.$ext /tmp/build-distcc-avahi/*.pkg.tar.$ext.sig .
          done || true
          # regenerate the db, signing it with our key
          export GPG_TTY=""
          export GNUPGHOME=/root/.gnupg
          # repo-add wants explicit passphrase; wrap via gpg-agent loopback
          cat > /root/.gnupg/gpg.conf <<EOF
pinentry-mode loopback
passphrase-file /root/repo_pass
EOF
          cat > /root/.gnupg/gpg-agent.conf <<EOF
allow-loopback-pinentry
EOF
          gpg-connect-agent reloadagent /bye
          repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
            --verify marfrit.db.tar.gz *.pkg.tar.*
          # refresh "unversioned" symlinks expected by pacman
          ln -sf marfrit.db.tar.gz     marfrit.db
          ln -sf marfrit.files.tar.gz  marfrit.files
          ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
          ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
          ls -la

      - name: publish via rrsync
        run: |
          set -e
          cd /tmp/arch-stage
          # rrsync on nc is scoped to /srv/packages/; target path is relative.
          rsync -avL --copy-unsafe-links \
            -e 'ssh -i /root/.ssh/id_ed25519' \
            ./ mfritsche@nc.reauktion.de:arch/aarch64/

      - name: wipe secrets
        if: always()
        run: rm -f /root/repo_pass /root/.ssh/id_ed25519

  # x86_64 job will mirror this one and run on the pve4 runner.
  # Kept commented out until a package actually targets x86_64 —
  # no point spinning pve4 for a no-op.
  #
  # distcc-avahi-x86_64:
  #   runs-on: arch-x86_64
  #   steps: (same as above, with arch/x86_64/ target)