.github/workflows/mobile-release.yml

name: Mobile/Release

permissions:
  contents: read

on:
  workflow_dispatch:
  schedule:
  # Mondays at 1pm UTC (8am EST)
  - cron: "0 13 * * 1"

jobs:
  env:
    secrets:
      lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
      lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
    permissions:
      contents: read
    uses: ./.github/workflows/_load_env.yml

  release:
    permissions:
      contents: read
      packages: read
    if: >-
      ${{
          github.repository == 'envoyproxy/envoy'
          && (github.event.schedule
              || !contains(github.actor, '[bot]'))
      }}
    needs: env
    uses: ./.github/workflows/_mobile_container_ci.yml
    with:
      args: ${{ matrix.args }}
      container: ${{ fromJSON(needs.env.outputs.build-image).mobile }}
      container-output: |
        "bazel-bin/library/kotlin/io/envoyproxy/envoymobile/${{ matrix.output }}.aar": build/
        "bazel-bin/library/kotlin/io/envoyproxy/envoymobile/${{ matrix.output }}-pom.xml": build/
        "bazel-bin/library/kotlin/io/envoyproxy/envoymobile/${{ matrix.output }}-sources.jar": build/
        "bazel-bin/library/kotlin/io/envoyproxy/envoymobile/${{ matrix.output }}-javadoc.jar": build/
      request: ${{ needs.env.outputs.request }}
      steps-pre: |
        - run: |
            mkdir /tmp/mobile
            VERSION="0.5.0.$(date '+%Y%m%d')"
            echo "VERSION=${VERSION}" >> $GITHUB_ENV
          shell: bash
      steps-post: |
        - run: |
            mkdir /tmp/output
          shell: bash
        - name: Tar artifacts
          run: >-
            tar
            -czhf
            /tmp/output/${{ matrix.output }}_android_aar_sources.tar.gz
            -C
            /tmp/container-output/build
            .
          shell: bash
      target: ${{ matrix.target }}
      upload-name: ${{ matrix.output }}_android_aar_sources
      upload-path: /tmp/output/${{ matrix.output }}_android_aar_sources.tar.gz
    strategy:
      fail-fast: false
      matrix:
        include:
        - target: android-release
          args: >-
            build
            --config=mobile-remote-release-clang-android-publish
            --define=pom_version=$VERSION
            //:android_dist
          output: envoy
        - target: xds-release
          args: >-
            build
            --config=mobile-remote-release-clang-android-publish-xds
            --define=pom_version=$VERSION
            //:android_xds_dist
          output: envoy_xds

  deploy:
    needs: release
    permissions:
      contents: read
      packages: read
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        include:
        - output: envoy
        - output: envoy_xds
    steps:
    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
      with:
        fetch-depth: 0
    - name: Add safe directory
      run: git config --global --add safe.directory /__w/envoy/envoy
    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e  # v4.1.7
      with:
        name: ${{ matrix.output }}_android_aar_sources
        path: .
    - name: Expand archive
      run: |
        tar -xf ${{ matrix.output }}_android_aar_sources.tar.gz
    - name: 'Configure gpg signing'
      env:
        GPG_KEY: ${{ secrets.EM_GPG_KEY }}
        GPG_PASSPHRASE: ${{ secrets.EM_GPG_PASSPHRASE }}
      run: |
        # https://github.com/keybase/keybase-issues/issues/2798
        export GPG_TTY=$(tty)
        # Import gpg keys and warm the passphrase to avoid the gpg
        # passphrase prompt when initating a deploy
        # `--pinentry-mode=loopback` could be needed to ensure we
        # suppress the gpg prompt
        echo $GPG_KEY | base64 --decode > signing-key
        gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
        shred signing-key

        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
    - name: 'Release to sonatype repository'
      env:
        READWRITE_USER: ${{ secrets.EM_SONATYPE_USER }}
        READWRITE_API_KEY: ${{ secrets.EM_SONATYPE_PASSWORD }}
        SONATYPE_PROFILE_ID: ${{ secrets.EM_SONATYPE_PROFILE_ID }}
      run: |
        version="0.5.0.$(date '+%Y%m%d')"
        python mobile/ci/sonatype_nexus_upload.py \
          --profile_id=$SONATYPE_PROFILE_ID \
          --artifact_id=${{ matrix.output }} \
          --version=$version \
          --files \
            ${{ matrix.output }}.aar \
            ${{ matrix.output }}-pom.xml \
            ${{ matrix.output }}-sources.jar \
            ${{ matrix.output }}-javadoc.jar \
          --signed_files \
            ${{ matrix.output }}.aar.asc \
            ${{ matrix.output }}-pom.xml.asc \
            ${{ matrix.output }}-sources.jar.asc \
            ${{ matrix.output }}-javadoc.jar.asc