---
name: Build macOS Packages

on:
  workflow_call:
    inputs:
      salt-version:
        type: string
        required: true
        description: The Salt version to set prior to building packages.
      relenv-version:
        type: string
        required: true
        description: The relenv version to set prior to building packages.
      python-version:
        required: true
        type: string
        description: The version of python to use with relenv
      sign-packages:
        type: boolean
        default: false
        description: Sign Packages
      environment:
        type: string
        description: The GitHub Environment where this workflow should run
        default: ci
      source:
        required: true
        type: string
        description: The backend to build the packages with

env:
  COLUMNS: 190
  PIP_INDEX_URL: https://pypi-proxy.saltstack.net/root/local/+simple/
  PIP_EXTRA_INDEX_URL: https://pypi.org/simple

jobs:

  build-pkgs:
    name: macOS
    environment: ${{ inputs.environment }}
    strategy:
      fail-fast: false
      matrix:
        arch:
          - x86_64
        source:
          - ${{ inputs.source }}

    runs-on:
      - macos-12
    steps:

      - name: Check Package Signing Enabled
        shell: bash
        id: check-pkg-sign
        run: |
          if [ "${{ inputs.sign-packages }}" == "true" ]; then
            if [ "${{ (secrets.MAC_SIGN_APPLE_ACCT != '' && contains(fromJSON('["nightly", "staging"]'), inputs.environment)) && 'true' || 'false' }}" != "true" ]; then
              MSG="Secrets for signing packages are not available. The packages created will NOT be signed."
              echo "${MSG}"
              echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
              echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
            else
              MSG="The packages created WILL be signed."
              echo "${MSG}"
              echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
              echo "sign-pkgs=true" >> "$GITHUB_OUTPUT"
            fi
          else
            MSG="The sign-packages input is false. The packages created will NOT be signed."
            echo "${MSG}"
            echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
            echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
          fi

      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: 3.9

      - name: Setup Python Tools Scripts
        uses: ./.github/actions/setup-python-tools-scripts

      - name: Setup Salt Version
        id: setup-salt-version
        uses: ./.github/actions/setup-salt-version
        with:
          salt-version: "${{ inputs.salt-version }}"

      - name: Download Onedir Tarball as an Artifact
        uses: actions/download-artifact@v3
        with:
          name: salt-${{ inputs.salt-version }}-onedir-darwin-${{ matrix.arch }}.tar.xz
          path: artifacts/

      - name: Prepare Package Signing
        if: ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
        run: |
          echo ${{ secrets.MAC_SIGN_DEV_APP_CERT_B64 }} | base64 --decode > app-cert.p12
          echo ${{ secrets.MAC_SIGN_DEV_INSTALL_CERT_B64 }} | base64 --decode > install-cert.p12
          # Create SaltSigning keychain. This will contain the certificates for signing
          security create-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
          # Append SaltSigning keychain to the search list
          security list-keychains -d user -s "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" "$(security list-keychains -d user | sed s/\"//g)"
          # Unlock the keychain so we can import certs
          security unlock-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
          # Developer Application Certificate
          security import "app-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
          rm app-cert.p12
          # Developer Installer Certificate
          security import "install-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
          rm install-cert.p12
          security set-key-partition-list -S apple-tool:,apple: -k "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" &> /dev/null

      - name: Build MacOS Package
        env:
          DEV_APP_CERT: "${{ secrets.MAC_SIGN_DEV_APP_CERT }}"
          DEV_INSTALL_CERT: "${{ secrets.MAC_SIGN_DEV_INSTALL_CERT }}"
          APPLE_ACCT: "${{ secrets.MAC_SIGN_APPLE_ACCT }}"
          APPLE_TEAM_ID: "${{ secrets.MAC_SIGN_APPLE_TEAM_ID }}"
          APP_SPEC_PWD: "${{ secrets.MAC_SIGN_APP_SPEC_PWD }}"
        run: |
          tools pkg build macos --relenv-version=${{ inputs.relenv-version }} --python-version=${{ inputs.python-version }} ${{
              inputs.source == 'onedir' &&
              format(
                '--onedir salt-{0}-onedir-darwin-{1}.tar.xz --salt-version {0} {2}',
                inputs.salt-version,
                matrix.arch,
                steps.check-pkg-sign.outputs.sign-pkgs == 'true' && '--sign' || ''
              )
              ||
              format('--salt-version {0}', inputs.salt-version)
          }}

      - name: Set Artifact Name
        id: set-artifact-name
        run: |
          if [ "${{ inputs.source }}" != "src" ]; then
            echo "artifact-name=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-macos" >> "$GITHUB_OUTPUT"
          else
            echo "artifact-name=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-macos-from-src" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload ${{ matrix.arch }} Package
        uses: actions/upload-artifact@v3
        with:
          name: ${{ steps.set-artifact-name.outputs.artifact-name }}
          path: pkg/macos/salt-${{ inputs.salt-version }}-py3-*.pkg
          retention-days: 7
          if-no-files-found: error