---
name: Build Windows Packages

on:
  workflow_call:
    inputs:
      salt-version:
        type: string
        required: true
        description: The Salt version to set prior to building packages
      relenv-version:
        type: string
        required: true
        description: The relenv version to set prior to building packages.
      python-version:
        required: true
        type: string
        description: The version of python to use with relenv
      sign-packages:
        type: boolean
        default: false
        description: Sign Packages
      environment:
        type: string
        description: The GitHub Environment where this workflow should run
        default: ci
      source:
        required: true
        type: string
        description: The backend to build the packages with

env:
  COLUMNS: 190
  AWS_MAX_ATTEMPTS: "10"
  AWS_RETRY_MODE: "adaptive"
  PIP_INDEX_URL: https://pypi-proxy.saltstack.net/root/local/+simple/
  PIP_EXTRA_INDEX_URL: https://pypi.org/simple

jobs:

  build-pkgs:
    name: Windows
    environment: ${{ inputs.environment }}
    strategy:
      fail-fast: false
      max-parallel: 2
      matrix:
        arch:
          - x86
          - amd64
        source:
          - ${{ inputs.source }}

    runs-on:
      - windows-latest
    env:
      SM_HOST: "${{ secrets.WIN_SIGN_HOST_PROD }}"
      SM_API_KEY: "${{ secrets.WIN_SIGN_API_KEY }}"
      SM_CLIENT_CERT_FILE: "D:\\Certificate_pkcs12.p12"
      SM_CLIENT_CERT_PASSWORD: "${{ secrets.WIN_SIGN_CERT_PASSWORD }}"
      SM_CLIENT_CERT_FILE_B64: "${{ secrets.WIN_SIGN_CERT_FILE_B64 }}"
      WIN_SIGN_CERT_SHA1_HASH: "${{ secrets.WIN_SIGN_CERT_SHA1_HASH }}"

    steps:
      - name: Check Package Signing Enabled
        shell: bash
        id: check-pkg-sign
        run: |
          if [ "${{ inputs.sign-packages }}" == "true" ]; then
            if [ "${{ (secrets.WIN_SIGN_API_KEY != '' && env.SM_HOST != '' && inputs.environment == 'staging') && 'true' || 'false' }}" != "true" ]; then
              MSG="Secrets for signing packages are not available. The packages created will NOT be signed."
              echo "${MSG}"
              echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
              echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
            else
              MSG="The packages created WILL be signed."
              echo "${MSG}"
              echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
              echo "sign-pkgs=true" >> "$GITHUB_OUTPUT"
            fi
          else
            MSG="The sign-packages input is false. The packages created will NOT be signed."
            echo "${MSG}"
            echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
            echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
          fi

      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: 3.9

      - name: Setup Python Tools Scripts
        uses: ./.github/actions/setup-python-tools-scripts

      - name: Setup Salt Version
        id: setup-salt-version
        uses: ./.github/actions/setup-salt-version
        with:
          salt-version: "${{ inputs.salt-version }}"

      - name: Download Onedir Tarball as an Artifact
        uses: actions/download-artifact@v3
        with:
          name: salt-${{ inputs.salt-version }}-onedir-windows-${{ matrix.arch }}.zip
          path: artifacts/

      - name: Code signing with Software Trust Manager
        if: ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
        uses: digicert/ssm-code-signing@v0.0.2

      - name: Setup Certificate
        if: ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
        shell: bash
        run: |
          echo "${{ secrets.WIN_SIGN_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12

      - name: Build Windows Packages
        run: |
          tools pkg build windows --relenv-version=${{ inputs.relenv-version }} --python-version=${{ inputs.python-version }} ${{
            inputs.source == 'onedir' &&
            format(
              '--onedir salt-{0}-onedir-windows-{1}.zip --salt-version {0} --arch {1} {2}',
              inputs.salt-version,
              matrix.arch,
              steps.check-pkg-sign.outputs.sign-pkgs == 'true' && '--sign' || ''
            )
            ||
            format('--salt-version {0} --arch {1}', inputs.salt-version, matrix.arch)
          }}

      - name: Set Artifact Name
        id: set-artifact-name
        shell: bash
        run: |
          if [ "${{ inputs.source }}" != "src" ]; then
            echo "artifact-name-nsis=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-NSIS" >> "$GITHUB_OUTPUT"
            echo "artifact-name-msi=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-MSI" >> "$GITHUB_OUTPUT"
          else
            echo "artifact-name-nsis=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-NSIS-from-src" >> "$GITHUB_OUTPUT"
            echo "artifact-name-msi=salt-${{ inputs.salt-version }}-${{ matrix.arch }}-MSI-from-src" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload ${{ matrix.arch }} NSIS Packages
        uses: actions/upload-artifact@v3
        with:
          name: ${{ steps.set-artifact-name.outputs.artifact-name-nsis }}
          path: pkg/windows/build/Salt-*.exe
          retention-days: 7
          if-no-files-found: error

      - name: Upload ${{ matrix.arch }} MSI Package
        uses: actions/upload-artifact@v3
        with:
          name: ${{ steps.set-artifact-name.outputs.artifact-name-msi }}
          path: pkg/windows/build/Salt-*.msi
          retention-days: 7
          if-no-files-found: error