name: Build and Release

on:
  release:
    types: [created]

jobs:
  build:
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Swift
        uses: swift-actions/setup-swift@v2
        with:
          swift-version: "6.0"

      - name: Install Certificate
        env:
          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          # Create temporary keychain
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import certificate
          CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$CERTIFICATE_PATH"

          security import "$CERTIFICATE_PATH" \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -A -t cert -f pkcs12 \
            -k "$KEYCHAIN_PATH"

          security list-keychain -d user -s "$KEYCHAIN_PATH"

          # Allow codesign to access keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: \
            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

      - name: Build Release Binary
        run: swift build -c release --product AppleIntelligenceApp

      - name: Create App Bundle
        run: |
          APP_NAME="Apple Intelligence Server"
          VERSION="${GITHUB_REF_NAME#v}"

          mkdir -p "dist/$APP_NAME.app/Contents/MacOS"
          mkdir -p "dist/$APP_NAME.app/Contents/Resources"

          cp .build/release/AppleIntelligenceApp "dist/$APP_NAME.app/Contents/MacOS/$APP_NAME"

          cat > "dist/$APP_NAME.app/Contents/Info.plist" << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>CFBundleExecutable</key>
              <string>$APP_NAME</string>
              <key>CFBundleIdentifier</key>
              <string>com.svrnty.apple-intelligence-server</string>
              <key>CFBundleName</key>
              <string>$APP_NAME</string>
              <key>CFBundlePackageType</key>
              <string>APPL</string>
              <key>CFBundleShortVersionString</key>
              <string>$VERSION</string>
              <key>CFBundleVersion</key>
              <string>1</string>
              <key>LSMinimumSystemVersion</key>
              <string>26.0</string>
              <key>LSUIElement</key>
              <true/>
              <key>NSHighResolutionCapable</key>
              <true/>
              <key>NSLocalNetworkUsageDescription</key>
              <string>Apple Intelligence Server needs local network access to accept connections from other devices.</string>
              <key>NSPrincipalClass</key>
              <string>NSApplication</string>
          </dict>
          </plist>
          EOF

          echo -n "APPL????" > "dist/$APP_NAME.app/Contents/PkgInfo"

      - name: Sign App
        run: |
          codesign --deep --force --verify --verbose \
            --options runtime \
            --sign "Developer ID Application: Mathias Beaulieu-Duncan (LD76P8L42W)" \
            "dist/Apple Intelligence Server.app"

      - name: Create DMG
        run: |
          VERSION="${GITHUB_REF_NAME#v}"

          mkdir -p dist/dmg-temp
          cp -R "dist/Apple Intelligence Server.app" dist/dmg-temp/
          ln -s /Applications dist/dmg-temp/Applications

          hdiutil create -volname "Apple Intelligence Server" \
            -srcfolder dist/dmg-temp \
            -ov -format UDRW dist/temp.dmg

          hdiutil convert dist/temp.dmg -format UDZO \
            -o "dist/AppleIntelligenceServer-$VERSION.dmg"

          rm -rf dist/dmg-temp dist/temp.dmg

      - name: Sign DMG
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          codesign --force \
            --sign "Developer ID Application: Mathias Beaulieu-Duncan (LD76P8L42W)" \
            "dist/AppleIntelligenceServer-$VERSION.dmg"

      - name: Notarize DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          VERSION="${GITHUB_REF_NAME#v}"

          xcrun notarytool submit "dist/AppleIntelligenceServer-$VERSION.dmg" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

      - name: Staple DMG
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          xcrun stapler staple "dist/AppleIntelligenceServer-$VERSION.dmg"

      - name: Upload to Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          gh release upload "$GITHUB_REF_NAME" \
            "dist/AppleIntelligenceServer-$VERSION.dmg" \
            --clobber