name: Build Binaries

permissions:
  contents: read

on:
  workflow_call:
    inputs:
      ref:
        required: true
        description: "GitHub ref to use"
        type: string
      os:
        required: true
        description: "Target OS (i.e.: GOOS)"
        type: string
      arch:
        required: true
        description: "Target Architecture (i.e.: GOARCH)"
        type: string
      build-platform:
        required: false
        default: ubuntu-latest
        description: 'Build platform (i.e.: runs-on) for job'
        type: string
      dev-version:
        required: false
        description: "Dev version to bake into the binary"
        type: string
      version:
        required: true
        description: "Version to produce"
        type: string
      version-set:
        required: true
        description: "Set of language versions to use for builds, lints, releases, etc."
        type: string
      enable-coverage:
        description: "Build coverage instrumented binaries"
        default: false
        required: false
        type: boolean
      enable-race-detection:
        description: "Build binaries with race detection"
        default: false
        required: false
        type: boolean

defaults:
  run:
    shell: bash

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  build:
    name: ${{ inputs.os }}-${{ inputs.arch }}
    runs-on: ${{ inputs.build-platform }}

    permissions:
      id-token: write

    steps:
      - name: "Windows cache workaround"
        # https://github.com/actions/cache/issues/752#issuecomment-1222415717
        # but only modify the path by adding tar.exe
        if: ${{ runner.os == 'Windows' }}
        env:
          TOOL_BIN: ${{ runner.temp }}/tar-bin
        run: |
          set -x
          mkdir -p "${TOOL_BIN}"
          cp "C:/Program Files/Git/usr/bin/tar.exe" "${TOOL_BIN}"
          PATH="${TOOL_BIN}:${PATH}"
          echo "$TOOL_BIN" | tee -a "$GITHUB_PATH"
          command -v tar
          tar --version
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - name: Configure Go Cache Key
        env:
          CACHE_KEY: "${{ fromJson(inputs.version-set).go }}-${{ runner.os }}-${{ runner.arch }}"
        run: echo "$CACHE_KEY" > .gocache.tmp
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ fromJson(inputs.version-set).go }}
          check-latest: true
          cache: true
          cache-dependency-path: |
            pkg/go.sum
            .gocache.tmp
      - name: Setup versioning env vars
        run: |
          ./scripts/versions.sh | tee -a "${GITHUB_ENV}"
      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          install-only: true
          distribution: goreleaser-pro
      - name: Prepare bin dir for goreleaser
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GOOS: ${{ inputs.os }}
          GOARCH: ${{ inputs.arch }}
        run: ./scripts/prep-for-goreleaser.sh local
      - name: Show files and permissions
        if: ${{ runner.os != 'macOS'}}
        run: find bin -type f -printf "%M    %p/"\\n
      - name: Show files and permissions
        if: ${{ runner.os == 'macOS'}}
        run: |
          brew install findutils
          gfind bin -type f -printf "%M    %p/"\\n
      - name: Package
        shell: bash
        env:
          GORELEASER_CURRENT_TAG: v${{ inputs.version }}
          PULUMI_VERSION: ${{ inputs.dev-version || inputs.version }}
          PULUMI_BUILD_MODE: ${{ inputs.enable-coverage && 'coverage' || 'normal' }}
          PULUMI_ENABLE_RACE_DETECTION: ${{ inputs.enable-race-detection && 'true' || 'false' }}
        run: |
          set -euxo pipefail
          # Spurious, this command requires piping via stdin
          # shellcheck disable=SC2002
          cat .goreleaser.yml \
            | go run github.com/t0yv0/goreleaser-filter@v0.3.0 -goos ${{ inputs.os }} -goarch ${{ inputs.arch }} \
            | goreleaser release -f - -p 5 --skip=validate --clean --snapshot
      - uses: actions/upload-artifact@v4
        if: ${{ inputs.os != 'js' }}
        with:
          name: artifacts-cli-${{ inputs.os }}-${{ inputs.arch }}
          overwrite: true
          retention-days: 1
          path: |
            goreleaser/*.tar.gz
            goreleaser/*.zip