# For the Firefox development addon, people install it manually,
# and updates are distributed via the JSON file created in this
# action which is stored in the metadata branch of this repo.

name: publish-firefox-development
on:
  workflow_dispatch:
    inputs:
      upload_url:
        description: "The upload_url from the release created by create-prerelease-on-tag.yml"
        required: true
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    environment: cd
    permissions:
      contents: write
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: robinraju/release-downloader@368754b9c6f47c345fcfbf42bcb577c2f0f5f395 # pin@v1.9
        with:
          tag: ${{ github.ref_name }}
          fileName: "*"

      - name: Sign Firefox xpi for offline distribution
        id: ffSignXpi
        continue-on-error: true
        uses: cardinalby/webext-buildtools-firefox-sign-xpi-action@ed44ff06ca9eae47ac45dd34b12833379b683c78 # pin@v1.0.7
        with:
          timeoutMs: 1200000
          extensionId: ${{ secrets.FF_OFFLINE_EXT_ID }}
          zipFilePath: yomitan-firefox-dev.zip
          xpiFilePath: yomitan-firefox-dev.xpi
          jwtIssuer: ${{ secrets.FF_JWT_ISSUER }}
          jwtSecret: ${{ secrets.FF_JWT_SECRET }}

      - name: Abort on sign error
        if: |
          steps.ffSignXpi.outcome == 'failure' &&
          steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true'
        run: exit 1

      - name: Generate hashes
        id: hash
        run: |
          echo "hashes=$(sha256sum yomitan-firefox-dev.xpi | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload offline xpi release asset
        id: uploadReleaseAsset
        if: steps.ffSignXpi.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ inputs.upload_url }}
          asset_path: yomitan-firefox-dev.xpi
          asset_name: yomitan-firefox-dev.xpi
          asset_content_type: application/x-xpinstall

      # update updates.json so that all people who have the dev version installed get the new update

      - uses: actions/checkout@v4
        with:
          ref: metadata

      - name: Recreate updates.json
        run: |
          cat > updates.json << EOF
          {
              "addons": {
                  "{2d13e145-294e-4ead-9bce-b4644b203a00}": {
                      "updates": [
                          {
                              "version": "${{ github.ref_name }}",
                              "update_link": "${{ steps.uploadReleaseAsset.outputs.browser_download_url }}"
                          }
                      ]
                  }
              }
          }
          EOF

      - name: Commit files
        continue-on-error: true
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git commit -a -m "${{ github.ref_name }}"

      - name: Push changes
        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # pin@master
        with:
          branch: metadata

  provenance:
    needs: [build]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true