# For the Firefox development addon, people install it manually,
# and updates are distributed via the JSON file created in this
# action which is stored in the metadata branch of this repo.

name: publish-firefox-development
on:
  workflow_dispatch:
    inputs:
      upload_url:
        description: "The upload_url from the release created by create-prerelease-on-tag.yml"
        required: true
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    environment: cd
    permissions:
      contents: write
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # pin@v1.8
        with:
          tag: ${{ github.ref_name }}
          fileName: "*"

      - name: Sign Firefox xpi for offline distribution
        id: ffSignXpi
        continue-on-error: true
        uses: cardinalby/webext-buildtools-firefox-sign-xpi-action@94a2e58141e33c4306a72a93f191e8540189df92 # pin@v1.0.6
        with:
          timeoutMs: 1200000
          extensionId: ${{ secrets.FF_OFFLINE_EXT_ID }}
          zipFilePath: yomitan-firefox-dev.zip
          xpiFilePath: yomitan-firefox-dev.xpi
          jwtIssuer: ${{ secrets.FF_JWT_ISSUER }}
          jwtSecret: ${{ secrets.FF_JWT_SECRET }}

      - name: Abort on sign error
        if: |
          steps.ffSignXpi.outcome == 'failure' &&
          steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true'
        run: exit 1

      - name: Generate hashes
        id: hash
        run: |
          echo "hashes=$(sha256sum yomitan-firefox-dev.xpi | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload offline xpi release asset
        id: uploadReleaseAsset
        if: steps.ffSignXpi.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ inputs.upload_url }}
          asset_path: yomitan-firefox-dev.xpi
          asset_name: yomitan-firefox-dev.xpi
          asset_content_type: application/x-xpinstall

      # update updates.json so that all people who have the dev version installed get the new update

      - uses: actions/checkout@v4
        with:
          ref: metadata

      - name: Recreate updates.json
        run: |
          cat > updates.json << EOF
          {
              "addons": {
                  "{2d13e145-294e-4ead-9bce-b4644b203a00}": {
                      "updates": [
                          {
                              "version": "${{ github.event.release.name }}",
                              "update_link": "${{ steps.uploadReleaseAsset.browser_download_url }}"
                          }
                      ]
                  }
              }
          }
          EOF

      - name: Commit files
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git commit -a -m "${{ github.event.release.name }} - ${{ github.event.release.html_url }}"

      - name: Push changes
        uses: ad-m/github-push-action@29f05e01bb17e6f28228b47437e03a7b69e1f9ef # pin@master
        with:
          branch: metadata

  provenance:
    needs: [build]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true