name: Release PR

on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - labeled

jobs:
  build:
    # We want to build and upload artifacts only if the `upload to s3` label is applied
    # Only intra-repo PRs are allowed to have PR artifacts uploaded
    # We only want to trigger once the upload once in the case the upload label is added, not when any label is added
    if: |
        github.event.pull_request.head.repo.full_name == 'DeterminateSystems/flake-checker'
        && (
          (github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
          || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
        )
    uses: ./.github/workflows/build.yaml

  release:
    needs: build
    concurrency: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write # In order to request a JWT for AWS auth
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Create the artifacts directory
        run: rm -rf ./artifacts && mkdir ./artifacts

      - uses: actions/download-artifact@v4.1.7
        with:
          name: flake-checker-ARM64-macOS
          path: cache-binary-ARM64-macOS
      - name: Persist the cache binary
        run: cp ./cache-binary-ARM64-macOS/flake-checker ./artifacts/flake-checker-ARM64-macOS

      - uses: actions/download-artifact@v4.1.7
        with:
          name: flake-checker-X64-macOS
          path: cache-binary-X64-macOS
      - name: Persist the cache binary
        run: cp ./cache-binary-X64-macOS/flake-checker ./artifacts/flake-checker-X64-macOS

      - uses: actions/download-artifact@v4.1.7
        with:
          name: flake-checker-X64-Linux
          path: cache-binary-X64-Linux
      - name: Persist the cache binary
        run: cp ./cache-binary-X64-Linux/flake-checker ./artifacts/flake-checker-X64-Linux

      - uses: actions/download-artifact@v4.1.7
        with:
          name: flake-checker-ARM64-Linux
          path: cache-binary-ARM64-Linux
      - name: Persist the cache binary
        run: cp ./cache-binary-ARM64-Linux/flake-checker ./artifacts/flake-checker-ARM64-Linux

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
          aws-region: us-east-2
      - name: Publish Release (PR)
        env:
          AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
        run: |
          .github/workflows/upload_s3.sh pr "${{ github.event.pull_request.number }}" "${{ github.event.pull_request.head.sha }}"