name: package-extension

on:
  workflow_dispatch:

jobs:
  build:
    name: Build unsigned bundle
    runs-on: ubuntu-latest
    environment: "Default"
    permissions:
      contents: write
    env:
      AMO_JWT_ISSUER: ${{ secrets.AMO_JWT_ISSUER }}
      AMO_JWT_SECRET: ${{ secrets.AMO_JWT_SECRET }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install web-ext
        run: npm install --global web-ext

      - name: Build unsigned archive
        run: web-ext build --source-dir ./extension --artifacts-dir ./web-ext-artifacts

      - name: Determine version
        run: |
          VERSION=$(node -pe "require('./extension/manifest.json').version")
          echo "VERSION=${VERSION}" >> $GITHUB_ENV
          echo "TAG=v${VERSION}-${GITHUB_RUN_ID}" >> $GITHUB_ENV

      - name: Rename unsigned archive
        run: |
          ZIP_PATH=$(ls web-ext-artifacts/*.zip)
          mv "$ZIP_PATH" "web-ext-artifacts/frontpage-submitter-${VERSION}.zip"

      - name: Upload unsigned artifact
        uses: actions/upload-artifact@v4
        with:
          name: frontpage-extension-unsigned
          path: web-ext-artifacts/frontpage-submitter-${{ env.VERSION }}.zip

      - name: Sign using AMO (optional)
        env:
          WEB_EXT_API_KEY: ${{ env.AMO_JWT_ISSUER }}
          WEB_EXT_API_SECRET: ${{ env.AMO_JWT_SECRET }}
          WEB_EXT_ID: frontpage-submitter@example.com
        run: |
          if [ -z "${WEB_EXT_API_KEY}" ] || [ -z "${WEB_EXT_API_SECRET}" ]; then
            echo "AMO credentials not provided. Skipping signing step."
            exit 0
          fi
          set +e
          web-ext sign \
            --channel=unlisted \
            --source-dir ./extension \
            --artifacts-dir ./web-ext-artifacts 2>&1 | tee ./sign.log
          rc=${PIPESTATUS[0]}
          set -e
          if [ $rc -ne 0 ]; then
            if grep -q "Version ${VERSION} already exists" ./sign.log; then
              echo "AMO already has version ${VERSION}; skipping signing."
              exit 0
            fi
            echo "Signing failed:"
            cat ./sign.log
            exit $rc
          fi

      - name: Rename signed archive (optional)
        if: ${{ hashFiles('web-ext-artifacts/*.xpi') != '' }}
        run: |
          XPI_PATH=$(ls web-ext-artifacts/*.xpi)
          mv "$XPI_PATH" "web-ext-artifacts/frontpage-submitter-${VERSION}.xpi"

      - name: Upload signed artifact (optional)
        if: ${{ hashFiles('web-ext-artifacts/*.xpi') != '' }}
        uses: actions/upload-artifact@v4
        with:
          name: frontpage-extension-signed
          path: web-ext-artifacts/*.xpi

      - name: Create GitHub release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.TAG }}
          name: Frontpage Submitter ${{ env.VERSION }} (build ${{ github.run_number }})
          draft: false
          prerelease: true
          generate_release_notes: false
          files: |
            web-ext-artifacts/*.zip
            web-ext-artifacts/*.xpi
          fail_on_unmatched_files: false