name: Void Linux XBPS Repository

on:
  push:
    paths:
      - 'distro/void/srcpkgs/**'
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      force_rebuild:
        description: 'Force rebuilding packages even if they already exist in the repository'
        type: boolean
        required: false
        default: false
      build_git:
        description: 'Build dms-git package'
        type: boolean
        required: false
        default: true
      build_dms:
        description: 'Build stable dms package'
        type: boolean
        required: false
        default: true
      build_greeter:
        description: 'Build stable dms-greeter package'
        type: boolean
        required: false
        default: true

permissions:
  contents: write

jobs:
  build-and-deploy:
    name: Build & Deploy XBPS packages
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Checkout gh-pages branch
        run: |
          git clone --branch gh-pages https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git gh-pages-repo || {
            echo "⚠️ gh-pages branch not found or empty, initializing a new one..."
            mkdir gh-pages-repo
            cd gh-pages-repo
            git init
            git checkout -b gh-pages
            git remote add origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
            cd ..
          }

      - name: Install XBPS Static Utilities
        run: |
          mkdir -p ${{ github.workspace }}/xbps
          curl -s -L https://repo-default.voidlinux.org/static/xbps-static-latest.x86_64-musl.tar.xz | tar -xJ -C ${{ github.workspace }}/xbps
          echo "${{ github.workspace }}/xbps/usr/bin" >> $GITHUB_PATH

      - name: Clone void-packages
        run: |
          git clone --depth=1 https://github.com/void-linux/void-packages.git

      - name: Inject templates
        run: |
          cp -R distro/void/srcpkgs/dms void-packages/srcpkgs/
          cp -R distro/void/srcpkgs/dms-greeter void-packages/srcpkgs/
          cp -R distro/void/srcpkgs/dms-git void-packages/srcpkgs/

      - name: Enable unprivileged user namespaces (Ubuntu 24.04)
        run: |
          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true

      - name: Bootstrap xbps-src
        run: |
          cd void-packages
          ./xbps-src binary-bootstrap

      - name: Configure signing keys and trust
        run: |
          # Write private key; extract and register the public key
          echo "${{ secrets.XBPS_PRIVATE_KEY }}" > /tmp/xbps_privkey.pem
          chmod 600 /tmp/xbps_privkey.pem
          
          # Extract public key in PEM format
          openssl rsa -in /tmp/xbps_privkey.pem -pubout -out /tmp/dms-key.pub
          rm -f /tmp/xbps_privkey.pem
          
          # Compute MD5 fingerprint in colon-separated hex format
          FINGERPRINT=$(openssl rsa -pubin -in /tmp/dms-key.pub -outform DER 2>/dev/null | openssl dgst -md5 -c | tr '[:upper:]' '[:lower:]' | awk '{print $NF}')
          
          # Format key in XML property list (plist) format as expected by xbps
          mkdir -p /tmp/keys
          cat <<EOF > "/tmp/keys/${FINGERPRINT}.plist"
          <?xml version="1.0" encoding="UTF-8"?>
          <plist version="1.0">
          <dict>
          	<key>public-key</key>
          	<data>$(base64 -w0 /tmp/dms-key.pub)</data>
          	<key>public-key-size</key>
          	<integer>4096</integer>
          	<key>signature-by</key>
          	<string>AvengeMedia</string>
          </dict>
          </plist>
          EOF

          # Copy keys to all host and chroot trust stores
          sudo mkdir -p /var/db/xbps/keys
          sudo cp "/tmp/keys/${FINGERPRINT}.plist" "/var/db/xbps/keys/${FINGERPRINT}.plist"
          
          mkdir -p void-packages/masterdir/var/db/xbps/keys
          cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/masterdir/var/db/xbps/keys/${FINGERPRINT}.plist"
          
          mkdir -p void-packages/etc/xbps.d/keys
          cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/etc/xbps.d/keys/${FINGERPRINT}.plist"
          
          mkdir -p void-packages/common/repo-keys
          cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/common/repo-keys/${FINGERPRINT}.plist"
          
          rm -rf /tmp/keys /tmp/dms-key.pub

      - name: Configure repositories
        run: |
          # Append the repository to repos-remote templates so xbps-src translates it automatically
          echo "repository=https://avengemedia.github.io/DankLinux/current" >> void-packages/etc/xbps.d/repos-remote.conf
          echo "repository=https://avengemedia.github.io/DankLinux/current" >> void-packages/etc/xbps.d/repos-remote-x86_64-multilib.conf
          
          # Add any existing compiled packages to the build cache directory to avoid rebuilds
          if [ -d "gh-pages-repo/current" ]; then
            mkdir -p void-packages/hostdir/binpkgs
            cp -L gh-pages-repo/current/*.xbps void-packages/hostdir/binpkgs/ 2>/dev/null || true
            xbps-rindex -a void-packages/hostdir/binpkgs/*.xbps 2>/dev/null || true
          fi

      - name: Build packages
        run: |
          mkdir -p gh-pages-repo/current
          
          BUILD_DMS="${{ github.event.inputs.build_dms || 'true' }}"
          BUILD_GREETER="${{ github.event.inputs.build_greeter || 'true' }}"
          BUILD_GIT="${{ github.event.inputs.build_git || 'true' }}"
          FORCE_REBUILD="${{ github.event.inputs.force_rebuild || 'false' }}"
          
          if [ "${{ github.event_name }}" = "push" ]; then
            BUILD_DMS="false"
            BUILD_GREETER="false"
            BUILD_GIT="true"
          fi
          
          if [ "${{ github.event_name }}" = "release" ]; then
            BUILD_DMS="true"
            BUILD_GREETER="true"
            BUILD_GIT="false"
          fi
          
          echo "=== Starting Builds ==="
          echo "DMS stable build enabled:     $BUILD_DMS"
          echo "Greeter stable build enabled: $BUILD_GREETER"
          echo "Git build enabled:            $BUILD_GIT"
          echo "Force rebuild:                $FORCE_REBUILD"
          
          cd void-packages
          
          # 1. Build dms-git (development package)
          if [ "$BUILD_GIT" = "true" ]; then
            # Calculate dynamic git version (tag.commits.hash)
            GIT_VER=$(git -C .. describe --tags --always | sed 's/^v//; s/-/./g')
            echo "🔨 Preparing dms-git version $GIT_VER"
            
            # Stage source tarball in the xbps-src source cache.
            # --transform adds a top-level directory so xbps-src can extract
            # into $wrksrc (create_wrksrc=yes handles the rest).
            SRC_CACHE="hostdir/sources/dms-git-${GIT_VER}"
            mkdir -p "$SRC_CACHE"
            tar -czf "${SRC_CACHE}/dms-git-${GIT_VER}.tar.gz" \
              --exclude=void-packages \
              --exclude=gh-pages-repo \
              --exclude=.git \
              --exclude=danklinux \
              -C .. .
              
            CHECKSUM=$(sha256sum "${SRC_CACHE}/dms-git-${GIT_VER}.tar.gz" | cut -d' ' -f1)
            
            # Dynamically patch template version, checksum, and distfiles
            sed -i "s/^version=.*/version=${GIT_VER}/" srcpkgs/dms-git/template
            sed -i "s/^checksum=.*/checksum=${CHECKSUM}/" srcpkgs/dms-git/template
            sed -i "s|^distfiles=.*|distfiles=\"dms-git-${GIT_VER}.tar.gz\"|" srcpkgs/dms-git/template
            
            EXPECTED_GIT_FILE="dms-git-${GIT_VER}_1.x86_64.xbps"
            
            if [ -f "../gh-pages-repo/current/$EXPECTED_GIT_FILE" ] && [ "$FORCE_REBUILD" != "true" ]; then
              echo "✅ $EXPECTED_GIT_FILE already exists, skipping build."
            else
              echo "🔨 Compiling dms-git..."
              ./xbps-src pkg dms-git
              rm -f "../gh-pages-repo/current/${EXPECTED_GIT_FILE}"
              cp -L hostdir/binpkgs/dms-git-*.xbps ../gh-pages-repo/current/
            fi
          fi
          
          # 2. Build stable dms package
          if [ "$BUILD_DMS" = "true" ]; then
            STABLE_VER=$(grep -E '^version=' srcpkgs/dms/template | cut -d= -f2 | tr -d '"')
            STABLE_REV=$(grep -E '^revision=' srcpkgs/dms/template | cut -d= -f2 | tr -d '"')
            
            EXPECTED_DMS_FILE="dms-${STABLE_VER}_${STABLE_REV}.x86_64.xbps"
            if [ -f "../gh-pages-repo/current/$EXPECTED_DMS_FILE" ] && [ "$FORCE_REBUILD" != "true" ]; then
              echo "✅ $EXPECTED_DMS_FILE already exists, skipping build."
            else
              echo "🔨 Compiling dms ($STABLE_VER)..."
              ./xbps-src pkg dms
              rm -f "../gh-pages-repo/current/${EXPECTED_DMS_FILE}"
              cp -L hostdir/binpkgs/dms-${STABLE_VER}_${STABLE_REV}.x86_64.xbps ../gh-pages-repo/current/
            fi
          fi
          
          # 3. Build stable dms-greeter package
          if [ "$BUILD_GREETER" = "true" ]; then
            GREETER_VER=$(grep -E '^version=' srcpkgs/dms-greeter/template | cut -d= -f2 | tr -d '"')
            GREETER_REV=$(grep -E '^revision=' srcpkgs/dms-greeter/template | cut -d= -f2 | tr -d '"')
            
            EXPECTED_GREETER_FILE="dms-greeter-${GREETER_VER}_${GREETER_REV}.x86_64.xbps"
            if [ -f "../gh-pages-repo/current/$EXPECTED_GREETER_FILE" ] && [ "$FORCE_REBUILD" != "true" ]; then
              echo "✅ $EXPECTED_GREETER_FILE already exists, skipping build."
            else
              echo "🔨 Compiling dms-greeter ($GREETER_VER)..."
              ./xbps-src pkg dms-greeter
              rm -f "../gh-pages-repo/current/${EXPECTED_GREETER_FILE}"
              cp -L hostdir/binpkgs/dms-greeter-${GREETER_VER}_${GREETER_REV}.x86_64.xbps ../gh-pages-repo/current/
            fi
          fi

      - name: Index and sign repository
        run: |
          cd gh-pages-repo/current
          
          # Clean up any stale or dangling signature files to prevent O_CREAT ENOENT errors
          rm -f *.sig2 *.sig
          
          # Guard: nothing to index if no .xbps files exist
          if ! ls *.xbps 1>/dev/null 2>&1; then
            echo "⚠️ No .xbps files found to index, skipping."
            exit 0
          fi
          
          # Regenerate repo index
          xbps-rindex -a $(pwd)/*.xbps
          
          # Sign repository
          echo "${{ secrets.XBPS_PRIVATE_KEY }}" > /tmp/xbps_privkey.pem
          chmod 600 /tmp/xbps_privkey.pem
          
          xbps-rindex --sign --signedby "AvengeMedia <AvengeMedia.US@gmail.com>" --privkey /tmp/xbps_privkey.pem $(pwd)
          xbps-rindex --sign-pkg --privkey /tmp/xbps_privkey.pem $(pwd)/*.xbps
          
          rm -f /tmp/xbps_privkey.pem

      - name: Deploy to gh-pages branch
        run: |
          cd gh-pages-repo
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add current/
          git diff --quiet && git diff --staged --quiet || (git commit -m "Update XBPS packages [skip ci]" && git push origin gh-pages)