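# Build & Package: runs tests, security scans and per-platform packaging,
# then publishes a GitHub release when triggered from a `v*` tag.
#
# NOTE(review): every `uses:` below references a mutable major-version tag
# (`@v4`, `@v2`) and every `container:` a mutable image tag. In a pipeline
# that publishes release artefacts, pin actions to a full commit SHA and
# images to a digest so a re-pointed tag cannot change what runs here.
# NOTE(review): `pip install build`, `pip install pynsist` and
# `gem install fpm` pull whatever version is current at build time; consider
# pinning them (ideally with hashes) so release builds are reproducible.
name: Build & Package

on:
  push:
    tags: ['v*']
  workflow_dispatch:

# Least-privilege default for the workflow token; only the `release` job
# raises this to `contents: write`.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    container: python:3.11-slim
    steps:
      - uses: actions/checkout@v4
      # The extras spec is quoted so the shell cannot treat `[dev]` as a glob
      # character class.
      - run: pip install '.[dev]'
      - run: python -m pytest tests/ -q

  security:
    runs-on: ubuntu-latest
    container: python:3.11-slim
    needs: test
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): the trailing `.` looks redundant with `.[security]`;
      # confirm and drop it.
      - run: pip install '.[security]' .
      # `--exit-zero` and `|| true` keep both scanners from failing the job on
      # their own; the pass/fail decision is left to check_results.py below.
      # NOTE(review): `|| true` also hides a pip-audit crash or network error.
      # Confirm check_results.py fails when a report is missing or malformed,
      # otherwise a scanner that never ran would pass the gate.
      - run: bandit -c bandit.yaml -r src/ -f json -o bandit-results.json --exit-zero
      - run: pip-audit -f json -o pip-audit-results.json --desc || true
      - run: python tools/security/check_results.py --bandit bandit-results.json --pip-audit pip-audit-results.json
      # `if: always()` uploads the reports even when the gate above fails, so
      # findings can be triaged from the run's artefacts.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports
          path: |
            bandit-results.json
            pip-audit-results.json

  build-sdist:
    runs-on: ubuntu-latest
    container: python:3.11-slim
    needs: test
    steps:
      - uses: actions/checkout@v4
      - run: pip install build
      - run: python -m build --outdir dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist-sdist
          path: dist/
          # Fail instead of warning when nothing was built, so an incomplete
          # artefact set cannot reach the release job.
          if-no-files-found: error

  build-deb:
    runs-on: ubuntu-latest
    container: debian:bookworm-slim
    needs: test
    steps:
      - uses: actions/checkout@v4
      - name: Install build dependencies
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends \
            python3 python3-pip python3-venv \
            ruby ruby-dev gcc make libffi-dev
          gem install fpm --no-document
      # /out is symlinked to the workspace dist/ directory; presumably
      # build.sh writes its output to /out (verify against the script).
      - name: Build .deb
        run: |
          mkdir -p dist
          ln -sf "$(pwd)/dist" /out
          bash build/linux-deb/build.sh
      - uses: actions/upload-artifact@v4
        with:
          name: dist-deb
          path: dist/*.deb
          # A glob that matches nothing must fail the job, not just warn.
          if-no-files-found: error

  build-rpm:
    runs-on: ubuntu-latest
    container: fedora:41
    needs: test
    steps:
      - uses: actions/checkout@v4
      - name: Install build dependencies
        run: |
          dnf install -y --setopt=install_weak_deps=False \
            python3 python3-pip python3-devel \
            ruby ruby-devel gcc gcc-c++ make rpm-build \
            libffi-devel redhat-rpm-config git
          gem install fpm --no-document
      # Same /out -> dist/ symlink arrangement as the .deb job.
      - name: Build .rpm
        run: |
          mkdir -p dist
          ln -sf "$(pwd)/dist" /out
          bash build/linux-rpm/build.sh
      - uses: actions/upload-artifact@v4
        with:
          name: dist-rpm
          path: dist/*.rpm
          # A glob that matches nothing must fail the job, not just warn.
          if-no-files-found: error

  build-windows:
    runs-on: ubuntu-latest
    container: python:3.12-slim
    needs: test
    steps:
      - uses: actions/checkout@v4
      - name: Install build dependencies
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends nsis
          pip install pynsist
      # Same /out -> dist/ symlink arrangement as the Linux package jobs.
      - name: Build Windows installer
        run: |
          mkdir -p dist
          ln -sf "$(pwd)/dist" /out
          bash build/windows/build.sh
      - uses: actions/upload-artifact@v4
        with:
          name: dist-windows
          path: dist/*.exe
          # A glob that matches nothing must fail the job, not just warn.
          if-no-files-found: error

  release:
    runs-on: ubuntu-latest
    # Publishing waits for every build job and for the security gate.
    needs: [build-sdist, build-deb, build-rpm, build-windows, security]
    # Skipped for manual (workflow_dispatch) runs that are not on a v* tag.
    if: startsWith(github.ref, 'refs/tags/v')
    # Write access is scoped to this job only; it is needed to create the
    # release.
    permissions:
      contents: write
    steps:
      # `pattern: dist-*` excludes the security-reports artefact, so scanner
      # output is not attached to the public release.
      - uses: actions/download-artifact@v4
        with:
          pattern: dist-*
          merge-multiple: true
          path: dist/
      # NOTE(review): the release ships no checksums or provenance for the
      # artefacts; consider publishing a SHA-256 manifest alongside them so
      # consumers can verify downloads.
      - uses: softprops/action-gh-release@v2
        with:
          files: dist/*
          # Refuse to publish a release with no attached files.
          fail_on_unmatched_files: true
          generate_release_notes: true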