# Runs on releases

name: Publish release
on:
  release:
    types: [published]
permissions:
  contents: read

jobs:
  stable:
    runs-on: ubuntu-latest
    name: Write release to stable branch
    permissions:
      contents: write
      pull-requests: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
      - name: Version Check
        run: |
          pip install --require-hashes -r contrib/dev_reqs/requirements.txt
          python3 .github/scripts/version_check.py
      - name: Push to Stable Branch
        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # pin@v0.8.0
        if: env.stable_release == 'true'
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: stable
          force: true

  build:
    runs-on: ubuntu-latest
    name: Build and attest frontend
    permissions:
      id-token: write
      contents: write
      attestations: write
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
      - name: Environment Setup
        uses: ./.github/actions/setup
        with:
          npm: true
      - name: Install dependencies
        run: cd src/frontend && yarn install
      - name: Build frontend
        run: cd src/frontend && npm run compile && npm run build
      - name: Create SBOM for frontend
        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # pin@v0
        with:
          artifact-name: frontend-build.spdx
          path: src/frontend
      - name: Write version file - SHA
        run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt
      - name: Write version file - TAG
        run: cd src/backend/InvenTree/web/static/web/.vite && echo "${{ github.ref_name }}" > tag.txt
      - name: Zip frontend
        run: |
          cd src/backend/InvenTree/web/static/web
          zip -r ../frontend-build.zip * .vite
      - name: Attest Build Provenance
        id: attest
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # pin@v1
        with:
          subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip"

      - name: Upload frontend
        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: src/backend/InvenTree/web/static/frontend-build.zip
          asset_name: frontend-build.zip
          tag: ${{ github.ref }}
          overwrite: true
      - name: Upload Attestation
        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          asset_name: frontend-build.intoto.jsonl
          file: ${{ steps.attest.outputs.bundle-path}}
          tag: ${{ github.ref }}
          overwrite: true