name: Build GitOps Migrate

on:
  push:
    branches: [main]
    paths: [
      'cmd/gitops-migrate/**/*.go',
      '.github/workflows/build-gitops-migrate.yml'
    ]

concurrency:
  # Only allow a single occurrence of this job to run at any given time.
  group: ${{ github.workflow }} # Group: 'Build GitOps Migrate'
  # Newly queued runs terminate existing in-progress runs.
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build:
    name: (${{ matrix.GOOS }})(${{ matrix.GOARCH }})
    runs-on: ubuntu-latest
    env:
      # Ex: gitops-migrate-windows-amd64.exe
      BIN_NAME: gitops-migrate-${{ matrix.GOOS }}-${{ matrix.GOARCH }}${{ matrix.GOOS == 'windows' && '.exe' || '' }}
      # Ex: gitops-migrate-windows-amd64.exe.sha256
      BIN_HASH_NAME: gitops-migrate-${{ matrix.GOOS }}-${{ matrix.GOARCH }}${{ matrix.GOOS == 'windows' && '.exe' || '' }}.sha256
      # This serves as the root path we `aws s3 cp` all built binaries to.
      S3_URI: s3://download/tools/
    strategy:
      fail-fast: true
      matrix:
        include:
          # Define the OS and architecture permutations we want to build for.
          - GOOS: windows
            GOARCH: amd64
          - GOOS: windows
            GOARCH: arm64
          - GOOS: linux
            GOARCH: amd64
          - GOOS: linux
            GOARCH: arm64
          - GOOS: darwin
            GOARCH: arm64
          - GOOS: darwin
            GOARCH: amd64
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Checkout Repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: cmd/gitops-migrate

      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version-file: go.mod

      - name: Build GitOps Migrate
        shell: bash
        env:
          GOOS: ${{ matrix.GOOS }}
          GOARCH: ${{ matrix.GOARCH }}
        run: go build -o ${{ env.BIN_NAME }} ./cmd/gitops-migrate

      - name: Produce SHA-256 Hash of Built Binary
        shell: bash
        run: sha256sum ${{ env.BIN_NAME }} > ${{ env.BIN_HASH_NAME }}

      - name: Upload Binary Artifact
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
        with:
          name: gitops-migrate-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
          path: |-
            ${{ env.BIN_NAME }}
            ${{ env.BIN_HASH_NAME }}

      - name: Upload Binary & SHA-256 Hash to Cloudflare R2 Bucket
        shell: bash
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }}
          AWS_ENDPOINT_URL: ${{ secrets.R2_ENDPOINT }}
          AWS_DEFAULT_REGION: auto
        run: |-
          aws s3 cp '${{ env.BIN_NAME }}' '${{ env.S3_URI }}'
          aws s3 cp '${{ env.BIN_HASH_NAME }}' '${{ env.S3_URI }}'