name: Build ripunzip

on:
  workflow_dispatch:
    inputs:
      ripunzip-version:
        description: What reference to checkout from google/ripunzip. Latest by default
        required: false
      openssl-version:
        description: What reference to checkout from openssl/openssl for Linux. Latest by default
        required: false
      open-pr:
        description: Open a pull request updating the ripunzip versions committed to lfs
        required: false
        default: true  # will be false on PRs
  pull_request:
    paths:
      - .github/workflows/build-ripunzip.yml

permissions: {}
  
jobs:
  versions:
    runs-on: ubuntu-slim
    outputs:
      ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }}
      openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }}
    steps:
      - name: Fetch latest ripunzip version
        id: fetch-ripunzip-version
        if: "!inputs.ripunzip-version"
        run: &fetch-version
          echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT
        env:
          REPO: "google/ripunzip"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Fetch latest openssl version
        id: fetch-openssl-version
        if: "!inputs.openssl-version"
        run: *fetch-version
        env:
          REPO: "openssl/openssl"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  build:
    needs: versions
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04  # keep at lowest supported ubuntu version for broader glibc compatibility
          - macos-15
          - windows-2025
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          repository: google/ripunzip
          ref: ${{ needs.versions.outputs.ripunzip-version }}
      # we need to avoid ripunzip dynamically linking into libssl
      # see https://github.com/sfackler/rust-openssl/issues/183
      - if: runner.os == 'Linux'
        name: checkout openssl
        uses: actions/checkout@v5
        with:
          repository: openssl/openssl
          path: openssl
          ref: ${{ needs.versions.outputs.openssl-version }}
      - if: runner.os == 'Linux'
        name: build and install openssl with fPIC
        shell: bash
        working-directory: openssl
        run: |
          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
          make -j $(nproc)
          make install_sw -j $(nproc)
      - if: runner.os == 'Linux'
        name: build (linux)
        shell: bash
        run: |
          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
          mv target/release/ripunzip ripunzip-linux
      - if: runner.os == 'Windows'
        name: build (windows)
        shell: bash
        run: |
          cargo build --release
          mv target/release/ripunzip ripunzip-windows
      - name: build (macOS)
        if: runner.os == 'macOS'
        shell: bash
        run: |
          rustup target install x86_64-apple-darwin
          rustup target install aarch64-apple-darwin
          cargo build --target x86_64-apple-darwin --release
          cargo build --target aarch64-apple-darwin --release
          lipo -create -output ripunzip-macos \
            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
      - name: Archive
        shell: bash
        run: |
          tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]')
      - name: Upload built binary
        uses: actions/upload-artifact@v4
        with:
          name: ripunzip-${{ runner.os }}
          path: ripunzip-${{ runner.os }}.tar.zst
          retention-days: 5
          compression: 0
      - name: Check built binary
        shell: bash
        run: |
          rm -f ripunzip-*.tar.zst
          ./ripunzip-* --version
  publish:
    needs: [versions, build]
    if: inputs.open-pr == 'true'
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-slim
    steps:
      # workaround for git-lfs not being installed yet on ubuntu-slim runners
      - name: Ensure git-lfs is installed
        shell: bash
        run: |
          if which git-lfs &>/dev/null; then
            echo "git-lfs is already installed"
            exit 0
          fi
          cd $TMP
          gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber
          tar xzf git-lfs-linux-amd64-*.tar.gz
          rm git-lfs-linux-amd64-*.tar.gz
          cd git-lfs-*
          pwd | tee -a $GITHUB_PATH
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v5
        with:
          sparse-checkout: |
            .github
            misc/ripunzip
          lfs: true
      - name: Download built binaries
        uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          path: misc/ripunzip
      - name: Open PR
        shell: bash
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git switch -c update-ripunzip
          git add misc/ripunzip
          git commit -m "Update ripunzip binaries to version $VERSION"
          git push --set-upstream origin update-ripunzip --force
          TITLE="Update ripunzip binaries to version $VERSION"
          gh pr create \
            --draft \
            --title "$TITLE" \
            --body "Automated update of ripunzip binaries." \
            --assignee "$ACTOR" ||
              (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo)
        env:
          ACTOR: ${{ github.actor }}
          VERSION: ${{ needs.versions.outputs.ripunzip-version }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}