unarr/.forgejo/workflows/release.yml

name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

permissions:
  contents: write

jobs:
  release:
    runs-on: docker
    container:
      image: docker.io/library/golang:1.25
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install build deps (bash, curl, jq, ffmpeg fetch deps)
        run: |
          apt-get update
          apt-get install -y --no-install-recommends bash curl ca-certificates jq xz-utils unzip

      - name: Install goreleaser
        run: |
          curl -sSfL https://github.com/goreleaser/goreleaser/releases/latest/download/goreleaser_Linux_x86_64.tar.gz \
            | tar -xz -C /usr/local/bin goreleaser

      - name: Run goreleaser
        env:
          # Forgejo runner injects GITHUB_TOKEN — but goreleaser uses it to talk to
          # the *Forgejo* API thanks to the gitea_urls override in .goreleaser.yml.
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
          # Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
          # accepts it and the resulting binary disables signature checks
          # (back-compat: pre-signing releases continue to update). Set
          # RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
          # to turn verification on.
          RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
        run: goreleaser release --clean

      - name: Sign checksums.txt with ed25519
        if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
        env:
          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
          RELEASE_TAG: ${{ github.ref_name }}
          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Tailscale IP — domain-agnostic; the runner shares the dokploy-network with
          # forgejo (hostname `forgejo`), so the in-cluster hostname is fastest, but the
          # Tailscale IP is the documented fallback.
          FORGEJO_API: http://forgejo:3000/api/v1
          REPO: deivid/unarr
        run: |
          set -euo pipefail
          go run ./scripts/sign-checksums \
            -key "$RELEASE_SIGNING_KEY" \
            -in  dist/checksums.txt \
            -out dist/checksums.txt.sig

          # Find the release ID for this tag, then upload the sig as an asset.
          rel_id=$(curl -sSf "$FORGEJO_API/repos/$REPO/releases/tags/$RELEASE_TAG" \
            -H "Authorization: token $FORGEJO_TOKEN" | jq -r '.id')
          curl -sSf -X POST \
            "$FORGEJO_API/repos/$REPO/releases/$rel_id/assets?name=checksums.txt.sig" \
            -H "Authorization: token $FORGEJO_TOKEN" \
            -F "attachment=@dist/checksums.txt.sig"

  docker:
    needs: release
    runs-on: docker
    container:
      # Docker-in-Docker capable image — buildx + qemu pre-installed.
      image: docker.io/library/docker:27-cli
    steps:
      - uses: actions/checkout@v4

      - name: Install buildx
        run: |
          apk add --no-cache curl
          mkdir -p ~/.docker/cli-plugins
          curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
            -o ~/.docker/cli-plugins/docker-buildx
          chmod +x ~/.docker/cli-plugins/docker-buildx

      - name: Login to Docker Hub
        env:
          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin

      - name: Set up qemu
        run: docker run --rm --privileged tonistiigi/binfmt --install all

      - name: Build + push multi-arch image
        env:
          VERSION: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          VERSION_SEMVER="${VERSION#v}"
          MAJOR_MINOR="${VERSION_SEMVER%.*}"
          docker buildx create --name builder --use --driver docker-container
          docker buildx build \
            --platform linux/amd64,linux/arm64 \
            --build-arg "VERSION=$VERSION" \
            --tag "torrentclaw/unarr:$VERSION_SEMVER" \
            --tag "torrentclaw/unarr:$MAJOR_MINOR" \
            --tag "torrentclaw/unarr:latest" \
            --push \
            .