.github/workflows/build.yml

name: Build

on:
  push:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - name: Lint
        uses: ./.github/actions/lint

  test:
    runs-on: ubuntu-latest
    needs: [lint]

    services:
      postgres:
        image: postgres:alpine
        ports:
          - 5432:5432
        env:
          POSTGRES_USER: fief
          POSTGRES_PASSWORD: fiefpassword
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

      mariadb:
        image: mariadb
        ports:
          - 3306:3306
        env:
          MARIADB_ROOT_PASSWORD: fiefpassword

      mysql:
        image: mysql
        ports:
          - 3307:3306
        env:
          MYSQL_ROOT_PASSWORD: fiefpassword

    strategy:
      fail-fast: false
      matrix:
        include:
          - name: POSTGRESQL
            database_type: POSTGRESQL
            database_host: localhost
            database_port: 5432
            database_username: fief
            database_password: fiefpassword
            database_ssl_mode: disable
          - name: MARIADB
            database_type: MYSQL
            database_host: localhost
            database_port: 3306
            database_username: root
            database_password: fiefpassword
            database_ssl_mode: DISABLED
          - name: MYSQL
            database_type: MYSQL
            database_host: localhost
            database_port: 3307
            database_username: root
            database_password: fiefpassword
            database_ssl_mode: DISABLED
          - name: SQLITE
            database_type: SQLITE
            database_host: null
            database_port: null
            database_username: null
            database_password: null
            database_ssl_mode: null

    steps:
      - uses: actions/checkout@v4
      - name: Test with ${{ matrix.name }} database
        uses: ./.github/actions/test
        with:
          database_type: ${{ matrix.database_type }}
          database_host: ${{ matrix.database_host }}
          database_port: ${{ matrix.database_port }}
          database_username: ${{ matrix.database_username }}
          database_password: ${{ matrix.database_password }}
          database_name: fief
          codecov_token: ${{ secrets.CODECOV_TOKEN }}

  pypi-release:
    runs-on: ubuntu-latest
    needs: [test]
    if: startsWith(github.ref, 'refs/tags/')

    steps:
      - uses: actions/checkout@v4
      - name: Set up Python 3.12
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        shell: bash
        run: |
          python -m pip install --upgrade pip
          pip install hatch
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install Node dependencies
        shell: bash
        run: |
          npm ci
      - name: Compile translations, build assets and set telemetry key
        shell: bash
        env:
          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
        run: |
          hatch run translations.compile
          hatch run static.build
          hatch run telemetry.set-posthog-key $POSTHOG_API_KEY
      - name: Build and publish on PyPI
        env:
          HATCH_INDEX_USER: ${{ secrets.HATCH_INDEX_USER }}
          HATCH_INDEX_AUTH: ${{ secrets.HATCH_INDEX_AUTH }}
        run: |
          hatch build
          hatch publish
      - name: Create release
        uses: ncipollo/release-action@v1
        with:
          draft: true
          body: ${{ github.event.head_commit.message }}
          artifacts: dist/*.whl,dist/*.tar.gz
          token: ${{ secrets.GITHUB_TOKEN }}

  docker-release:
    runs-on: ubuntu-latest
    needs: [pypi-release]

    steps:
      - uses: actions/checkout@v4
      - name: Wait package to be truly available from PyPI
        shell: bash
        run: |
          sleep 120
      - name: Set raw version variable
        shell: bash
        run: |
          echo "${{ github.ref_name }}" | sed "s/v/RAW_VERSION=$1/" >>  $GITHUB_ENV
      - name: Build Docker image
        uses: ./.github/actions/docker-build
        with:
          fief_version: ${{ env.RAW_VERSION }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
          registry: ghcr.io
          image_name: ${{ github.repository }}
          github_token: ${{ secrets.GITHUB_TOKEN }}

  stronghold-build:
    runs-on: ubuntu-latest
    needs: [pypi-release]

    steps:
      - uses: actions/checkout@v4
      - name: Wait package to be truly available from PyPI
        shell: bash
        run: |
          sleep 120
      - name: Set raw version variable
        shell: bash
        run: |
          echo "${{ github.ref_name }}" | sed "s/v/RAW_VERSION=$1/" >>  $GITHUB_ENV
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.INTERNAL_GITHUB_APP_ID }}
          private-key: ${{ secrets.INTERNAL_GITHUB_APP_PRIVATE_KEY }}
      - name: Trigger Stronghold build
        uses: octokit/request-action@v2.x
        with:
          route: POST /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches
          owner: fief-dev
          repo: stronghold
          workflow_id: build.yml
          fief_version: ${{ env.RAW_VERSION }}
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}