vatrog-vm-signaling/.gitea/workflows/release.yml

name: release

on:
  push:
    tags:
      - 'v*'

# No deployment-specific values are hardcoded: server/owner/repo come from the CI context,
# the publish token from a secret. Mirrors the sibling vmie release pipeline.
jobs:
  # In-guest vgpu producer (Windows, cross-compiled) -> attached to the release.
  windows-agent:
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm-slim
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install toolchain
        run: |
          apt-get update
          apt-get install -y --no-install-recommends \
            cmake make zip jq curl ca-certificates gcc-mingw-w64-x86-64

      - name: Cross-build the agent
        run: |
          cmake -S . -B build-win -DCMAKE_BUILD_TYPE=Release \
                -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain-mingw-w64.cmake
          cmake --build build-win -j

      - name: Package
        env:
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          mkdir -p dist/vgpu-streamer
          cp build-win/vgpu-streamer.exe dist/vgpu-streamer/
          [ -f LICENSE ] && cp LICENSE dist/vgpu-streamer/ || true
          (cd dist && zip -r "vgpu-streamer-${TAG}-win64.zip" vgpu-streamer)

      - name: Attach to release
        env:
          GITEA_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
          SERVER: https://dev.lirent.ru
          REPO: ${{ github.repository }}
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          asset="vgpu-streamer-${TAG}-win64.zip"
          api="${SERVER}/api/v1/repos/${REPO}"
          auth="Authorization: token ${GITEA_TOKEN}"

          rid=$(curl -sSL -H "$auth" "${api}/releases/tags/${TAG}" | jq -r '.id // empty' || true)
          if [ -z "$rid" ]; then
            rid=$(curl -fsSL -X POST -H "$auth" -H "Content-Type: application/json" \
              -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\"}" \
              "${api}/releases" | jq -r '.id')
          fi
          curl -fsSL -H "$auth" "${api}/releases/${rid}/assets" \
            | jq -r ".[] | select(.name==\"${asset}\") | .id" \
            | while read -r aid; do
                [ -n "$aid" ] && curl -fsSL -X DELETE -H "$auth" "${api}/releases/${rid}/assets/${aid}"
              done
          curl -fsSL -X POST -H "$auth" \
            -F "attachment=@dist/${asset};type=application/zip" \
            "${api}/releases/${rid}/assets?name=${asset}"

  # Host package (daemon + libs) -> the Gitea Debian registry. Built against the published
  # vmie dev package (external dependency), installed from the same registry.
  deb:
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm-slim
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install toolchain + vmie (external dependency)
        env:
          SERVER: https://dev.lirent.ru
          OWNER: ${{ github.repository_owner }}
          ACTOR: ${{ github.actor }}
          TOKEN: ${{ secrets.PUBLISH_TOKEN }}
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y --no-install-recommends \
            cmake make gcc libc6-dev dpkg-dev file ca-certificates curl
          # The Gitea Debian registry is private: apt needs HTTP Basic Auth. [trusted=yes]
          # only skips GPG verification, NOT authentication — hence the prior 401. The token
          # is written to auth.conf.d (never echoed to the log).
          # machine MUST carry the scheme (https://) — apt refuses to send credentials over an
          # unencrypted/unannotated endpoint (the prior 401 over the plain-http internal IP).
          install -d -m 0700 /etc/apt/auth.conf.d
          printf 'machine %s login %s password %s\n' "$SERVER" "$ACTOR" "$TOKEN" \
            > /etc/apt/auth.conf.d/gitea.conf
          chmod 600 /etc/apt/auth.conf.d/gitea.conf
          echo "deb [trusted=yes] ${SERVER}/api/packages/${OWNER}/debian stable main" \
            > /etc/apt/sources.list.d/gitea.list
          apt-get update
          apt-get install -y libvmie-dev

      - name: Build package
        env:
          TAG: ${{ github.ref_name }}
        run: make deb VERSION="${TAG#v}"

      - name: Publish to Debian registry
        env:
          TOKEN: ${{ secrets.PUBLISH_TOKEN }}   # requires scope: package:write
          SERVER: https://dev.lirent.ru
          OWNER: ${{ github.repository_owner }}
          DISTRIBUTION: stable
          COMPONENT: main
        run: |
          set -euo pipefail
          url="${SERVER}/api/packages/${OWNER}/debian/pool/${DISTRIBUTION}/${COMPONENT}/upload"
          auth="Authorization: token ${TOKEN}"
          for deb in dist/*.deb; do
            # 201 Created = uploaded; 409 Conflict = this version already present (re-run).
            code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT -H "$auth" -T "$deb" "$url")
            echo "$deb -> HTTP $code"
            if [ "$code" != 201 ] && [ "$code" != 409 ]; then
              echo "upload failed: $deb (HTTP $code)" >&2
              exit 1
            fi
          done