name: Build and Publish O3DE Flatpak

on:
  schedule:
    - cron: '0 2 * * *'          # daily at 02:00 - checks for a new O3DE release
  workflow_dispatch:
    inputs:
      force:
        description: 'Rebuild even if this version was already published'
        type: boolean
        default: false

permissions:
  contents: write

jobs:
  build:
    # Adjust the label to match your registered act_runner. The runner needs a
    # lot of free disk (O3DE is ~15-18 GB installed; the build needs ~2-3x that)
    # and the container must be privileged so Flatpak's sandbox (bubblewrap) works.
    runs-on: ubuntu-latest
    container:
      image: ubuntu:24.04
      options: --privileged
    steps:
      - name: Install build dependencies
        run: |
          apt-get update
          DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
            ca-certificates curl git jq xz-utils zstd binutils tar \
            flatpak

      # Done as a plain git clone instead of actions/checkout@v4: the bare
      # ubuntu image has no Node.js, so JavaScript actions fail with exit 127.
      - name: Checkout
        env:
          TOKEN: ${{ secrets.PUBLISH_TOKEN != '' && secrets.PUBLISH_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          AUTH_URL="$(echo "${GITHUB_SERVER_URL}" | sed "s#://#://${GITHUB_ACTOR}:${TOKEN}@#")/${GITHUB_REPOSITORY}.git"
          git init -q
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          git remote add origin "$AUTH_URL"
          git fetch -q --depth 1 origin "${GITHUB_SHA:-$GITHUB_REF_NAME}"
          git checkout -q FETCH_HEAD

      - name: Resolve latest O3DE version
        id: ver
        run: |
          chmod +x scripts/*.sh
          eval "$(scripts/get-latest-version.sh)"
          {
            echo "version=$version"
            echo "deb_url=$deb_url"
            echo "deb_file=$deb_file"
            echo "sha256=$sha256"
          } >> "$GITHUB_OUTPUT"
          echo "Latest O3DE: $version ($deb_file)"

      - name: Decide whether to build
        id: check
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          if [ "${{ inputs.force }}" = "true" ]; then
            echo "build=true" >> "$GITHUB_OUTPUT"
            echo "Force build requested."
          elif git ls-remote --tags origin "refs/tags/v${{ steps.ver.outputs.version }}" | grep -q .; then
            echo "build=false" >> "$GITHUB_OUTPUT"
            echo "v${{ steps.ver.outputs.version }} already published - nothing to do."
          else
            echo "build=true" >> "$GITHUB_OUTPUT"
            echo "New version v${{ steps.ver.outputs.version }} - building."
          fi

      - name: Install Flatpak runtime and SDK
        if: steps.check.outputs.build == 'true'
        run: |
          flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
          flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08

      - name: Download O3DE .deb
        if: steps.check.outputs.build == 'true'
        run: |
          curl -fL --retry 3 -o o3de.deb "${{ steps.ver.outputs.deb_url }}"
          if [ -n "${{ steps.ver.outputs.sha256 }}" ]; then
            echo "${{ steps.ver.outputs.sha256 }}  o3de.deb" | sha256sum -c -
          else
            echo "::warning::No published checksum; skipping verification."
          fi

      - name: Stamp version into AppStream metadata
        if: steps.check.outputs.build == 'true'
        run: |
          sed -i -E \
            "s#<release version=\"[^\"]*\" date=\"[^\"]*\">#<release version=\"${{ steps.ver.outputs.version }}\" date=\"$(date +%F)\">#" \
            org.o3de.O3DE.metainfo.xml

      - name: Build Flatpak into OSTree repo
        if: steps.check.outputs.build == 'true'
        run: |
          # Bwrap-free build (no flatpak-builder) so no privileged container is needed.
          chmod +x scripts/make-flatpak.sh
          scripts/make-flatpak.sh
          # Free disk before publishing (the repo/ snapshot is all we still need).
          rm -rf build-dir o3de.deb data

      - name: Generate .flatpakrepo
        if: steps.check.outputs.build == 'true'
        run: |
          BASE="${{ github.server_url }}/${{ github.repository }}/raw/branch/pages"
          cat > repo/o3de.flatpakrepo <<EOF
          [Flatpak Repo]
          Title=O3DE (unofficial Flatpak)
          Url=$BASE
          Homepage=https://o3de.org/
          Comment=Unofficial O3DE engine repackaged as a Flatpak
          Description=Install the Open 3D Engine on any Linux distribution via Flatpak.
          EOF

      - name: Publish OSTree repo to the 'pages' branch
        if: steps.check.outputs.build == 'true'
        env:
          # Prefer a personal access token (PUBLISH_TOKEN secret) with repo write
          # access; fall back to the auto-provided Actions token.
          TOKEN: ${{ secrets.PUBLISH_TOKEN != '' && secrets.PUBLISH_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          AUTH_URL="$(echo "${{ github.server_url }}" | sed "s#://#://${{ github.actor }}:${TOKEN}@#")/${{ github.repository }}.git"
          rm -rf publish && mkdir publish && cd publish
          git init -q -b pages
          git config user.name "Gitea Actions"
          git config user.email "actions@pc-heini.de"
          cp -a ../repo/. .
          touch .nojekyll
          git add -A
          git commit -q -m "O3DE Flatpak v${{ steps.ver.outputs.version }}"
          # Force-push a single snapshot so the pages branch never accumulates history.
          git push -f "$AUTH_URL" pages
          cd ..

      - name: Tag the published version
        if: steps.check.outputs.build == 'true'
        env:
          TOKEN: ${{ secrets.PUBLISH_TOKEN != '' && secrets.PUBLISH_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          AUTH_URL="$(echo "${{ github.server_url }}" | sed "s#://#://${{ github.actor }}:${TOKEN}@#")/${{ github.repository }}.git"
          TAG="v${{ steps.ver.outputs.version }}"
          if git ls-remote --tags "$AUTH_URL" "refs/tags/$TAG" | grep -q .; then
            echo "Tag $TAG already exists (force rebuild) - leaving it in place."
          else
            git tag "$TAG"
            git push "$AUTH_URL" "$TAG"
          fi