release.yml

name: Release

on:
  workflow_dispatch:
  push:
    # Trigger this workflow by pushing a release tag.
    # Make sure that `HEAD` is pointing to the commit you want to release.
    # Then run `git tag -a v<version_tag> -m "Release version <version_tag> (<yyyy>-<mm>-<dd>)" && git push && git push --tags`.
    # For example `git tag -a v1.06 -m "Release version 1.06 (2020-12-20)" && git push && git push --tags`.
    tags:
      - v1.*

jobs:
  define_matrix:
    runs-on: ubuntu-22.04
    outputs:
      matrix: ${{ steps.define_matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v6

      - name: Verify build matrix
        # The build matrix is used to interpolate commands and inputs throughout the remainder of the workflow.
        # Since those interpolations are potentially security-sensitive, we verify the hash of the build matrix.
        if: ${{ hashFiles('.github/workflows/build_matrix.json') != 'ae87ded543b131908cf5aed1502d0e39b2cb9374693598ef7f09c5c5a8be4e52' }}
        run: |
          echo "CI run aborted due to unexpected changes to the build matrix."
          exit 1

      - name: Define build matrix
        id: define_matrix
        run: |
          echo "matrix=$(cat .github/workflows/build_matrix.json| jq -c .)" >> $GITHUB_OUTPUT

  build_and_test:
    needs: define_matrix
    strategy:
      matrix:
        include:
          ${{ fromJson(needs.define_matrix.outputs.matrix) }}
    name: ${{ matrix.name }}
    runs-on: ${{ matrix.os }}
    env:
      RELEASE_DIR: inchi-${{ matrix.slug }}-${{ github.sha }}

    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      - name: Install dependencies
        run: ${{ matrix.pre_build }}

      - name: Set up Visual Studio shell
        if: runner.os == 'Windows'
        uses: egor-tensin/vs-shell@9a932a62d05192eae18ca370155cf877eecc2202
        with:
          arch: x64

      - name: Build executable
        run: |
          cmake -B CMake_build/cli_build -S INCHI-1-SRC/INCHI_EXE/inchi-1/src
          ${{ matrix.build_exe }}

      - name: Test executable
        run: pytest INCHI-1-TEST/tests/test_executable --exe-path ${{ matrix.exe_path }}

      - name: Build library
        run: |
          cmake -B CMake_build/libinchi_build -S INCHI-1-SRC/INCHI_API/demos/inchi_main/src
          ${{ matrix.build_lib }}

      - name: Test library
        uses: ./.github/actions/regression_tests
        with:
          artifact-name: regression-test-results-${{ matrix.slug }}-${{ github.sha }}
          library-path: ${{ matrix.lib_path }}
          shell: ${{ runner.os == 'Windows' && 'pwsh' || 'bash' }}

      - name: Upload CMake configurations
        uses: actions/upload-artifact@v7
        with:
          name: CMake-configurations-${{ matrix.slug }}-${{ github.sha }}
          path: |
            CMake_build/libinchi_build/CMakeCache.txt
            CMake_build/cli_build/CMakeCache.txt

      - name: Collect artifacts
        run: |
          mkdir -p ${{ env.RELEASE_DIR }}
          cp ${{ matrix.exe_path }} ${{ env.RELEASE_DIR }}
          cp ${{ matrix.lib_path }} ${{ env.RELEASE_DIR }}
          cp ${{ matrix.main_path }} ${{ env.RELEASE_DIR }}

      - id: upload-unsigned-artifacts
        uses: actions/upload-artifact@v7
        with:
          name: ${{ env.RELEASE_DIR }}
          path: ${{ env.RELEASE_DIR }}

      - name: Sign artifacts
        if: runner.os == 'Windows'
        uses: signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: 656f8204-f8c5-4028-bd48-f832f5f89b31
          project-slug: InChI
          signing-policy-slug: release-signing
          github-artifact-id: ${{ steps.upload-unsigned-artifacts.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: ${{ env.RELEASE_DIR }}-signed

      - uses: actions/upload-artifact@v4
        if: runner.os == 'Windows'
        with:
          name: ${{ env.RELEASE_DIR }}-signed
          path: ${{ env.RELEASE_DIR }}-signed

  release:
    needs: build_and_test
    if: github.ref_type == 'tag'
    runs-on: ubuntu-22.04
    permissions:
      contents: write

    steps:

      - uses: actions/checkout@v6
        # git repository needs to be checked out (including tags, hence `fetch-depth: 0`),
        # otherwise the `--verify-tag` flag to `gh release create` fails.
        with:
          fetch-depth: 0

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          path: release_artifacts
          pattern: inchi-*

      - name: Package artifacts
        run: zip -r release_artifacts.zip release_artifacts

      - name: Download CMake configurations
        uses: actions/download-artifact@v8
        with:
          path: cmake_configurations
          pattern: CMake-configurations-*

      - name: Package CMake configurations
        run: zip -r cmake_configurations.zip cmake_configurations

      - name: Create release
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # See https://cli.github.com/manual/gh_release_create.
        run: |
          gh release create ${{ github.ref_name }} \
          --verify-tag \
          --title "${{ github.ref_name }}" \
          --notes "For details about this release have a look at the [CHANGELOG](INCHI-1-DOC/CHANGELOG.md)." \
          release_artifacts.zip cmake_configurations.zip