release-artifacts.yml
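# Builds the shaded JAR, packages it as a Windows app-image with jpackage,
# optionally Authenticode-signs MyNoSQL.exe, zips the image, and publishes the
# ZIP as a workflow artifact (and as a release asset on release events).
name: Release Artifacts

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

on:
  release:
    types: [published]
  workflow_dispatch:

# contents: write is what lets the final step attach the ZIP to the release.
# No other token scopes are granted.
permissions:
  contents: write

jobs:
  build-windows-zip:
    runs-on: windows-latest
    env:
      # Only a boolean flag is exposed job-wide so that `if:` conditions can
      # test for it. The certificate and its password are passed to the signing
      # step alone, which keeps them out of the Maven build and the
      # third-party actions in this job.
      HAS_SIGNING_CERT: ${{ secrets['WINDOWS_CERT_BASE64'] != '' && secrets['WINDOWS_CERT_PASSWORD'] != '' }}
    steps:
      # NOTE(review): the actions in this job are referenced by mutable major
      # tags. Consider pinning each `uses:` to a full commit SHA, in particular
      # the third-party release action, which runs with contents: write.
      - name: Checkout
        uses: actions/checkout@v5
        with:
          # Nothing later in the job needs git credentials; do not leave the
          # token in .git/config while build tooling runs.
          persist-credentials: false

      - name: Read app version
        id: app_version
        shell: powershell
        run: |
          [xml]$pom = Get-Content pom.xml
          $version = "$($pom.project.version)".Trim()
          # The version ends up in a file name, so reject empty or odd values.
          if ($version -notmatch '^[0-9A-Za-z][0-9A-Za-z._+-]*$') {
            throw "Unexpected or missing project version in pom.xml: '$version'"
          }
          # Windows PowerShell redirection (>>) does not write UTF-8 by default;
          # write the output file with an explicit encoding instead.
          "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append

      - name: Set up Java 17
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: "17"

      - name: Verify packaging tools
        shell: powershell
        run: |
          where.exe jpackage

      - name: Build shaded jar
        shell: cmd
        run: mvnw.cmd -B clean package

      - name: Create Windows app-image
        shell: powershell
        run: |
          $jar = Get-ChildItem target -Filter 'mynosql-*.jar' |
            Where-Object { $_.Name -notlike 'original-*' } |
            Select-Object -First 1
          if (-not $jar) {
            throw "Could not find packaged JAR in target/."
          }
          New-Item -Path dist-app -ItemType Directory -Force | Out-Null
          jpackage `
            --type app-image `
            --name MyNoSQL `
            --input target `
            --main-jar $jar.Name `
            --main-class com.mynosql.Main `
            --dest dist-app `
            --win-console

      - name: Sign MyNoSQL.exe (optional)
        if: env.HAS_SIGNING_CERT == 'true'
        shell: powershell
        env:
          WINDOWS_CERT_BASE64: ${{ secrets['WINDOWS_CERT_BASE64'] }}
          WINDOWS_CERT_PASSWORD: ${{ secrets['WINDOWS_CERT_PASSWORD'] }}
        run: |
          $certPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
          try {
            [System.IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:WINDOWS_CERT_BASE64))
            $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
              Sort-Object FullName -Descending |
              Select-Object -First 1
            if (-not $signtool) {
              throw "signtool.exe was not found on the runner."
            }
            # NOTE(review): /p places the PFX password on the signtool command
            # line, where it is visible to other processes on the runner while
            # signing runs.
            # The timestamp URL is plain HTTP; RFC 3161 timestamp responses are
            # themselves signed.
            & $signtool.FullName sign `
              /fd SHA256 `
              /f $certPath `
              /p "$env:WINDOWS_CERT_PASSWORD" `
              /tr http://timestamp.digicert.com `
              /td SHA256 `
              "dist-app\MyNoSQL\MyNoSQL.exe"
            if ($LASTEXITCODE -ne 0) {
              throw "Code signing failed."
            }
          }
          finally {
            # Never leave the decoded private key on disk after this step.
            Remove-Item -LiteralPath $certPath -Force -ErrorAction SilentlyContinue
          }

      - name: Skip signing (no cert configured)
        if: env.HAS_SIGNING_CERT != 'true'
        shell: powershell
        run: |
          Write-Host "Signing skipped. Configure WINDOWS_CERT_BASE64 and WINDOWS_CERT_PASSWORD secrets to enable signing."

      - name: Verify signature
        if: env.HAS_SIGNING_CERT == 'true'
        shell: powershell
        run: |
          $sig = Get-AuthenticodeSignature "dist-app\MyNoSQL\MyNoSQL.exe"
          $sig | Format-List *
          # Printing the signature is not a check: fail when the file is
          # unsigned or its hash no longer matches the signature.
          if ($sig.Status -in 'NotSigned', 'HashMismatch') {
            throw "MyNoSQL.exe is not validly signed (status: $($sig.Status))."
          }
          if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
          }

      - name: Zip Windows app-image
        shell: powershell
        env:
          # Passed through the environment rather than expanded into the script
          # text, so the value cannot be interpreted as PowerShell code.
          APP_VERSION: ${{ steps.app_version.outputs.version }}
        run: |
          New-Item -Path dist -ItemType Directory -Force | Out-Null
          Compress-Archive `
            -Path dist-app/MyNoSQL `
            -DestinationPath "dist/MyNoSQL-$($env:APP_VERSION)-windows-app.zip" `
            -Force

      - name: Upload Windows ZIP artifact
        uses: actions/upload-artifact@v4
        with:
          name: mynosql-windows-zip
          path: dist/*.zip

      - name: Attach Windows ZIP to GitHub release
        if: github.event_name == 'release'
        uses: softprops/action-gh-release@v2
        with:
          files: dist/*.zip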