name: Release Tags

on:
  push:
    tags:
      - "v*.*.*"

jobs:
  release:
    concurrency: release
    runs-on: ubuntu-latest
    permissions:
      contents: write # In order to upload artifacts to GitHub releases
      id-token: write # In order to request a JWT for AWS auth
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Download Buildkite Artifacts
        uses: EnricoMi/download-buildkite-artifact-action@v1.14
        with:
          buildkite_token: ${{ secrets.BUILDKITE_TOKEN }}
          output_path: artifacts
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
          aws-region: us-east-2
      - name: Publish Release to S3 (Tag)
        env:
          AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
        run: |
          ./upload_s3.sh "$GITHUB_REF_NAME" "$GITHUB_SHA" "https://install.determinate.systems/nix/tag/$GITHUB_REF_NAME"
      - name: Publish Release to GitHub (Tag)
        uses: softprops/action-gh-release@v1
        with:
          fail_on_unmatched_files: true
          draft: true
          files: |
            artifacts/**
            nix-installer.sh
      - name: Install Instructions (Tag)
        run: |
          cat <<EOF
          This tag can be installed by running the following command:

          curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/$GITHUB_REF_NAME | sh -s -- install
          EOF