name: Release Branch

on:
  push:
    branches:
      # NOTE: make sure any branches here are also valid directory names,
      # otherwise creating the directory and uploading to s3 will fail
      - 'main'

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # In order to request a JWT for AWS auth
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Download Buildkite Artifacts
        uses: EnricoMi/download-buildkite-artifact-action@v1.14
        with:
          buildkite_token: ${{ secrets.BUILDKITE_TOKEN }}
          output_path: artifacts
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
          aws-region: us-east-2
      - name: Publish Release (Branch)
        run: |
          sudo chown $USER: -R artifacts/

          LATEST_BRANCH="latest_${{ github.ref_name }}"
          mkdir "$LATEST_BRANCH"
          mkdir "$GITHUB_SHA"

          sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/rev/$GITHUB_SHA@" nix-installer.sh
          cp nix-installer.sh "$GITHUB_SHA"/
          cp nix-installer.sh "$LATEST_BRANCH"/

          for artifact in $(find artifacts/ -type f); do
            chmod +x "$artifact"
            cp "$artifact" "$GITHUB_SHA"/
            cp "$artifact" "$LATEST_BRANCH"/
          done

          # TODO: determine if these binaries have already been uploaded / are the exact same (try download and then hash if already exists as latest_*?)

          aws s3 sync "$GITHUB_SHA"/ s3://${{ secrets.AWS_S3_UPLOAD_BUCKET }}/"$GITHUB_SHA"/ --acl public-read
          aws s3 sync "$LATEST_BRANCH"/ s3://${{ secrets.AWS_S3_UPLOAD_BUCKET }}/"$LATEST_BRANCH"/ --acl public-read