name: Build Android app
on:
  workflow_call:
  workflow_dispatch:

defaults:
  run:
    working-directory: ./kotlin/android

permissions:
  contents: "read"
  id-token: "write"

jobs:
  static-analysis:
    # Android SDK tools hardware accel is available only on Linux runners
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-android
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - name: Run linter
        run: ./gradlew spotlessCheck

  update-release-draft:
    name: update-release-draft
    runs-on: ubuntu-24.04
    permissions:
      contents: write # for updating the release draft
    env:
      # mark:next-android-version
      RELEASE_NAME: android-client-1.5.7
    steps:
      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
        id: update-release-draft
        with:
          config-name: release-drafter-android-client.yml
          tag: ${{ env.RELEASE_NAME }}
          version: ${{ env.RELEASE_NAME }}
          name: ${{ env.RELEASE_NAME }}
          commitish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build_release:
    permissions:
      contents: write # for uploading artifacts to the release
      id-token: write
    name: build-release-${{ matrix.package-type }}
    needs: update-release-draft
    if: "${{ github.event_name == 'workflow_dispatch' }}"
    # Android SDK tools hardware accel is available only on Linux runners
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        include:
          - package-type: aab
            build-command: "./gradlew bundleRelease"
            output-path: app/build/outputs/bundle/release/app-release.aab
          - package-type: apk
            build-command: "./gradlew assembleRelease"
            output-path: app/build/outputs/apk/release/app-release.apk
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-tags: true # Otherwise we cannot embed the correct version into the build.
      - uses: ./.github/actions/setup-android
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - name: Build the release package
        env:
          KEYSTORE_BASE64: ${{ secrets.GOOGLE_UPLOAD_KEYSTORE_BASE64 }}
          KEYSTORE_PASSWORD: ${{ secrets.GOOGLE_UPLOAD_KEYSTORE_PASSWORD }}
          KEYSTORE_KEY_PASSWORD: ${{ secrets.GOOGLE_UPLOAD_KEYSTORE_KEY_PASSWORD }}
        run: |
          KEYSTORE_PATH="$(pwd)/app/keystore.jks"
          echo -n "$KEYSTORE_BASE64" | base64 --decode > "$KEYSTORE_PATH"
          ${{ matrix.build-command }}
          rm "$KEYSTORE_PATH"
      - name: Setup sentry CLI
        if: "${{ github.event_name == 'workflow_dispatch' }}"
        uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0
        with:
          token: ${{ secrets.SENTRY_AUTH_TOKEN }}
          organization: firezone-inc
      - name: Upload debug symbols to Sentry
        if: "${{ github.event_name == 'workflow_dispatch' }}"
        run: |
          sentry-cli debug-files upload --log-level info --project android-client --include-sources ../../rust/target
      - name: Run Unit Test
        run: |
          ./gradlew testReleaseUnitTest
      - name: Upload package artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: Android ${{ matrix.package-type }}
          path: |
            ./kotlin/android/${{ matrix.output-path }}
      - name: Upload package to release
        if: ${{ github.ref_name == 'main' && matrix.package-type == 'apk' && github.event_name == 'workflow_dispatch' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # mark:next-android-version
          RELEASE_NAME: android-client-1.5.7
        run: |
          export ARTIFACT_PATH="$RUNNER_TEMP/firezone-${RELEASE_NAME}.${{ matrix.package-type }}"
          cp "${{ matrix.output-path }}" "$ARTIFACT_PATH"
          ../../scripts/upload/github-release.sh
      - name: Distribute release to Firebase App Distribution
        if: ${{ matrix.package-type == 'aab' && github.event_name == 'workflow_dispatch' }}
        env:
          FIREBASE_APP_DISTRIBUTION_CREDENTIALS: ${{ secrets.FIREBASE_APP_DISTRIBUTION_CREDENTIALS }}
          FIREBASE_CREDENTIALS_PATH: firebase-credentials.json
          FIREBASE_APP_TESTERS: ${{ vars.FIREBASE_APP_TESTERS }}
        run: |
          echo -n "$FIREBASE_APP_DISTRIBUTION_CREDENTIALS" > "$FIREBASE_CREDENTIALS_PATH"
          ./gradlew appDistributionUploadRelease uploadCrashlyticsSymbolFileRelease

  build_debug:
    # Android SDK tools hardware accel is available only on Linux runners
    runs-on: ubuntu-24.04
    name: build-debug
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-android
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - name: Build debug APK
        run: |
          ./gradlew assembleDebug
      - name: Upload debug APK
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: Android debug APK
          path: |
            ./kotlin/android/app/build/outputs/apk/*