name: Build and Release
on: [push]

jobs:
  build-sign-package:
    runs-on: ubuntu-latest
    container: archlinux:latest
    steps:
      - name: Install Tools
        run: pacman -Syu --noconfirm mingw-w64-gcc nsis osslsigncode opentofu ansible python-pywinrm packer

      - name: Checkout
        uses: actions/checkout@v3

      - name: Cross-Compile (MinGW)
        run: x86_64-w64-mingw32-gcc src/main.c -o dist/app.exe

      - name: Package (NSIS)
        run: makensis -DVERSION=${{ gitea.ref_name }} installer.nsi

      - name: Code Sign (Linux Native)
        env:
          PFX_PASS: ${{ secrets.PFX_PASS }}
        run: |
          osslsigncode sign -pkcs12 cert.pfx -pass "$PFX_PASS" \
            -t http://timestamp.digicert.com \
            -in dist/installer.exe -out dist/installer_signed.exe

      - name: Provision Windows VM (OpenTofu)
        env:
          PM_API_TOKEN_ID: ${{ secrets.PM_TOKEN_ID }}
          PM_API_TOKEN_SECRET: ${{ secrets.PM_TOKEN_SECRET }}
          TF_VAR_build_id: ${{ gitea.run_number }}
        run: |
          cd terraform
          tofu init
          tofu apply -auto-approve
          echo "VM_IP=$(tofu output -raw vm_ip)" >> $GITHUB_ENV

      - name: Verify on Windows (Ansible)
        env:
          ANSIBLE_USER: Administrator
          ANSIBLE_PASSWORD: ${{ secrets.WIN_ADMIN_PASS }}
        run: |
          echo "[windows_vm]" > inventory.ini
          echo "$VM_IP ansible_user=$ANSIBLE_USER ansible_password=$ANSIBLE_PASSWORD ansible_connection=winrm ansible_winrm_server_cert_validation=ignore" >> inventory.ini

          ansible-playbook -i inventory.ini ansible/pipeline.yml

      - name: Cleanup
        if: always()
        run: |
          cd terraform
          tofu destroy -auto-approve