name: "publish-kinds-release"

on:
  push:
    branches:
      - v[0-9]+.[0-9]+.x
    tags:
      - v[0-9]+.[0-9]+.[0-9]+
    paths:
      - '**/*.cue'
  workflow_dispatch:

permissions: {}

jobs:
  main:
    if: github.repository == 'grafana/grafana'
    runs-on: "ubuntu-latest"
    permissions:
      contents: read # cloning repo
      actions: read # reading .github/workflows/ dir
      id-token: write # reading vault secrets

    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
        with:
          # required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
          fetch-depth: 0
          persist-credentials: false

      - name: "Setup Go"
        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
        with:
          go-version-file: go.mod

      - name: "Verify kinds"
        run: go run .github/workflows/scripts/kinds/verify-kinds.go

      - name: "Checkout Actions library"
        uses: "actions/checkout@v4"
        with:
          repository: "grafana/grafana-github-actions"
          path: "./actions"
          persist-credentials: false

      - name: "Install Actions from library"
        run: "npm install --production --prefix ./actions"

      - name: "Determine if there is a matching release tag"
        id: "has-matching-release-tag"
        uses: "./actions/has-matching-release-tag"
        with:
          ref_name: "${{ github.ref_name }}"
          release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
          release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"

      - name: "Get vault secrets"
        id: vault-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
          repo_secrets: |
            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        if: "steps.has-matching-release-tag.outputs.bool == 'true'"
        run: "git clone --single-branch --no-tags --depth 1 -b master https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/website-sync ./.github/actions/website-sync"

      - name: "Publish to kind registry (release)"
        if: "steps.has-matching-release-tag.outputs.bool == 'true'"
        uses: "./.github/actions/website-sync"
        id: "publish-release"
        with:
          repository: "grafana/kind-registry"
          branch: "main"
          host: "github.com"
          github_pat: "grafana-delivery-bot:${{ steps.generate_token.outputs.token }}"
          source_folder: ".github/workflows/scripts/kinds/next"
          target_folder: "grafana/${{ github.ref_name }}"