name: Prepare new release

on:
  workflow_dispatch:
    inputs:
      serverBump:
        description: 'Bump server version'
        required: true
        default: 'false'
        type: choice
        options:
          - 'false'
          - major
          - minor
          - patch
      mobileBump:
        description: 'Bump mobile build number'
        required: false
        type: boolean
      skipTranslations:
        description: 'Skip translations'
        required: false
        type: boolean

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

permissions: {}

jobs:
  merge_translations:
    uses: ./.github/workflows/merge-translations.yml
    with:
      skip: ${{ inputs.skipTranslations }}
    permissions:
      pull-requests: write
    secrets:
      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

  bump_version:
    runs-on: ubuntu-latest
    needs: [merge_translations]
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
      version: ${{ steps.output.outputs.version }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Setup Mise
        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
          github_token: ${{ steps.token.outputs.token }}

      # TODO move to mise
      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

      - name: Bump version
        env:
          SERVER_BUMP: ${{ inputs.serverBump }}
          MOBILE_BUMP: ${{ inputs.mobileBump }}
        run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"

      - id: output
        run: echo "version=$IMMICH_VERSION" >> $GITHUB_OUTPUT

      - name: Commit and tag
        id: push-tag
        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
        with:
          default_author: github_actions
          message: 'chore: version ${{ steps.output.outputs.version }}'
          tag: ${{ steps.output.outputs.version }}
          push: true

  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
    permissions:
      contents: read
    secrets:
      KEY_JKS: ${{ secrets.KEY_JKS }}
      ALIAS: ${{ secrets.ALIAS }}
      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
      # iOS secrets
      APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
      APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
      APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
      IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
      IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
      FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}

    with:
      ref: ${{ needs.bump_version.outputs.ref }}
      environment: production

  prepare_release:
    runs-on: ubuntu-latest
    needs: [build_mobile, bump_version]
    permissions:
      actions: read # To download the app artifact
      # No content permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false

      - name: Download APK
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}

      - name: Create draft release
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
        with:
          draft: true
          tag_name: ${{ needs.bump_version.outputs.version }}
          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |
            docker/docker-compose.yml
            docker/docker-compose.rootless.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
            docker/prometheus.yml
            *.apk