name: Prepare new release

on:
  workflow_dispatch:
    inputs:
      serverBump:
        description: 'Bump server version'
        required: true
        default: 'false'
        type: choice
        options:
          - 'false'
          - major
          - minor
          - patch
      mobileBump:
        description: 'Bump mobile build number'
        required: false
        type: boolean
      skipTranslations:
        description: 'Skip translations'
        required: false
        type: boolean

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

permissions: {}

jobs:
  merge_translations:
    uses: ./.github/workflows/merge-translations.yml
    with:
      skip: ${{ inputs.skipTranslations }}
    permissions:
      pull-requests: write
    secrets:
      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

  bump_version:
    runs-on: ubuntu-latest
    needs: [merge_translations]
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
          ref: main

      - name: Install uv
        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7.1.3

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

      - name: Setup Node
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Bump version
        env:
          SERVER_BUMP: ${{ inputs.serverBump }}
          MOBILE_BUMP: ${{ inputs.mobileBump }}
        run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"

      - name: Commit and tag
        id: push-tag
        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: version ${{ env.IMMICH_VERSION }}'
          tag: ${{ env.IMMICH_VERSION }}
          push: true

  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
    permissions:
      contents: read
    secrets:
      KEY_JKS: ${{ secrets.KEY_JKS }}
      ALIAS: ${{ secrets.ALIAS }}
      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
      # iOS secrets
      APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
      APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
      APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
      IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
      IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
      IOS_PROVISIONING_PROFILE: ${{ secrets.IOS_PROVISIONING_PROFILE }}
      IOS_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_SHARE_EXTENSION }}
      IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_SHARE_EXTENSION }}
      IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION: ${{ secrets.IOS_DEVELOPMENT_PROVISIONING_PROFILE_WIDGET_EXTENSION }}
      FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}

    with:
      ref: ${{ needs.bump_version.outputs.ref }}
      environment: production

  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
    permissions:
      actions: read # To download the app artifact
      # No content permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false

      - name: Download APK
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}

      - name: Create draft release
        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
        with:
          draft: true
          tag_name: ${{ env.IMMICH_VERSION }}
          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |
            docker/docker-compose.yml
            docker/example.env
            docker/hwaccel.ml.yml
            docker/hwaccel.transcoding.yml
            docker/prometheus.yml
            *.apk