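# Release workflow for a Gitea/GitHub-Actions runner: on a `v*` tag push it
# installs and tests the package, checks that CHANGELOG.md mentions the
# version, runs a heuristic pattern scan over dist/scripts/, packages dist/,
# then creates a release for the tag and attaches the tarball via the REST API.
---
name: release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '24'

      - name: install
        run: npm ci

      - name: test
        run: npm test

      # The tag name is spliced into a file name and a JSON body further down,
      # so reject anything outside a conservative version-tag character set
      # before it reaches those steps (git itself allows quotes, `$`, `;` ...).
      - name: validate tag name
        run: |
          set -euo pipefail
          if [[ ! "${GITHUB_REF_NAME}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "ERROR: tag '${GITHUB_REF_NAME}' is not a plain version tag (expected v<version>)"
            exit 1
          fi

      - name: validate changelog
        run: |
          set -euo pipefail
          VERSION="${GITHUB_REF_NAME#v}"
          # Accept either a keep-a-changelog heading ("## [1.2.3] ...") or a bare
          # "## 1.2.3" line. Both lookups are fixed-string (-F) so the dots in
          # VERSION are not regex wildcards; -x makes the bare form a whole-line
          # match, which is what the former ^...$ anchors intended.
          if ! grep -qF "## [${VERSION}]" CHANGELOG.md && ! grep -qFx "## ${VERSION}" CHANGELOG.md; then
            echo "ERROR: CHANGELOG.md has no entry for version ${VERSION}"
            exit 1
          fi

      # Heuristic only: flags a few well-known dangerous sinks in the shipped
      # scripts. It is a release gate, not a substitute for a real static
      # analysis pass. `\b` and `\s` rely on GNU grep (present on ubuntu-latest).
      - name: security scan (dist/scripts)
        run: |
          set -euo pipefail
          if [ -d dist/scripts ]; then
            # -n prints file:line for each hit so the failure is actionable.
            if grep -rnE 'eval\b|new Function\b|\.innerHTML\s*=' dist/scripts/; then
              echo "ERROR: unsafe pattern detected in dist/scripts/"
              exit 1
            fi
            echo "dist/scripts/ scan: clean"
          else
            echo "dist/scripts/ does not exist — scan skipped"
          fi

      # NOTE(review): there is no explicit build step; this assumes dist/ is
      # either committed or produced by `npm ci`/`npm test` — confirm.
      - name: package dist artifact
        run: tar -czf "dist-${GITHUB_REF_NAME}.tar.gz" dist/

      - name: create release and upload artifact
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          set -euo pipefail
          # Fail immediately with a clear message rather than sending an
          # unauthenticated request when the secret is not configured.
          : "${GITEA_TOKEN:?GITEA_TOKEN secret is not configured}"
          SERVER="${GITHUB_SERVER_URL}"
          REPO="${GITHUB_REPOSITORY}"
          TAG="${GITHUB_REF_NAME}"
          ASSET="dist-${TAG}.tar.gz"
          # -S together with -s: quiet on success, but print curl's error on
          # failure (e.g. 409 when a release for this tag already exists, or
          # 401/403 on an insufficient token) instead of failing silently.
          RELEASE=$(curl -sSf -X POST \
            "${SERVER}/api/v1/repos/${REPO}/releases" \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\"}")
          # The first "id" field in the response is taken as the release id.
          # `|| true` keeps pipefail from aborting here so the explicit check
          # below can report the problem instead of POSTing to ".../releases//assets".
          RELEASE_ID=$(printf '%s' "${RELEASE}" | grep -o '"id":[0-9]*' | head -1 | sed 's/"id"://' || true)
          if [ -z "${RELEASE_ID}" ]; then
            echo "ERROR: could not parse release id from API response:"
            echo "${RELEASE}"
            exit 1
          fi
          curl -sSf -X POST \
            "${SERVER}/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets" \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -F "attachment=@${ASSET};type=application/gzip"
          echo "Release ${TAG} created (id=${RELEASE_ID})"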