create_variants.yml
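# Builds one re-signed, notarized DMG per ATB variant from the already
# released app (vars.RELEASE_DMG_URL) and uploads each to the release bucket.
#
# Every value that originates outside this file (the workflow_dispatch input,
# the matrix value derived from it, repository vars, secrets, github.ref /
# github.actor) is passed to shell steps through `env:` and read as "$VAR"
# rather than being spliced into the script text with ${{ }}. Expression
# interpolation inside `run:` is plain text substitution, so a crafted input
# would otherwise be executed as part of the script (script injection).
name: Create DMG Variants

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      atb-variants:
        description: "ATB variants (comma-separated)"
        required: true
        type: string

# Least privilege: the only GitHub API use is reading repository contents
# (action.yml, dmg-background.png, the Mattermost template) with github.token.
permissions:
  contents: read

jobs:
  set-up-variants:
    name: Set Up Variants
    runs-on: macos-13
    timeout-minutes: 15
    outputs:
      atb-variants: ${{ steps.atb-variants.outputs.matrix }}
    steps:
      - name: Set up ATB variants
        id: atb-variants
        env:
          ATB_VARIANTS: ${{ github.event.inputs.atb-variants }}
        run: |
          # Build the matrix JSON with jq instead of string concatenation so a
          # variant containing quotes or shell metacharacters can neither break
          # the JSON nor run as code. Output shape: {"variant": ["a", "b"]}.
          # NOTE(review): the variant is later used as an S3 key segment and
          # written into the app bundle; consider validating its character set here.
          matrix="$(jq -cn --arg v "$ATB_VARIANTS" '{variant: ($v | split(","))}')"
          echo "matrix=${matrix}" >> "$GITHUB_OUTPUT"

  create-atb-variants:
    name: Create ATB Variant
    needs: set-up-variants
    strategy:
      matrix: ${{ fromJSON(needs.set-up-variants.outputs.atb-variants) }}
    runs-on: macos-12
    timeout-minutes: 15
    steps:
      - name: Download release app
        env:
          RELEASE_DMG_URL: ${{ vars.RELEASE_DMG_URL }}
        run: |
          # Copy the app out of the release DMG into ./dmg, which becomes the
          # source folder for the variant DMG built below.
          curl -fLSs "$RELEASE_DMG_URL" --output duckduckgo.dmg
          hdiutil attach duckduckgo.dmg -mountpoint vanilla
          mkdir -p dmg
          cp -R vanilla/DuckDuckGo.app dmg/DuckDuckGo.app
          hdiutil detach vanilla
          rm -f duckduckgo.dmg

      - name: Install create-dmg
        run: brew install create-dmg

      - name: Fetch install-certs-and-profiles action
        env:
          GH_TOKEN: ${{ github.token }}
          DEST_DIR: ".github/actions/install-certs-and-profiles"
        run: |
          # The repository is not checked out; fetch only the composite action
          # definition at the ref this run was dispatched from. GITHUB_REPOSITORY
          # and GITHUB_REF are the runner's default env vars, so github.ref (a
          # branch name, which may contain shell metacharacters) never enters
          # the script text.
          mkdir -p "$DEST_DIR"
          curl -fLSs "$(gh api "https://api.github.com/repos/${GITHUB_REPOSITORY}/contents/${DEST_DIR}/action.yml?ref=${GITHUB_REF}" --jq .download_url)" \
            --output "${DEST_DIR}/action.yml"

      - name: Install Apple Developer ID Application certificate
        uses: ./.github/actions/install-certs-and-profiles
        with:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
          RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
          NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
          NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
          NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
          NETP_START_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_START_VPN_PROVISION_PROFILE_BASE64 }}
          NETP_STOP_VPN_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_STOP_VPN_PROVISION_PROFILE_BASE64 }}
          NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_ENABLE_ON_DEMAND_PROVISION_PROFILE_BASE64 }}

      - name: Set up variant
        working-directory: ${{ github.workspace }}/dmg
        env:
          VARIANT: ${{ matrix.variant }}
        run: |
          # Re-sign with the app's own entitlements after adding variant.txt,
          # since changing bundle contents invalidates the existing signature.
          codesign -d --entitlements :- DuckDuckGo.app > entitlements.plist
          # printf, not echo: a variant beginning with "-" is written verbatim.
          printf '%s\n' "$VARIANT" > "DuckDuckGo.app/Contents/Resources/variant.txt"
          sign_identity="$(security find-certificate -a -c "Developer ID Application" -Z | grep ^SHA-1 | cut -d " " -f3 | uniq)"
          /usr/bin/codesign \
            --force \
            --sign "${sign_identity}" \
            --options runtime \
            --entitlements entitlements.plist \
            --generate-entitlement-der "DuckDuckGo.app"
          rm -f entitlements.plist

      - name: Notarize the app
        env:
          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
        working-directory: ${{ github.workspace }}/dmg
        run: |
          # Materialise the API key from secrets only for the duration of this
          # step; the trap removes it whether or not notarization succeeds.
          export APPLE_API_KEY_PATH="$RUNNER_TEMP/apple_api_key.pem"
          trap 'rm -f "$APPLE_API_KEY_PATH"' EXIT
          echo -n "$APPLE_API_KEY_BASE64" | base64 --decode -o "$APPLE_API_KEY_PATH"
          notarization_zip_path="DuckDuckGo-for-notarization.zip"
          ditto -c -k --keepParent "DuckDuckGo.app" "${notarization_zip_path}"
          xcrun notarytool submit \
            --key "${APPLE_API_KEY_PATH}" \
            --key-id "${APPLE_API_KEY_ID}" \
            --issuer "${APPLE_API_KEY_ISSUER}" \
            --wait \
            "${notarization_zip_path}"
          xcrun stapler staple "DuckDuckGo.app"
          rm -rf "${notarization_zip_path}"

      - name: Create variant DMG
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          curl -fLSs "$(gh api "https://api.github.com/repos/${GITHUB_REPOSITORY}/contents/scripts/assets/dmg-background.png?ref=${GITHUB_REF}" --jq .download_url)" \
            --output dmg-background.png
          create-dmg --volname "DuckDuckGo" \
            --icon "DuckDuckGo.app" 140 160 \
            --background "dmg-background.png" \
            --window-size 600 400 \
            --icon-size 120 \
            --app-drop-link 430 160 "duckduckgo.dmg" \
            "dmg"

      - name: Upload variant DMG
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}
          RELEASE_BUCKET_NAME: ${{ vars.RELEASE_BUCKET_NAME }}
          RELEASE_BUCKET_PREFIX: ${{ vars.RELEASE_BUCKET_PREFIX }}
          VARIANT: ${{ matrix.variant }}
        run: |
          # The object is intentionally world-readable: this is the public download.
          aws s3 cp duckduckgo.dmg \
            "s3://${RELEASE_BUCKET_NAME}/${RELEASE_BUCKET_PREFIX}/${VARIANT}/duckduckgo.dmg" \
            --acl public-read

  mattermost:
    name: Send Mattermost message
    needs: create-atb-variants
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Send Mattermost message
        env:
          GH_TOKEN: ${{ github.token }}
          WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
          MM_HANDLES_BASE64: ${{ secrets.MM_HANDLES_BASE64 }}
          MM_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
        run: |
          curl -fLSs "$(gh api "https://api.github.com/repos/${GITHUB_REPOSITORY}/contents/scripts/assets/variants-release-mm-template.json?ref=${GITHUB_REF}" --jq .download_url)" \
            --output message-template.json
          # Look the actor up with --arg so the login is data, not part of the
          # jq filter. `// empty` yields an empty string when the actor is not
          # in the map (a plain ".actor" would print the literal "null", which
          # is non-empty and would have sent a message addressed to "null").
          MM_USER_HANDLE="$(base64 -d <<< "$MM_HANDLES_BASE64" | jq -r --arg actor "$GITHUB_ACTOR" '.[$actor] // empty')"
          export MM_USER_HANDLE  # read by envsubst from the template
          if [[ -z "${MM_USER_HANDLE}" ]]; then
            echo "Mattermost user handle not known for ${GITHUB_ACTOR}, skipping sending message"
          else
            # -sS: quiet on success but still report transport errors; the
            # notification stays best-effort (no -f), so a webhook error does
            # not fail the run.
            curl -sS -H 'Content-type: application/json' \
              -d "$(envsubst < message-template.json)" \
              "$MM_WEBHOOK_URL"
          fi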