name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    name: Create release
    runs-on: ubuntu-latest
    permissions:
      actions: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version: '>=1.23.0'

      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          # explicitly enable sandbox
          install_options: --daemon
          extra_nix_config: |
            sandbox = true
            system-features = nixos-test benchmark big-parallel kvm
          enable_kvm: true

      - name: Ensure environment
        run: >-
          apt-get update && apt-get install -y sqlite3
        if: ${{ runner.os == 'Linux' }}

      - name: Restore Nix store
        uses: nix-community/cache-nix-action@v5
        with:
          primary-key: build-dist-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
          restore-prefixes-first-match: build-dist-${{ runner.os }}-

      - name: Build for release
        run: nix build --print-out-paths --print-build-logs .#dist

      - name: Release
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
            result/fortify-**
          api_key: '${{secrets.RELEASE_TOKEN}}'