TunnelX/.github/workflows/release.yml

name: release

on:
  push:
    tags:
      - "v*.*.*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to publish, for example v1.2.23"
        required: true
        type: string

permissions:
  contents: write

jobs:
  windows:
    name: Publish Windows release
    runs-on: windows-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: "8.0.x"

      - name: Resolve release metadata
        id: meta
        shell: pwsh
        run: |
          $tag = "${{ github.ref_name }}"
          if ("${{ github.event_name }}" -eq "workflow_dispatch") {
            $tag = "${{ inputs.tag }}"
          }

          if ($tag -notmatch '^v\d+\.\d+\.\d+$') {
            throw "Release tag must use vMAJOR.MINOR.PATCH format. Received: $tag"
          }

          [xml]$project = Get-Content "AppTunnel/AppTunnel.csproj"
          $projectVersion = $project.Project.PropertyGroup.Version
          $tagVersion = $tag.TrimStart("v")

          if ($projectVersion -ne $tagVersion) {
            throw "Tag version ($tagVersion) does not match AppTunnel.csproj Version ($projectVersion)."
          }

          $artifactName = "TunnelX-$tag-standalone-compressed.exe"

          "tag=$tag" >> $env:GITHUB_OUTPUT
          "version=$tagVersion" >> $env:GITHUB_OUTPUT
          "artifact_name=$artifactName" >> $env:GITHUB_OUTPUT

      - name: Restore
        run: dotnet restore AppTunnel.sln

      - name: Build
        run: dotnet build AppTunnel.sln -c Release --no-restore

      - name: Publish standalone executable
        run: >
          dotnet publish AppTunnel\AppTunnel.csproj
          -c Release
          -r win-x64
          --self-contained true
          -p:PublishSingleFile=true
          -p:EnableCompressionInSingleFile=true
          -p:IncludeNativeLibrariesForSelfExtract=true
          -p:DebugType=None
          -p:DebugSymbols=false
          -o publish\TunnelX

      - name: Package release asset
        id: package
        shell: pwsh
        run: |
          $source = "publish/TunnelX/TunnelX.exe"
          $asset = "publish/${{ steps.meta.outputs.artifact_name }}"
          $checksum = "$asset.sha256"

          if (-not (Test-Path $source)) {
            throw "Published executable was not found at $source"
          }

          Move-Item -LiteralPath $source -Destination $asset
          $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $asset).Hash.ToLowerInvariant()
          "$hash  ${{ steps.meta.outputs.artifact_name }}" | Set-Content -Encoding ASCII -LiteralPath $checksum

          "asset=$asset" >> $env:GITHUB_OUTPUT
          "checksum=$checksum" >> $env:GITHUB_OUTPUT
          "sha256=$hash" >> $env:GITHUB_OUTPUT

      - name: Upload workflow artifact
        uses: actions/upload-artifact@v6
        with:
          name: TunnelX-${{ steps.meta.outputs.tag }}-win-x64
          path: |
            ${{ steps.package.outputs.asset }}
            ${{ steps.package.outputs.checksum }}
          if-no-files-found: error

      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        shell: pwsh
        run: |
          $tag = "${{ steps.meta.outputs.tag }}"
          $asset = "${{ steps.package.outputs.asset }}"
          $checksum = "${{ steps.package.outputs.checksum }}"
          $title = "TunnelX $tag"
          $runUrl = "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
          $sha256 = "${{ steps.package.outputs.sha256 }}".ToUpperInvariant()
          $artifactName = "${{ steps.meta.outputs.artifact_name }}"

          if ("${{ github.event_name }}" -eq "workflow_dispatch") {
            git fetch --tags origin
            if (-not (git tag --list $tag)) {
              git tag $tag
              git push origin $tag
            }
          }

          gh release view $tag *> $null
          if ($LASTEXITCODE -eq 0) {
            gh release upload $tag $asset $checksum --clobber
            gh release edit $tag --title $title --latest
          }
          else {
            gh release create $tag `
              $asset `
              $checksum `
              --title $title `
              --generate-notes `
              --latest
          }

          $body = gh release view $tag --json body --jq .body
          $provenanceLines = @(
            "<!-- release-provenance:start -->",
            "## Build provenance",
            "",
            "- Built and uploaded by GitHub Actions.",
            "- Workflow: ``release``",
            "- Run: $runUrl",
            "- Commit: ``${{ github.sha }}``",
            "- SHA256: ``$sha256  $artifactName``",
            "<!-- release-provenance:end -->"
          )
          $provenance = $provenanceLines -join "`n"

          if ($body -match '(?s)<!-- release-provenance:start -->.*<!-- release-provenance:end -->') {
            $body = $body -replace '(?s)<!-- release-provenance:start -->.*<!-- release-provenance:end -->', $provenance
          }
          else {
            $body = "$body`n`n$provenance"
          }

          $notesFile = Join-Path $env:RUNNER_TEMP "release-notes.md"
          $body | Set-Content -Encoding UTF8 -LiteralPath $notesFile
          gh release edit $tag --notes-file $notesFile