name: get-signed-installers-from-stampy
on:
  workflow_dispatch:
  schedule:
    # 2:35 am central time
    - cron: '35 7 * * *'

jobs:
  get-signed-from-stampy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: download
        env:
          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
          AWS_EC2_METADATA_DISABLED: true
        # switch AWS identity to the one that can access stampy
        run: |
          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
          aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ .

      - name: upload to CLI s3
        id: upload
        env:
          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
          AWS_EC2_METADATA_DISABLED: true
        run: |
          # Run script and redirect stderr to stdout
          OUTPUT=$(node scripts/stampy-signed-upload.js 2>&1)

          # Check for non-zero exit code and stop the workflow if an error occured
          if [ $? -ne 0 ]; then
            echo "An error occured:"
            echo $OUTPUT
            exit 1
          fi

          # Set multiline string output
          # https://stackoverflow.com/questions/74137120/how-to-fix-or-avoid-error-unable-to-process-file-command-output-successfully#comment131739699_74232400
          echo -e "output<<EOF\n$OUTPUT\nEOF" >> "$GITHUB_OUTPUT"

      - name: clean up stampy in/out buckets
        env:
          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
          AWS_EC2_METADATA_DISABLED: true
        run: |
          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
          node scripts/stampy-signed-delete.js

      - name: notify
        uses: slackapi/slack-github-action@v1.26.0
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.CLI_TEAM_SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        with:
          payload: |
            {
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": "Stampy signed and uploaded the following files:",
                    "emoji": true
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": ${{ toJson(steps.upload.outputs.output) }}
                  }
                }
              ]
            }