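# Signs plugin bundles and security metadata with the project's private key,
# regenerates store.json, and commits the results back to the branch.
name: Sign Plugins

on:
  push:
    branches: [main]
    paths:
      - 'plugins/**/*.js'
      - 'plugins/**/manifest.json'
      - 'security/*.json'
  workflow_dispatch:

jobs:
  sign:
    runs-on: ubuntu-latest
    # The job pushes a commit, so it needs write access to repository contents.
    # Declaring it explicitly keeps every other GITHUB_TOKEN scope at "none".
    permissions:
      contents: write
    steps:
      # NOTE(review): the actions below are referenced by mutable tag. They run
      # in the job that handles the signing key, so pinning each one to a full
      # commit SHA would stop a re-pointed tag from changing what executes here.
      - uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Build signtool
        run: go build -o signtool ./tools/signtool

      - name: Sign plugins
        env:
          SIGNING_KEY: ${{ secrets.PLUGIN_SIGNING_KEY }}
        run: |
          set -euo pipefail
          # Keep the key in the runner's per-job temp directory, not shared /tmp.
          key_file="$RUNNER_TEMP/private.key"
          # Remove the key even when the signing script fails; the step stops at
          # the first error, so a trailing `rm` would be skipped in that case.
          trap 'rm -f "$key_file"' EXIT
          # Create the file owner-only from the start. The subshell keeps the
          # restrictive umask away from files the signing script writes.
          (umask 077; printf '%s\n' "$SIGNING_KEY" > "$key_file")
          bash scripts/sign-all.sh "$key_file"

      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Generate store.json
        run: bash scripts/generate-store.sh > store.json

      - name: Sign security files
        env:
          SIGNING_KEY: ${{ secrets.PLUGIN_SIGNING_KEY }}
        run: |
          set -euo pipefail
          # Same key handling as the "Sign plugins" step: per-job temp path,
          # owner-only at creation, removed on every exit path.
          key_file="$RUNNER_TEMP/private.key"
          trap 'rm -f "$key_file"' EXIT
          (umask 077; printf '%s\n' "$SIGNING_KEY" > "$key_file")
          bash scripts/sign-security.sh "$key_file"

      - name: Commit changes
        # Stages only the signature files, store.json and the security JSON, and
        # commits only when something is actually staged. The push uses the
        # token that actions/checkout left in the local git configuration.
        run: |
          git config user.name "GitHub Actions"
          git config user.email "actions@github.com"
          git add -A "plugins/**/*.sig" store.json "security/*.json"
          git diff --staged --quiet || git commit -m "chore: update signatures and store"
          git push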