name: Build Host Agent (Rust)

# Rust agent ships on its own tag namespace (agent-v*) so it never collides
# with the legacy Go pipeline (v*.*.*). Artifacts publish to the CDN /alpha/
# channel — /host-agent/latest/ stays on the Go build until cutover.

on:
  push:
    tags:
      - 'agent-v*'

jobs:
  build:
    runs-on: ubuntu-latest

    env:
      # Override the macOS toolchain names in corrosion-host-agent/.cargo/config.toml
      # (real env beats the config [env] table).
      CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER: musl-gcc
      CC_x86_64_unknown_linux_musl: musl-gcc

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Get version from tag
        id: version
        run: echo "VERSION=${GITHUB_REF#refs/tags/agent-v}" >> $GITHUB_OUTPUT

      - name: Verify tag matches Cargo.toml
        run: |
          CARGO_VERSION=$(grep '^version' corrosion-host-agent/Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')
          if [ "${{ steps.version.outputs.VERSION }}" != "$CARGO_VERSION" ]; then
            echo "Tag agent-v${{ steps.version.outputs.VERSION }} does not match Cargo.toml version $CARGO_VERSION"
            exit 1
          fi

      # The Asgard runner executes jobs in a bare node:20-bullseye container
      # (no Rust, no sudo, runs as root) — bootstrap the toolchain per-run,
      # same pattern as actions/setup-go in the Go pipeline.
      - name: Install Rust + cross toolchains
        run: |
          apt-get update -qq
          apt-get install -y -qq build-essential musl-tools gcc-mingw-w64-x86-64 curl
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
          "$HOME/.cargo/bin/rustup" target add x86_64-unknown-linux-musl x86_64-pc-windows-gnu

      - name: Build Linux AMD64 (static musl)
        run: |
          cd corrosion-host-agent
          cargo build --release --target x86_64-unknown-linux-musl
          mkdir -p bin
          cp target/x86_64-unknown-linux-musl/release/corrosion-host-agent bin/corrosion-host-agent-linux-amd64
          chmod +x bin/corrosion-host-agent-linux-amd64

      - name: Build Windows AMD64 (mingw)
        run: |
          cd corrosion-host-agent
          cargo build --release --target x86_64-pc-windows-gnu
          cp target/x86_64-pc-windows-gnu/release/corrosion-host-agent.exe bin/corrosion-host-agent-windows-amd64.exe

      - name: Generate checksums
        run: |
          cd corrosion-host-agent/bin
          sha256sum corrosion-host-agent-linux-amd64 > checksums.txt
          sha256sum corrosion-host-agent-windows-amd64.exe >> checksums.txt
          cat checksums.txt

      - name: Create Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          API_URL="${{ github.server_url }}/api/v1"
          REPO="${{ github.repository }}"
          VERSION="agent-v${{ steps.version.outputs.VERSION }}"

          RESPONSE=$(curl -s -X POST \
            -H "Authorization: token ${RELEASE_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\": \"${VERSION}\", \"name\": \"Corrosion Host Agent ${VERSION}\", \"body\": \"Rust host agent release ${VERSION}\", \"draft\": false, \"prerelease\": true}" \
            "${API_URL}/repos/${REPO}/releases")
          RELEASE_ID=$(echo "$RESPONSE" | grep -o '"id":[0-9]*' | head -1 | grep -o '[0-9]*')

          for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do
            curl -s -X POST \
              -H "Authorization: token ${RELEASE_TOKEN}" \
              -H "Content-Type: application/octet-stream" \
              --data-binary @corrosion-host-agent/bin/$f \
              "${API_URL}/repos/${REPO}/releases/${RELEASE_ID}/assets?name=$f"
          done

      - name: Upload to CDN (alpha channel)
        run: |
          CDN_URL="https://cdn.corrosionmgmt.com"
          VERSION="${{ steps.version.outputs.VERSION }}"

          for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do
            curl -s -X POST \
              -F "file=@corrosion-host-agent/bin/$f" \
              "${CDN_URL}/host-agent/alpha/$f"
            curl -s -X POST \
              -F "file=@corrosion-host-agent/bin/$f" \
              "${CDN_URL}/host-agent/${VERSION}/$f"
          done

          echo "CDN upload complete: ${CDN_URL}/host-agent/alpha/"

      - name: Build Summary
        run: |
          echo "## Corrosion Host Agent (Rust) Build Complete" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Version:** ${{ steps.version.outputs.VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "**Commit:** ${GITHUB_SHA:0:7}" >> $GITHUB_STEP_SUMMARY
          echo "**Channel:** alpha (latest/ untouched until cutover)" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Built Artifacts:" >> $GITHUB_STEP_SUMMARY
          echo "- Linux AMD64 static musl ($(stat -c%s corrosion-host-agent/bin/corrosion-host-agent-linux-amd64) bytes)" >> $GITHUB_STEP_SUMMARY
          echo "- Windows AMD64 mingw ($(stat -c%s corrosion-host-agent/bin/corrosion-host-agent-windows-amd64.exe) bytes)" >> $GITHUB_STEP_SUMMARY
          echo "- SHA256 checksums" >> $GITHUB_STEP_SUMMARY