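# Builds release binaries for every goos/goarch pair in the matrix and attaches
# them to the GitHub release. Runs when a release is created, or manually via
# workflow_dispatch with an optional tag name.
name: Release Go Binaries

on:
  release:
    types: [created]
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'Tag name to build (v1.3.1)'
        required: false
        default: ''

# Declare default permissions as read only.
permissions: read-all

jobs:
  releases-matrix:
    name: Release Go Binary
    runs-on: ubuntu-latest
    strategy:
      matrix:
        goos: [freebsd, linux, windows]
        goarch: [amd64, arm64]
    # Job-level grants override the read-only default above.
    # NOTE(review): the visible steps only build and upload release assets,
    # which needs contents: write. Confirm packages: write is required and
    # drop it if not.
    permissions:
      contents: write
      packages: write

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # audit only records outbound connections; it does not stop them.
          # Once the expected endpoints are known, switching to block with an
          # allowed-endpoints list would enforce the policy.
          egress-policy: audit

      - name: Determine ref to checkout
        # The dispatch input is passed through env instead of being expanded
        # with ${{ }} inside the script. An expression in run: is substituted
        # into the script text before the shell parses it, so quotes or
        # command substitutions in the input would become shell syntax.
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.inputs.release_tag }}
        run: |
          # If manually invoked with a release_tag input, use refs/tags/<tag>.
          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ -n "$RELEASE_TAG" ]; then
            # The value is appended to GITHUB_ENV and later reaches the build
            # flags, so accept only characters expected in a tag name. This
            # also rejects newlines, which would add extra GITHUB_ENV entries.
            case "$RELEASE_TAG" in
              *[!A-Za-z0-9._+/-]*)
                echo "::error::release_tag contains unsupported characters" >&2
                exit 1
                ;;
            esac
            echo "REF=refs/tags/$RELEASE_TAG" >> "$GITHUB_ENV"
          else
            # For release events GITHUB_REF is already refs/tags/<tag>;
            # otherwise fall back to the incoming ref.
            echo "REF=${GITHUB_REF}" >> "$GITHUB_ENV"
          fi

      # NOTE(review): if no later step needs git credentials on disk, consider
      # persist-credentials: false here; the release action below receives its
      # token explicitly.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ env.REF }}

      - name: Set APP_VERSION env
        run: |
          # basename strips refs/... and yields the tag or branch name
          echo "APP_VERSION=$(basename "${REF}")" >> "$GITHUB_ENV"

      - name: Set BUILD_TIME env
        run: echo "BUILD_TIME=$(date)" >> "$GITHUB_ENV"

      - uses: wangyoucao577/go-release-action@279495102627de7960cbc33434ab01a12bae144b # v1.55
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          extra_files: LICENSE README.md smtprelay.ini
          # APP_VERSION and BUILD_TIME are embedded in the binary via -X.
          ldflags: -s -w -X "main.appVersion=${{ env.APP_VERSION }}" -X "main.buildTime=${{ env.BUILD_TIME }}"
          release_tag: ${{ env.APP_VERSION }}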