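---
# Reusable workflow: sign Windows binaries from a build artifact on a
# self-hosted runner that holds the code-signing certificate, then upload
# only the signed files plus a SHA-256 manifest as a new artifact.
#
# Security notes
#   - `inputs.*` are supplied by the CALLING workflow and are untrusted from
#     this workflow's point of view. They are never expanded with `${{ }}`
#     inside a `run:` script (that is a command-injection vector on the
#     signer host, which holds the signing key); they are passed through
#     `env:` and validated before use.
#   - Every `run:` step uses PowerShell: `$env:X` is read as data and is not
#     re-parsed by a shell. cmd.exe's `%X%` is expanded before command
#     parsing, so `&`/`|` inside a value would still be executed there.
#   - The third-party actions are pinned by major tag only; pin them to a
#     full commit SHA before relying on this in a release pipeline.
name: Windows Signer

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      artifact-name:
        description: Name of the build artifact that contains archive.zip.
        required: true
        type: string
      files:
        description: >-
          Space-separated, double-quoted paths (relative to the root of
          archive.zip) of the files to sign, e.g. '"bin/app.exe" "bin/x.dll"'.
        required: true
        type: string

# The signer needs no write access; a called workflow can only narrow the
# caller's token permissions, never widen them.
permissions:
  contents: read

jobs:
  sign:
    runs-on: [self-hosted, win-signer]
    timeout-minutes: 30
    env:
      # Caller-controlled values are exposed as environment variables so the
      # scripts below read them as plain strings instead of via `${{ }}`.
      ARTIFACT_NAME: ${{ inputs.artifact-name }}
      FILES_TO_SIGN: ${{ inputs.files }}
      # Per-run working directory. artifact-name is validated in the first
      # step before this value is used as a path component.
      ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
    defaults:
      run:
        # `-File` makes an uncaught `throw` exit non-zero, failing the step.
        shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
    steps:
      - name: validate inputs
        # Fail fast, before anything is downloaded or signed, if the caller
        # passed a hostile or malformed artifact name / file list.
        run: |
          $ErrorActionPreference = 'Stop'
          # artifact-name becomes part of ARCHIVE_DIR: allow a safe charset only.
          if ($env:ARTIFACT_NAME -notmatch '^[A-Za-z0-9._-]+$') {
            throw "Invalid artifact-name: '$($env:ARTIFACT_NAME)'"
          }
          $Files = @([regex]::Matches($env:FILES_TO_SIGN, '"([^"]+)"') |
            ForEach-Object { $_.Groups[1].Value })
          if ($Files.Count -eq 0) {
            throw 'No files to sign were provided (each path must be double-quoted).'
          }
          foreach ($RelativePath in $Files) {
            # Reject anything that could escape the extraction directory
            # (absolute or `..` paths) or be read by signtool as an option.
            if ([System.IO.Path]::IsPathRooted($RelativePath) -or
                $RelativePath -match '(^|[\\/])\.\.([\\/]|$)' -or
                $RelativePath -match '^[-/]') {
              throw "Refusing unsafe file path: '$RelativePath'"
            }
          }
          Write-Host "Validated $($Files.Count) file path(s)."

      - uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.artifact-name }}
          path: ${{ env.ARCHIVE_DIR }}

      - name: unzip file
        # 7za is pre-installed on the signer machine.
        run: |
          $ErrorActionPreference = 'Stop'
          $OutDir = Join-Path $env:ARCHIVE_DIR 'out'
          New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
          # NOTE(review): the archive is produced by the caller's build job;
          # 7za is relied on to refuse entries that would escape $OutDir —
          # confirm for the version installed on the runner.
          & 7za x (Join-Path $env:ARCHIVE_DIR 'archive.zip') -y "-o$OutDir"
          if ($LASTEXITCODE -ne 0) { throw "7za failed with exit code $LASTEXITCODE" }

      - name: sign
        run: |
          $ErrorActionPreference = 'Stop'
          $OutDir = Join-Path $env:ARCHIVE_DIR 'out'
          # Same parse as the validate step, so exactly the validated set is signed.
          $Files = @([regex]::Matches($env:FILES_TO_SIGN, '"([^"]+)"') |
            ForEach-Object { $_.Groups[1].Value })
          if ($Files.Count -eq 0) { throw 'No files to sign were provided.' }
          Push-Location $OutDir
          try {
            # `/a` lets signtool pick the "best" certificate in the store. Once
            # the production certificate is known, pin it with `/sha1 <thumbprint>`
            # so a stray certificate on the runner can never be selected.
            # The RFC 3161 timestamp response is itself signed, so the
            # vendor-documented http TSA endpoint is acceptable here.
            # $Files is splatted: each path is passed as a separate argument,
            # never re-parsed by a shell.
            & signtool sign /tr http://timestamp.globalsign.com/tsa/r6advanced1 `
              /td sha256 /fd sha256 /a @Files
            if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
            # Verify each signature chains under the default Authenticode policy
            # before anything is shipped.
            & signtool verify /pa /q @Files
            if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
          } finally {
            Pop-Location
          }

      - name: collect signed file diff
        # Copy only the signed files into signed-diff/files and write a
        # manifest.json of their SHA-256 hashes.
        run: |
          $ErrorActionPreference = 'Stop'
          $OutDir = Join-Path $env:ARCHIVE_DIR 'out'
          $DiffDir = Join-Path $env:ARCHIVE_DIR 'signed-diff'
          $FilesDir = Join-Path $DiffDir 'files'
          New-Item -ItemType Directory -Path $FilesDir -Force | Out-Null
          $ResolvedOut = (Resolve-Path -LiteralPath $OutDir).Path.TrimEnd('\')

          $SignedFiles = @([regex]::Matches($env:FILES_TO_SIGN, '"([^"]+)"') |
            ForEach-Object { $_.Groups[1].Value })
          if ($SignedFiles.Count -eq 0) { throw 'No files to sign were provided.' }

          $Manifest = @()
          foreach ($RelativePath in $SignedFiles) {
            $SourcePath = Join-Path $OutDir $RelativePath
            if (!(Test-Path -LiteralPath $SourcePath -PathType Leaf)) {
              throw "Signed file not found: $RelativePath"
            }
            # Belt and braces: the copy source must resolve inside $OutDir even
            # after symlink/junction resolution.
            $ResolvedSrc = (Resolve-Path -LiteralPath $SourcePath).Path
            if (!$ResolvedSrc.StartsWith($ResolvedOut + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
              throw "Refusing path outside extraction directory: $RelativePath"
            }
            $TargetPath = Join-Path $FilesDir $RelativePath
            $TargetDir = Split-Path -Parent $TargetPath
            if ($TargetDir) { New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null }
            Copy-Item -LiteralPath $SourcePath -Destination $TargetPath -Force
            $Manifest += [PSCustomObject]@{
              path   = $RelativePath
              sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $TargetPath).Hash
            }
          }
          $Manifest | ConvertTo-Json -Depth 4 |
            Out-File -FilePath (Join-Path $DiffDir 'manifest.json') -Encoding utf8
          Write-Host "Collected $($SignedFiles.Count) signed files."

      - name: upload
        uses: actions/upload-artifact@v4
        with:
          name: signed-${{ inputs.artifact-name }}
          path: ${{ env.ARCHIVE_DIR }}/signed-diff
          # An empty signed-diff would otherwise upload successfully and hide
          # a failure in the steps above.
          if-no-files-found: error

      - name: cleanup
        # Self-hosted runners keep the workspace between jobs: do not leave
        # the caller's build output lying around on the signing host.
        if: always()
        run: |
          if (Test-Path -LiteralPath $env:ARCHIVE_DIR) {
            Remove-Item -LiteralPath $env:ARCHIVE_DIR -Recurse -Force -ErrorAction SilentlyContinue
          }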