name: Release Sources

permissions:
  contents: read

on:
  workflow_dispatch:
    inputs:
      release-version:
        description: Release Version
        required: true
        type: string
  workflow_call:
    inputs:
      release-version:
        description: Release Version
        required: true
        type: string
    secrets:
      RELEASE_TASKS_USER_TOKEN:
        description: "Secret used to check user permissions."
        required: false
  # Run on pull_requests for testing purposes.
  pull_request:
    paths:
      - '.github/workflows/release-sources.yml'
      - 'llvm/utils/release/export.sh'
    types:
      - opened
      - synchronize
      - reopened
      # When a PR is closed, we still start this workflow, but then skip
      # all the jobs, which makes it effectively a no-op.  The reason to
      # do this is that it allows us to take advantage of concurrency groups
      # to cancel in progress CI jobs whenever the PR is closed.
      - closed

concurrency:
  group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }}
  cancel-in-progress: True

jobs:
  inputs:
    name: Collect Job Inputs
    if: >-
      github.repository_owner == 'llvm' &&
      github.event.action != 'closed'
    outputs:
      ref: ${{ steps.inputs.outputs.ref }}
      export-args: ${{ steps.inputs.outputs.export-args }}
    runs-on: ubuntu-24.04
    steps:
      - id: inputs
        run: |
          ref=${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }}
          if [ -n "${{ inputs.release-version }}" ]; then
            export_args="-release ${{ inputs.release-version }} -final"
          else
            export_args="-git-ref ${{ github.sha }}"
          fi
          echo "ref=$ref" >> $GITHUB_OUTPUT
          echo "export-args=$export_args" >> $GITHUB_OUTPUT

  release-sources:
    name: Package Release Sources
    if: github.repository_owner == 'llvm'
    runs-on: ubuntu-24.04
    outputs:
      digest: ${{ steps.digest.outputs.digest }}
      artifact-id: ${{ steps.artifact-upload.outputs.artifact-id }}
    needs:
      - inputs
    steps:
      - name: Checkout LLVM
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ needs.inputs.outputs.ref }}
          fetch-tags: true
      - name: Install Dependencies
        run: |
          pip install --require-hashes -r ./llvm/utils/git/requirements.txt

      - name: Create Tarballs
        run: |
          ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}

      - name: Generate sha256 digest for sources
        id: digest
        run: |
          echo "digest=$(cat *.xz | sha256sum | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
    
      - name: Release Sources Artifact
        id: artifact-upload
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ${{ needs.inputs.outputs.ref }}-sources
          path: |
            *.xz

  attest-release-sources:
    name: Attest Release Sources
    runs-on: ubuntu-24.04
    if: github.event_name != 'pull_request'
    needs:
      - inputs
      - release-sources
    permissions:
      id-token: write
      attestations: write
    steps:
      - name: Checkout Release Scripts
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          sparse-checkout: |
            .github/workflows/upload-release-artifact
            llvm/utils/release/github-upload-release.py
            llvm/utils/git/requirements.txt
          sparse-checkout-cone-mode: false

      - name: Upload Artifacts
        uses: ./.github/workflows/upload-release-artifact
        with:
          artifact-id: ${{ needs.release-sources.outputs.artifact-id }}
          attestation-name: ${{ needs.inputs.outputs.ref }}-sources-attestation
          digest: ${{ needs.release-sources.outputs.digest }}
          upload: false