on:
  push:
    tags:
      - 'v*.*.*'

env:
  REGISTRY: ghcr.io
  REGISTRY_USERNAME: ${{ github.repository_owner }}
  # Extensions to bake into the installer image.
  # Format: space-separated list of image:tag references (digests resolved at build time).
  EXTENSION_ISCSI_IMAGE: ghcr.io/siderolabs/iscsi-tools:v0.2.0
  EXTENSION_UTIL_LINUX_IMAGE: ghcr.io/siderolabs/util-linux-tools:2.41.2

jobs:
  build:
    permissions:
      contents: write
      packages: write
      attestations: write
      id-token: write
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@v4
      - uses: imjasonh/setup-crane@v0.4
        with:
          version: v0.20.5
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up GitHub Actions bot user
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

      - name: Extract Talos version from tag
        id: talos-version
        run: |
          # Tag format: v1.11.6-rpi5, v1.11.5-cm5, etc.
          # Extract the upstream Talos version (vMAJOR.MINOR.PATCH) from the tag.
          TAG="${{ github.ref_name }}"
          TALOS_VERSION=$(echo "$TAG" | grep -oE '^v[0-9]+\.[0-9]+\.[0-9]+')
          echo "TALOS_VERSION=${TALOS_VERSION}" >> $GITHUB_ENV
          echo "Resolved TALOS_VERSION=${TALOS_VERSION} from tag ${TAG}"

      - name: Resolve extension image digests
        run: |
          EXTENSIONS=""
          while IFS= read -r line; do
            IMAGE="${line#*=}"
            DIGEST=$(crane digest "$IMAGE")
            EXTENSIONS="$EXTENSIONS $IMAGE@$DIGEST"
          done < <(env | grep '^EXTENSION_')
          echo "EXTENSIONS=${EXTENSIONS# }" >> $GITHUB_ENV

      # ──────────────────────────────────────────────
      # Raspberry Pi 5
      # ──────────────────────────────────────────────

      - name: "Pi5 — Prepare (checkouts & patches)"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} checkouts patches-pi5

      - name: "Pi5 — Kernel"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} kernel

      - name: "Pi5 — Kernel initramfs"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} kern_initramfs

      - name: "Pi5 — Installer base"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} installer-base

      - name: "Pi5 — Imager"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} imager

      - name: "Pi5 — Overlay"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} overlay

      - name: "Pi5 — Build installer image (with extensions)"
        run: |
          make TALOS_VERSION=${{ env.TALOS_VERSION }} \
            REGISTRY=${{ env.REGISTRY }} \
            REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} \
            ASSET_TYPE=installer \
            EXTENSIONS="${{ env.EXTENSIONS }}" \
            installer-pi5
          crane push \
            ./checkouts/talos/_out/installer-arm64.tar \
            ${{ env.REGISTRY }}/${{ env.REGISTRY_USERNAME }}/installer:${{ github.ref_name }}-rpi5

      - name: "Pi5 — Build metal disk image"
        run: |
          make TALOS_VERSION=${{ env.TALOS_VERSION }} \
            REGISTRY=${{ env.REGISTRY }} \
            REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} \
            ASSET_TYPE=metal \
            EXTENSIONS="${{ env.EXTENSIONS }}" \
            installer-pi5
          unzstd -c ./checkouts/talos/_out/metal-arm64.raw.zst | xz -T0 > ./metal-arm64-rpi5.raw.xz

      # ──────────────────────────────────────────────
      # Raspberry Pi 4 / CM4
      # ──────────────────────────────────────────────

      - name: "Pi4 — Prepare (clean, re-checkout & patches)"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} checkouts-clean checkouts patches-pi4

      - name: "Pi4 — Kernel"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} kernel

      - name: "Pi4 — Kernel initramfs"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} kern_initramfs

      - name: "Pi4 — Installer base"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} installer-base

      - name: "Pi4 — Imager"
        run: make TALOS_VERSION=${{ env.TALOS_VERSION }} REGISTRY=${{ env.REGISTRY }} REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} imager

      - name: "Pi4 — Build installer image (with extensions)"
        run: |
          make TALOS_VERSION=${{ env.TALOS_VERSION }} \
            REGISTRY=${{ env.REGISTRY }} \
            REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} \
            ASSET_TYPE=installer \
            EXTENSIONS="${{ env.EXTENSIONS }}" \
            installer-pi4
          crane push \
            ./checkouts/talos/_out/installer-arm64.tar \
            ${{ env.REGISTRY }}/${{ env.REGISTRY_USERNAME }}/installer:${{ github.ref_name }}-rpi4

      - name: "Pi4 — Build metal disk image"
        run: |
          make TALOS_VERSION=${{ env.TALOS_VERSION }} \
            REGISTRY=${{ env.REGISTRY }} \
            REGISTRY_USERNAME=${{ env.REGISTRY_USERNAME }} \
            ASSET_TYPE=metal \
            EXTENSIONS="${{ env.EXTENSIONS }}" \
            installer-pi4
          unzstd -c ./checkouts/talos/_out/metal-arm64.raw.zst | xz -T0 > ./metal-arm64-rpi4.raw.xz

      # ──────────────────────────────────────────────
      # Release
      # ──────────────────────────────────────────────

      - name: Create GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          INSTALLER_PI5="${{ env.REGISTRY }}/${{ env.REGISTRY_USERNAME }}/installer:${{ github.ref_name }}-rpi5"
          INSTALLER_PI4="${{ env.REGISTRY }}/${{ env.REGISTRY_USERNAME }}/installer:${{ github.ref_name }}-rpi4"
          NOTES=$(cat <<EOF
          > ⚠️ Experimental build, use at your own risk.

          Patched Talos Linux for **Raspberry Pi 5** and **Raspberry Pi 4 / CM4**, including NVMe, NIC and USB support.

          ### Extensions included

          - \`iscsi-tools\` ${{ env.EXTENSION_ISCSI_IMAGE }}
          - \`util-linux-tools\` ${{ env.EXTENSION_UTIL_LINUX_IMAGE }}

          ### Artifacts

          | Platform | Disk image | Installer image |
          |----------|-----------|----------------|
          | **RPi 5 / CM5** | \`metal-arm64-rpi5.raw.xz\` | \`${INSTALLER_PI5}\` |
          | **RPi 4 / CM4** | \`metal-arm64-rpi4.raw.xz\` | \`${INSTALLER_PI4}\` |

          ### Fresh install

          Download the disk image for your board and flash it:
          \`\`\`bash
          xz -d metal-arm64-rpi5.raw.xz   # or metal-arm64-rpi4.raw.xz
          dd if=metal-arm64-rpi5.raw of=<disk> bs=4M status=progress
          \`\`\`

          ### Upgrade

          \`\`\`bash
          # Raspberry Pi 5
          talosctl upgrade --nodes <NODE_IP> --image ${INSTALLER_PI5}

          # Raspberry Pi 4 / CM4
          talosctl upgrade --nodes <NODE_IP> --image ${INSTALLER_PI4}
          \`\`\`

          EOF
          )
          gh release create \
            ${{ github.ref_name }} \
            metal-arm64-rpi5.raw.xz \
            metal-arm64-rpi4.raw.xz \
            --title "${{ github.ref_name }}" \
            --notes "$NOTES"