name: Build OpenClaw Plugin Runtime Release

on:
  push:
    branches: [main, release/**]
    paths:
      - "**/*.ts"
      - package.json
      - package-lock.json
      - openclaw.plugin.json
      - .github/workflows/runtime-release.yaml
  workflow_dispatch:

permissions:
  contents: write

concurrency:
  group: openclaw-plugin-runtime-release-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    name: Build Plugin Assets
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Use Node.js 22
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run build
        run: npm run build

      - name: Build runtime asset
        run: |
          set -euo pipefail
          root="dist/runtime/openclaw-multi-session-plugins"
          mkdir -p "${root}/dist" dist/assets
          
          # Maintain necessary file structure required by openclaw loader
          cp -a dist/index.js dist/index.d.ts dist/src "${root}/dist/"
          cp openclaw.plugin.json package.json "${root}/"
          
          tar -czf "dist/assets/openclaw-multi-session-plugins-runtime-all.tar.gz" \
            -C dist/runtime openclaw-multi-session-plugins
          
          (
            cd dist/assets
            sha256sum -- ./*.tar.gz | sed 's# \./# #' > "SHA256SUMS-all"
          )

      - uses: actions/upload-artifact@v4
        with:
          name: openclaw-plugin-assets
          path: |
            dist/assets/*.tar.gz
            dist/assets/SHA256SUMS-*
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: openclaw-plugin-assets
          path: dist
          merge-multiple: true

      - name: Publish assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          cat dist/SHA256SUMS-* | sort -u > dist/SHA256SUMS || true
          rm -f dist/SHA256SUMS-*

          # Publish (or refresh) a release with the runtime tarball + checksums.
          # --latest=false keeps GitHub's "Latest release" pointer free for the
          # human-facing v* tags; deployments pull via explicit tag URLs instead.
          publish_release() {
            local tag="$1" title="$2"
            if gh release view "${tag}" --repo "${GITHUB_REPOSITORY}" >/dev/null 2>&1; then
              gh release upload "${tag}" dist/*.tar.gz dist/SHA256SUMS \
                --repo "${GITHUB_REPOSITORY}" --clobber
            else
              gh release create "${tag}" dist/*.tar.gz dist/SHA256SUMS \
                --repo "${GITHUB_REPOSITORY}" \
                --target "${GITHUB_SHA}" \
                --latest=false \
                --title "${title}" \
                --notes "Prebuilt Plugin assets. No target-host build or Nix profile installation required."
            fi
          }

          # Immutable per-commit release for traceability.
          publish_release "runtime-${GITHUB_SHA::12}" "OpenClaw Plugin runtime ${GITHUB_SHA::12}"
          # Stable moving release so deployments resolve a deterministic URL
          # (releases/download/runtime-latest/...) instead of the mutable
          # /releases/latest/ pointer, which collides with other release tracks.
          publish_release "runtime-latest" "OpenClaw Plugin runtime (latest)"