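---
# Scheduled / on-demand job: build, sign and verify the thin mirror bundle,
# then publish the signed outputs as a workflow artifact.
name: Mirror Thin Bundle Sign & Verify

# yamllint disable-line rule:truthy -- `on` is a GitHub Actions key here, not a boolean.
on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * *'

jobs:
  mirror-sign:
    runs-on: ubuntu-22.04
    # NOTE(review): no `permissions:` block, so GITHUB_TOKEN keeps the repository
    # default scope. The visible steps (checkout, upload-artifact) need only
    # `contents: read`; add `permissions: { contents: read }` here unless
    # ci-sign.sh (OCI=1) pushes with the token -- confirm against that script.
    env:
      MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
      # Strict by default; the fallback step below relaxes this to 0 when the
      # secret is absent. Both values are consumed by the scripts, not here.
      REQUIRE_PROD_SIGNING: 1
      OCI: 1
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history; presumably needed by the mirror scripts -- confirm

      # When the signing secret is not available, sign with the dev key committed
      # under tools/cosign/ and mark the run as non-production.
      # NOTE(review): this fallback also fires on `schedule` runs of the main
      # repository, so a missing/misnamed secret would silently yield dev-signed
      # artifacts instead of a failed job; consider guarding the step with
      # `if: github.event_name != 'schedule'` so nightly runs fail loudly.
      - name: Fallback to dev signing key when secret is absent (non-prod only)
        run: |
          if [ -z "${MIRROR_SIGN_KEY_B64}" ]; then
            echo "[warn] MIRROR_SIGN_KEY_B64 not set; using repo dev key for non-production signing."
            # $GITHUB_ENV is quoted so a path containing spaces cannot split the redirect target.
            echo "MIRROR_SIGN_KEY_B64=$(base64 -w0 tools/cosign/cosign.dev.key)" >> "$GITHUB_ENV"
            echo "REQUIRE_PROD_SIGNING=0" >> "$GITHUB_ENV"
          fi

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          # Quoted so version-like values are never retyped by tooling.
          dotnet-version: '10.0.100'
          # NOTE(review): `include-prerelease` is an input from early setup-dotnet
          # majors; later majors select previews via `dotnet-quality` -- confirm
          # that v4 still honours this input rather than ignoring it.
          include-prerelease: true

      - name: Task Pack offline bundle fixtures
        # NOTE(review): a `.sh` path is run through python3 -- either the
        # interpreter or the file extension looks wrong; confirm which is intended.
        run: python3 scripts/packs/run-fixtures-check.sh

      # Fails the job before signing if the key/tooling preconditions are not met.
      - name: Verify signing prerequisites
        run: scripts/mirror/check_signing_prereqs.sh

      - name: Run mirror signing
        run: |
          scripts/mirror/ci-sign.sh

      # Verification runs in the same job, so the freshly produced bundle is
      # checked before anything is uploaded.
      - name: Verify signed bundle
        run: |
          scripts/mirror/verify_thin_bundle.py out/mirror/thin/mirror-thin-v1.tar.gz

      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: mirror-thin-v1-signed
          path: |
            out/mirror/thin/mirror-thin-v1.tar.gz
            out/mirror/thin/mirror-thin-v1.manifest.json
            out/mirror/thin/mirror-thin-v1.manifest.dsse.json
            out/mirror/thin/tuf/
            out/mirror/thin/oci/
            out/mirror/thin/milestone.json
          if-no-files-found: error  # a missing signed output is a failure, not a warning
          retention-days: 14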