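# Packages the LLVM release source tarballs, attests their build provenance
# and uploads the tarballs together with the attestation bundle as workflow
# artifacts.
name: Release Sources

# Workflow-wide default for the GITHUB_TOKEN; jobs that need more declare it
# themselves.
permissions:
  contents: read

on:
  workflow_dispatch:
    inputs:
      release-version:
        description: Release Version
        required: true
        type: string
  workflow_call:
    inputs:
      release-version:
        description: Release Version
        required: true
        type: string
    secrets:
      RELEASE_TASKS_USER_TOKEN:
        description: "Secret used to check user permissions."
        required: false
  # Run on pull_requests for testing purposes.
  pull_request:
    paths:
      - '.github/workflows/release-sources.yml'
    types:
      - opened
      - synchronize
      - reopened
      # When a PR is closed, we still start this workflow, but then skip
      # all the jobs, which makes it effectively a no-op.  The reason to
      # do this is that it allows us to take advantage of concurrency groups
      # to cancel in progress CI jobs whenever the PR is closed.
      - closed

concurrency:
  group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  inputs:
    name: Collect Job Inputs
    if: >-
      github.repository_owner == 'llvm' &&
      github.event.action != 'closed'
    outputs:
      ref: ${{ steps.inputs.outputs.ref }}
      export-args: ${{ steps.inputs.outputs.export-args }}
    runs-on: ubuntu-latest
    steps:
      - id: inputs
        # release-version is caller-supplied text.  It is handed to the shell
        # through the environment instead of being expanded into the script
        # by the `${{ }}` templating, so its content is always treated as
        # data and never parsed as shell syntax.
        env:
          RELEASE_VERSION: ${{ inputs.release-version }}
          REF: ${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          if [ -n "$RELEASE_VERSION" ]; then
            export_args="-release $RELEASE_VERSION -final"
          else
            export_args="-git-ref $COMMIT_SHA"
          fi
          echo "ref=$REF" >> "$GITHUB_OUTPUT"
          echo "export-args=$export_args" >> "$GITHUB_OUTPUT"

  release-sources:
    name: Package Release Sources
    if: github.repository_owner == 'llvm'
    runs-on: ubuntu-latest
    needs:
      - inputs
    # A job-level permissions block replaces the workflow-level one: scopes
    # not listed here are not granted to this job.  id-token and attestations
    # are the scopes used by the provenance attestation step below.
    permissions:
      id-token: write
      attestations: write
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the release tag the SHA was taken from.
      # NOTE(review): actions/checkout leaves the job token in the local git
      # config by default; consider `persist-credentials: false` if no later
      # step needs authenticated git access (confirm against export.sh).
      - name: Checkout LLVM
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ needs.inputs.outputs.ref }}
          fetch-tags: true

      # --require-hashes makes pip reject any package whose hash is not
      # listed in the requirements file.
      - name: Install Dependencies
        run: |
          pip install --require-hashes -r ./llvm/utils/git/requirements.txt

      # Skipped for pull_request runs, which exist only to test the workflow.
      - name: Check Permissions
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ github.token }}
          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
          ACTOR: ${{ github.actor }}
        run: |
          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$ACTOR" --user-token "$USER_TOKEN" check-permissions

      - name: Create Tarballs
        env:
          EXPORT_ARGS: ${{ needs.inputs.outputs.export-args }}
        # $EXPORT_ARGS is left unquoted on purpose: it holds several
        # space-separated arguments that must be split into words.  Coming
        # from the environment, it cannot introduce new shell commands.
        run: |
          ./llvm/utils/release/export.sh $EXPORT_ARGS

      - name: Attest Build Provenance
        if: github.event_name != 'pull_request'
        id: provenance
        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
        with:
          subject-path: "*.xz"

      # Move the attestation bundle into the workspace so the upload step
      # below can pick it up.
      - if: github.event_name != 'pull_request'
        env:
          BUNDLE_PATH: ${{ steps.provenance.outputs.bundle-path }}
        run: |
          mv "$BUNDLE_PATH" .

      - name: Create Tarball Artifacts
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          path: |
            *.xz
            attestation.jsonl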