name: 📖 Build & Sign PDFs

on:
  workflow_dispatch:
    inputs:
      build_mode:
        description: 'PDF build mode'
        required: true
        default: 'both'
        type: choice
        options:
          - light
          - dark
          - both
  push:
    branches:
      - main
    paths:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
      - ".github/workflows/**"

permissions:
  contents: write
  id-token: write

jobs:
  build-sign-release:
    name: Build, Sign & Release PDFs
    runs-on: ubuntu-latest
    steps:
      - name: 🛠️ Checkout
        uses: actions/checkout@v4

      - name: 🐍 Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: 📦 Install MkDocs Material
        run: pip install mkdocs-material

      - name: Setup Chrome
        uses: browser-actions/setup-chrome@v2
        with:
          chrome-version: 120
          install-dependencies: true
          install-chromedriver: true

      - name: 🔑 Install GPG tools
        run: |
          sudo apt-get update
          sudo apt-get install gnupg

      - name: 🖨️ Build & Hash PDFs
        env:
          CI: true
        run: |
          python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }}
          for f in ./export/*.pdf; do
            echo "sha256sums: $f"; sha256sum "$f" >> export/sha256sums.txt; done
          for f in ./export/*.pdf; do
            echo "b2sums: $f"; b2sum "$f" >> export/b2sums.txt; done

      - name: 🦠 Upload PDFs to VirusTotal
        uses: crazy-max/ghaction-virustotal@v5
        with:
          vt_api_key: ${{ secrets.VT_API_KEY }}
          files: |
            export/thgtoa.pdf
            export/thgtoa-dark.pdf

      - name: 📊 Extract VT scan results
        id: vt-scan
        run: |
          echo "status=completed" >> $GITHUB_OUTPUT

      - name: 🔗 Generate VT report links
        run: |
          # Create a markdown file with VT scan results and links
          cat > export/virus-total-results.md << EOF
          ## VirusTotal Scan Results

          **Scan Date:** \$(date -u +"%Y-%m-%d %H:%M UTC")

          ### thgtoa.pdf (Light Mode)
          - **VT Report:** https://www.virustotal.com/gui/file/\$(sha256sum export/thgtoa.pdf | cut -d' ' -f1)

          ### thgtoa-dark.pdf (Dark Mode) (currently broken)
          - **VT Report:** https://www.virustotal.com/gui/file/\$(sha256sum export/thgtoa-dark.pdf | cut -d' ' -f1)

          ---
          *Scan performed automatically by GitHub Actions*
          EOF

      - name: 📤 Upload export directory as artifact
        uses: actions/upload-artifact@v4
        with:
          name: upload pdf artifact
          path: |
            export/*
          if-no-files-found: error
          retention-days: 90
          compression-level: 0