thgtoa/.github/workflows/build-pdf.yml

name: 📖 Build, Scan & Release PDF

on:
  workflow_dispatch:
    inputs:
      build_mode:
        description: 'PDF build mode'
        required: true
        default: 'both'
        type: choice
        options:
          - light
          - dark
          - both
      release_mode:
        description: 'Release update mode'
        required: false
        default: 'tag'
        type: choice
        options:
          - tag
          - latest
  push:
    branches:
      - main
    paths:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
      - ".github/workflows/**"

permissions:
  contents: write
  id-token: write

jobs:
  build:
    name: Build PDFs (${{ inputs.build_mode || 'both' }})
    runs-on: ubuntu-latest
    steps:
      - name: 🛠️ Checkout
        uses: actions/checkout@v4

      - name: 🐍 Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: 📦 Install MkDocs Material
        run: pip install mkdocs-material

      - name: Setup Chrome
        uses: browser-actions/setup-chrome@v2
        with:
          chrome-version: 120
          install-dependencies: true
          install-chromedriver: true

      - name: 🔑 Install GPG tools
        run: |
          sudo apt-get update
          sudo apt-get install gnupg

      - name: 🖨️ Build PDFs
        env:
          CI: true
        run: python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }}

      - name: 🔒 Sign PDFs with GPG key
        env:
          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          cd ${{ github.workspace }}

          # Import GPG key
          export GPG_TTY=$(tty)
          echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true

          # Verify the key was imported
          if gpg --list-secret-keys &>/dev/null; then
            # Sign the PDFs (detach signature)
            gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf 2>/dev/null || true
            gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf 2>/dev/null || true

            # Create combined hash file and sign it
            sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256
            sha256sum export/thgtoa-dark.pdf > export/thgtoa-dark.sha256
            gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf.sha256 2>/dev/null || true
            gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf.sha256 2>/dev/null || true

            # Create individual hash files
            sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256
            sha256sum export/thgtoa-dark.pdf > export/thgtoa-dark.pdf.sha256
          fi

      - name: 📤 Upload PDF artifacts
        uses: actions/upload-artifact@v4
        with:
          name: pdf-artifacts-${{ inputs.build_mode || 'both' }}
          path: |
            export/*.pdf
            export/*.sig
            export/*.sha256
          if-no-files-found: error
          retention-days: 90
          archive: false

  scan-and-release:
    name: Scan & Release
    runs-on: ubuntu-latest
    needs: build
    if: always() && contains(needs.build.result, 'success')

    steps:
      - name: 🚀 Checkout
        uses: actions/checkout@v4

      - name: 🔽 Download PDF artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: pdf-artifacts
          path: export/
          merge-multiple: true

      - name: 🦠 VirusTotal Scan & Release Update
        env:
          VT_API_KEY: ${{ secrets.VT_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          chmod +x scripts/pdf_release.sh

          # Determine build mode from input or default to both
          BUILD_MODE="${{ inputs.build_mode || 'both' }}"
          RELEASE_MODE="${{ inputs.release_mode || 'tag' }}"

          echo "Running PDF release script..."
          echo "Build Mode: $BUILD_MODE"
          echo "Release Mode: $RELEASE_MODE"

          # Run the release script
          ./scripts/pdf_release.sh \
            --build "$BUILD_MODE" \
            --release "$RELEASE_MODE" \
            --vt-api-key "$VT_API_KEY" \
            --github-token "$GITHUB_TOKEN"

      - name: 📊 Upload scan results artifact
        uses: actions/upload-artifact@v4
        with:
          name: vt-scan-results-${{ inputs.build_mode || 'both' }}
          path: |
            export/virus-total-results.md
          if-no-files-found: warn
          retention-days: 30