# As (somewhat) described at
# https://docs.microsoft.com/en-us/azure/devops/pipelines/process/templates?view=azure-devops#context,
# each template only has access to the parameters passed into it. To help make
# use of this design, we define snapReleaseChannel without a default value
# which requires the user of this template to define it as described at
# https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/parameters-name?view=azure-pipelines#remarks.
# This makes the user of this template be explicit while allowing them to
# define their own parameters with defaults that make sense for that context.
parameters:
- name: snapReleaseChannel
  type: string
  values:
  - edge
  - beta

jobs:
  # This job relies on credentials used to publish the Certbot snaps. This
  # credential file was created by running:
  #
  #   snapcraft logout
  #   snapcraft export-login --channels=beta,edge snapcraft.cfg
  #     (provide the shared snapcraft credentials when prompted)
  #
  # Then the file was added as a secure file in Azure pipelines
  # with the name snapcraft.cfg by following the instructions at
  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops
  # including authorizing the file for use in the "nightly" and "release"
  # pipelines as described at
  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops#q-how-do-i-authorize-a-secure-file-for-use-in-a-specific-pipeline.
  #
  # This file has a maximum lifetime of one year and the current file will
  # expire on 2024-02-10. The file will need to be updated before then to
  # prevent automated deploys from breaking.
  #
  # Revoking these credentials can be done by changing the password of the
  # account used to generate the credentials. See
  # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for
  # more info.
  - job: publish_snap
    pool:
      vmImage: ubuntu-22.04
    variables:
      - group: certbot-common
    strategy:
      matrix:
        amd64:
          SNAP_ARCH: amd64
        arm32v6:
          SNAP_ARCH: armhf
        arm64v8:
          SNAP_ARCH: arm64
    steps:
      - bash: |
          set -e
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends snapd
          sudo snap install --classic snapcraft
        displayName: Install dependencies
      - task: DownloadPipelineArtifact@2
        inputs:
          artifact: snaps_$(SNAP_ARCH)
          path: $(Build.SourcesDirectory)/snap
        displayName: Retrieve Certbot snaps
      - task: DownloadSecureFile@1
        name: snapcraftCfg
        inputs:
          secureFile: snapcraft.cfg
      - bash: |
          set -e
          export SNAPCRAFT_STORE_CREDENTIALS=$(cat "$(snapcraftCfg.secureFilePath)")
          for SNAP_FILE in snap/*.snap; do
            tools/retry.sh eval snapcraft upload --release=${{ parameters.snapReleaseChannel }} "${SNAP_FILE}"
          done
        displayName: Publish to Snap store
  # The credentials used in the following jobs are for the shared
  # certbotbot account on Docker Hub. The credentials are stored
  # in a service account which was created by following the
  # instructions at
  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg.
  # The name given to this service account must match the value
  # given to containerRegistry below. The authentication used when
  # creating this service account was a personal access token
  # rather than a password to bypass 2FA. When Brad set this up,
  # Azure Pipelines failed to verify the credentials with an error
  # like "access is forbidden with a JWT issued from a personal
  # access token", but after saving them without verification, the
  # access token worked when the pipeline actually ran. "Grant
  # access to all pipelines" should also be checked on the service
  # account. The access token can be deleted on Docker Hub if
  # these credentials need to be revoked.
  - job: publish_docker_by_arch
    pool:
      vmImage: ubuntu-22.04
    strategy:
      matrix:
        arm32v6:
          DOCKER_ARCH: arm32v6
        arm64v8:
          DOCKER_ARCH: arm64v8
        amd64:
          DOCKER_ARCH: amd64
    steps:
      - task: DownloadPipelineArtifact@2
        inputs:
          artifact: docker_$(DOCKER_ARCH)
          path: $(Build.SourcesDirectory)
        displayName: Retrieve Docker images
      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
        displayName: Load Docker images
      - task: Docker@2
        inputs:
          command: login
          containerRegistry: docker-hub
        displayName: Login to Docker Hub
      - bash: set -e && tools/docker/deploy_images.sh $(dockerTag) $DOCKER_ARCH
        displayName: Deploy the Docker images by architecture
  - job: publish_docker_multiarch
    dependsOn: publish_docker_by_arch
    pool:
      vmImage: ubuntu-22.04
    steps:
      - task: Docker@2
        inputs:
          command: login
          containerRegistry: docker-hub
        displayName: Login to Docker Hub
      - bash: set -e && tools/docker/deploy_manifests.sh $(dockerTag) all
        displayName: Deploy the Docker multiarch manifests