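# Nightly signed build: runs on a schedule (02:00 UTC daily) or on manual
# dispatch, builds the `master` and `development` refs, and republishes the
# matching `nightly-<ref>` release.
name: "Nightly deploy"

on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

# Workflow-wide default is read-only; the job that publishes the release
# requests write access itself, so a job added later does not inherit it.
permissions:
  contents: read

jobs:
  nightly:
    name: Deploy nightly
    permissions:
      # Needed by the release step at the end of the job.
      contents: write
    strategy:
      # One ref failing must not cancel the nightly for the other ref.
      fail-fast: false
      matrix:
        refs: [master, development]
    runs-on: ubuntu-latest
    env:
      # One directory above the workspace, i.e. outside the checked-out tree
      # that the `release/*.*` upload glob is resolved against.
      SIGNING_KEY_PATH: ${{ github.workspace }}/../private.pem
    steps:
      - name: Validate signing secret
        env:
          # Handed over through the environment instead of being expanded
          # into the script text, so the value is never parsed as shell.
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          test -n "${PRIVATE_KEY_B64}" || {
            echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
            exit 1
          }

      # NOTE(review): both `uses:` entries in this job reference a mutable
      # tag. Pinning them as `owner/repo@<full-commit-sha>` keeps a moved tag
      # from changing what runs in a job that holds the signing key.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.refs }}
          submodules: 'recursive'
          # Do not leave the job token in the local git config for the
          # build scripts that run afterwards.
          persist-credentials: false

      - name: Restore private key
        env:
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          # Create the file owner-only from the start instead of narrowing
          # its mode after the key material has already been written.
          umask 077
          printf '%s\n' "${PRIVATE_KEY_B64}" | base64 -d > "${SIGNING_KEY_PATH}"
          chmod 600 "${SIGNING_KEY_PATH}"

      # NOTE(review): the scripts below come from the checked-out ref and its
      # submodules and run while the signing key is on disk, so anyone who can
      # push to `master` or `development` can reach the key. Confirm both
      # branches are protected.
      - name: Build
        env:
          PICO_SDK_PATH: ../pico-sdk
          # Same file as SIGNING_KEY_PATH.
          SECURE_BOOT_PKEY: ${{ github.workspace }}/../private.pem
        run: |
          ./workflows/autobuild.sh pico
          ./build_pico_hsm.sh --no-eddsa
          ./workflows/autobuild.sh esp32

      # `always()` so the key is removed even when the build step fails.
      - name: Delete private key
        if: always()
        run: rm -f "${SIGNING_KEY_PATH}"

      - name: Update nightly release
        uses: pyTooling/Actions/releaser@v6.7.0
        with:
          tag: nightly-${{ matrix.refs }}
          rm: true
          token: ${{ secrets.GITHUB_TOKEN }}
          files: release/*.*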