name: Publish to AUR

   on:
     push:
       tags:
         - 'v*'
     workflow_dispatch:
       inputs:
         tag:
           description: 'Tag (v开头)'
           required: false
           type: string

   jobs:
     aur:
       runs-on: ubuntu-latest
       container:
         image: archlinux:latest
       steps:
         - name: Install dependencies
           run: |
             pacman -Sy --noconfirm git openssh base-devel aurpublish sudo
             # 创建 builder 用户
             useradd -m builder
             # 允许 builder 无密码 sudo
             echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

         - name: Set up SSH for AUR
           run: |
             mkdir -p /home/builder/.ssh
             echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > /home/builder/.ssh/id_ed25519
             chmod 600 /home/builder/.ssh/id_ed25519
             chmod 700 /home/builder/.ssh

             # 扫描 host key
             ssh-keyscan -t ed25519 aur.archlinux.org >> /home/builder/.ssh/known_hosts || true
             chmod 644 /home/builder/.ssh/known_hosts

             chown -R builder:builder /home/builder/.ssh

         - name: Clone AUR repo
           run: |
             # 使用 sudo -u builder <<EOF 方式避免引号噩梦
             sudo -u builder bash <<EOF
               export GIT_SSH_COMMAND="ssh -i /home/builder/.ssh/id_ed25519 -o UserKnownHostsFile=/home/builder/.ssh/known_hosts -o StrictHostKeyChecking=no"
               git clone ssh://aur@aur.archlinux.org/soon.git /home/builder/aur-push
             EOF

         - name: Set git user
           run: |
             sudo -u builder git config --global user.name "github-actions[bot]"
             sudo -u builder git config --global user.email "github-actions[bot]@users.noreply.github.com"
             sudo -u builder git config --global --add safe.directory /home/builder/aur-push

         - name: Update PKGBUILD and .SRCINFO
           run: |
             if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ github.event.inputs.tag }}" ]; then
               TAG="${{ github.event.inputs.tag }}"
             else
               TAG="${GITHUB_REF##*/}"
             fi
             VERSION="${TAG#v}"
             echo "Updating to version: $VERSION"

             # 使用 EOF 块，清晰且安全
             sudo -u builder bash <<EOF
               cd /home/builder/aur-push
               sed -i "s/^pkgver=.*/pkgver=${VERSION}/" PKGBUILD
               makepkg --printsrcinfo > .SRCINFO

               git add PKGBUILD .SRCINFO
               if ! git diff --cached --quiet; then
                 git commit -m "release: $VERSION"
               else
                 echo "No changes to commit"
               fi
             EOF

         - name: Publish to AUR with aurpublish
           run: |
             sudo -u builder bash <<EOF
               cd /home/builder/aur-push
               export GIT_SSH_COMMAND="ssh -i /home/builder/.ssh/id_ed25519 -o UserKnownHostsFile=/home/builder/.ssh/known_hosts -o StrictHostKeyChecking=no"
               aurpublish soon
             EOF