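#!/bin/bash
#
# Download one asset of a Gitea release, unpack it, and push every .nupkg it
# contains to the Gitea NuGet package feed.
#
# Required environment:
#   GITEA_SERVER_URL  base URL of the Gitea instance
#   GITEA_REPOSITORY  repository path inserted into the releases API URL
#   RELEASE_VERSION   version; the release tag looked up is "v$RELEASE_VERSION"
#   RELEASE_INDEX     zero-based index into the release's .assets array
#   RUNNER_TOKEN      token used for the API call, the download and the push
#   NUGET_AUTHOR      owner segment of the NuGet feed URL
set -Eeuo pipefail

#######################################
# Print a banner that separates the stages of the run in the job log.
# Arguments: $1 - stage title
# Outputs:   banner on stdout
#######################################
section() {
  printf '\n==================================================\n'
  printf '%s\n' "$1"
  printf -- '--------------------------------------------------\n'
}

#######################################
# Log NAME=VALUE and abort when the value is empty or the literal "null"
# (which is what `jq -r` prints for a missing field).
# Values whose name looks like a credential are logged as "***".
# Arguments: $1 - variable name, $2 - value
# Outputs:   NAME=VALUE on stdout, error message on stderr
# Returns:   exits 1 on an empty/"null" value
#######################################
require_value() {
  local name="$1"
  local value="$2"
  local display_value="$value"

  # Keep credentials out of the job log.
  case "$name" in
    *TOKEN*|*SECRET*|*PASSWORD*|*PASS*|*KEY*)
      display_value="***"
      ;;
  esac
  printf '%s=%s\n' "$name" "$display_value"

  if [ -z "$value" ] || [ "$value" = "null" ]; then
    printf '錯誤:%s 不可為空\n' "$name" >&2
    exit 1
  fi
}

#######################################
# Abort unless the value is a plain non-negative integer.
# RELEASE_INDEX is spliced into a jq program further down, so anything other
# than digits must be rejected before that point.
# NOTE(review): the original body of this function is not recoverable from
# the page (only its closing `>&2 exit 1 fi }` survived); this is a
# reconstruction, including the error text - confirm against the real file.
# Arguments: $1 - candidate index
# Returns:   exits 1 when the value is not all digits
#######################################
require_index() {
  local value="$1"

  if ! [[ "$value" =~ ^[0-9]+$ ]]; then
    printf '錯誤:RELEASE_INDEX 必須為非負整數:%s\n' "$value" >&2
    exit 1
  fi
}

#######################################
# Abort unless the asset name is a bare file name.
# The name comes from the API response and is used as a local path, so it
# must not be able to point outside the working directory.
# Arguments: $1 - asset name
# Returns:   exits 1 on a name with a path separator, or "." / ".."
#######################################
require_safe_filename() {
  local name="$1"

  case "$name" in
    */*|*\\*|.|..)
      printf '錯誤:成品名稱不安全:%s\n' "$name" >&2
      exit 1
      ;;
  esac
}

#######################################
# Refuse an archive whose entry names would be extracted outside the target
# directory (absolute paths or ".." components; "\" is treated like "/").
# NOTE(review): only entry names are checked. Symlink entries are not
# inspected here - confirm the unzip build on the runner does not write
# through links it has just extracted.
# Arguments: $1 - path to the zip archive
# Returns:   exits 1 when the listing fails or an unsafe entry is found
#######################################
validate_release_archive() {
  local archive="$1"
  local archive_entries
  local entry
  local normalized_entry

  if ! archive_entries="$(unzip -Z1 "$archive")"; then
    printf '錯誤:無法讀取壓縮檔:%s\n' "$archive" >&2
    exit 1
  fi

  while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    normalized_entry="${entry//\\//}"
    case "$normalized_entry" in
      /*|../*|*/../*|*/..|..)
        printf '錯誤:壓縮檔包含不安全路徑:%s\n' "$entry" >&2
        exit 1
        ;;
    esac
  done <<<"$archive_entries"
}

#######################################
# curl wrapper that sends the Authorization header from stdin (`-H @-`,
# curl 7.55.0 or newer) so the token does not appear in the process list.
# Globals:   release_header (read)
# Arguments: passed through to curl
#######################################
gitea_curl() {
  curl -fsSL -H @- "$@" <<<"$release_header"
}

section "參數檢查"
require_value "GITEA_SERVER_URL" "${GITEA_SERVER_URL:-}"
require_value "GITEA_REPOSITORY" "${GITEA_REPOSITORY:-}"
require_value "RELEASE_VERSION" "${RELEASE_VERSION:-}"
require_value "RELEASE_INDEX" "${RELEASE_INDEX:-}"
require_index "${RELEASE_INDEX:-}"
require_value "RUNNER_TOKEN" "${RUNNER_TOKEN:-}"
require_value "NUGET_AUTHOR" "${NUGET_AUTHOR:-}"

section "取得成品連結"
release_header="Authorization: token $RUNNER_TOKEN"
release_api_url="$GITEA_SERVER_URL/api/v1/repos/$GITEA_REPOSITORY/releases/tags/v$RELEASE_VERSION"
printf 'RELEASE_API_URL=%s\n' "$release_api_url"

release_json="$(gitea_curl "$release_api_url")"
# RELEASE_INDEX becomes part of the jq program text; require_index above is
# what keeps this from being a filter injection.
release_asset_path=".assets[$RELEASE_INDEX]"

release_name="$(printf '%s' "$release_json" | jq -r "$release_asset_path.name")"
require_value "RELEASE_NAME" "$release_name"
require_safe_filename "$release_name"
# "./" keeps a name that starts with "-" from being parsed as an option.
release_file="./$release_name"

release_url="$(printf '%s' "$release_json" | jq -r "$release_asset_path.browser_download_url")"
require_value "RELEASE_URL" "$release_url"

section "下載成品"
# NOTE(review): the token is sent to whatever host browser_download_url
# names; confirm that URL is expected to stay on the Gitea instance.
gitea_curl "$release_url" -o "$release_file"
printf '已下載:%s\n' "$release_name"

section "解壓縮成品"
rm -rf output
mkdir -p output
validate_release_archive "$release_file"
unzip -q "$release_file" -d output
printf '已解壓縮到:%s\n' "output"

section "推送 NUGET 套件"
nuget_source="$GITEA_SERVER_URL/api/packages/$NUGET_AUTHOR/nuget/index.json"
printf 'NUGET_SOURCE=%s\n' "$nuget_source"

mapfile -t nuget_packages < <(find output -type f -name '*.nupkg' | sort)
if [ "${#nuget_packages[@]}" -eq 0 ]; then
  printf '錯誤:找不到 .nupkg 檔案\n' >&2
  exit 1
fi

# NOTE(review): --api-key puts the token on dotnet's command line, where it
# is visible to other processes on the runner for the duration of the push.
nuget_push_args=(
  --source "$nuget_source"
  --api-key "$RUNNER_TOKEN"
  --skip-duplicate
)
# Allow plain HTTP only when the feed itself is plain HTTP. With an https
# feed the flag is left off so the API key cannot be sent in cleartext
# without anyone noticing.
if [[ "${nuget_source,,}" == http://* ]]; then
  printf '警告:NUGET 來源使用未加密的 HTTP 連線\n' >&2
  nuget_push_args+=(--allow-insecure-connections)
fi

for nuget_package in "${nuget_packages[@]}"; do
  printf 'NUGET_PACKAGE=%s\n' "$nuget_package"
  dotnet nuget push "$nuget_package" "${nuget_push_args[@]}"
done

section "完成"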