name: macOS Release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22 or v2026.3.22-beta.1)
        required: true
        type: string
      preflight_only:
        description: Retained for operator compatibility; this public workflow is validation-only
        required: true
        default: true
        type: boolean

concurrency:
  group: macos-release-${{ inputs.tag }}
  cancel-in-progress: false

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  NODE_VERSION: "24.x"
  PNPM_VERSION: "10.23.0"

jobs:
  validate_macos_release_request:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Validate tag input format
        env:
          RELEASE_TAG: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
            echo "Invalid release tag format: ${RELEASE_TAG}"
            exit 1
          fi

      - name: Checkout selected tag
        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0

      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}
          install-bun: "false"
          use-sticky-disk: "false"

      - name: Ensure matching GitHub release exists
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ inputs.tag }}
        run: gh release view "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" >/dev/null

      - name: Validate release tag and package metadata
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          RELEASE_MAIN_REF: origin/main
        run: |
          set -euo pipefail
          RELEASE_SHA=$(git rev-parse HEAD)
          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
          pnpm release:openclaw:npm:check

      - name: Summarize next step
        env:
          RELEASE_TAG: ${{ inputs.tag }}
        run: |
          {
            echo "## Public macOS validation only"
            echo
            echo "This workflow no longer builds, signs, notarizes, or uploads macOS assets."
            echo
            echo "Next step:"
            echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml\` with tag \`${RELEASE_TAG}\`."
            echo "- Use \`preflight_only=true\` there for the full private mac preflight."
            echo "- For the real publish path, the private run uploads the packaged \`.zip\`, \`.dmg\`, and \`.dSYM.zip\` files to the existing GitHub release in \`openclaw/openclaw\` automatically."
            echo "- For stable releases, also download \`macos-appcast-${RELEASE_TAG}\` from the successful private run and commit \`appcast.xml\` back to \`main\` in \`openclaw/openclaw\`."
          } >> "$GITHUB_STEP_SUMMARY"