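# Manually triggered workflow that gathers the repository secrets listed below
# into one text bundle, encrypts it symmetrically with gpg (AES256) under
# BACKUP_PASSWORD, and mails the resulting secrets.env.gpg to a fixed address.
#
# Review notes:
# - Once the bundle leaves GitHub, the confidentiality of every secret in it
#   depends only on the strength of BACKUP_PASSWORD. The ciphertext also
#   persists in the sender's and recipient's mailboxes. Use a long random
#   passphrase and rotate the bundled secrets if it or a mailbox is exposed.
# - workflow_dispatch can be started by anyone with write access to the
#   repository. Consider running the job in a protected environment with
#   required reviewers so the export needs explicit approval.
# - Both actions are referenced by mutable tags. Pin each `uses:` to a full
#   commit SHA (for example `owner/action@<full-commit-sha>  # vX`) so a
#   retagged release cannot change the code that handles these secrets.
name: Secure Send Secrets to Email

on:
  workflow_dispatch:

# The job never writes to the repository; keep the GITHUB_TOKEN read-only.
permissions:
  contents: read

jobs:
  send_encrypted_email:
    runs-on: ubuntu-latest
    steps:
      # No later step reads files from the working tree, so this checkout
      # could be dropped. It is kept for compatibility, without leaving the
      # token in .git/config.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Encrypt Secrets
        shell: bash
        env:
          BACKUP_PASSWORD: ${{ secrets.BACKUP_PASSWORD }}
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          BUILD_CERTIFICATE_MAS_BASE64: ${{ secrets.BUILD_CERTIFICATE_MAS_BASE64 }}
          C1N_TOKEN: ${{ secrets.C1N_TOKEN }}
          ELECTRON_SKIP_NOTARIZATION: ${{ secrets.ELECTRON_SKIP_NOTARIZATION }}
          R2_SECRET_ID: ${{ secrets.R2_SECRET_ID }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
          XCODE_APP_LOADER_EMAIL: ${{ secrets.XCODE_APP_LOADER_EMAIL }}
          XCODE_APP_LOADER_PASSWORD: ${{ secrets.XCODE_APP_LOADER_PASSWORD }}
          XCODE_TEAM_ID: ${{ secrets.XCODE_TEAM_ID }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          set -euo pipefail
          umask 077

          # Fail before any secret is serialised. Previously the plaintext
          # bundle was written first and left on disk when this check failed.
          if [ -z "${BACKUP_PASSWORD:-}" ]; then
            echo "Error: BACKUP_PASSWORD secret is not set!" >&2
            exit 1
          fi

          # Stream the bundle straight into gpg so the plaintext never
          # touches the runner's disk. The passphrase is passed on fd 3
          # rather than on the command line, where it would be visible in
          # the process list. printf is a shell builtin, so it is not
          # exposed in argv either.
          {
            printf '%s\n' "=== PicList Secrets Backup ==="
            printf '%s\n' "Generated at: $(date)"
            printf '%s\n' "------------------------------"
            for name in \
              GH_TOKEN \
              AWS_ACCESS_KEY_ID \
              AWS_SECRET_ACCESS_KEY \
              BUILD_CERTIFICATE_BASE64 \
              BUILD_CERTIFICATE_MAS_BASE64 \
              C1N_TOKEN \
              ELECTRON_SKIP_NOTARIZATION \
              R2_SECRET_ID \
              R2_SECRET_KEY \
              R2_ACCOUNT_ID \
              XCODE_APP_LOADER_EMAIL \
              XCODE_APP_LOADER_PASSWORD \
              XCODE_TEAM_ID \
              P12_PASSWORD \
              KEYCHAIN_PASSWORD
            do
              printf '%s=%s\n' "$name" "${!name:-}"
            done
          } | gpg --batch --yes --pinentry-mode loopback \
                --symmetric --cipher-algo AES256 \
                --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
                --passphrase-fd 3 \
                --output secrets.env.gpg 3< <(printf '%s' "$BACKUP_PASSWORD")

      # This third-party action receives the SMTP credentials and the
      # encrypted bundle; see the pinning note at the top of the file.
      # Port 465 is the implicit-TLS SMTP submission port.
      - name: Send email
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.163.com
          server_port: 465
          username: ${{ secrets.EMAIL_USERNAME }}
          password: ${{ secrets.EMAIL_PASSWORD }}
          subject: "🔒 [Action] PicList 加密 Secret 备份"
          from: Kuingsmile
          to: ma_shiqing@163.com
          body: |
            附件包含加密后的 Secret 文件 (secrets.env.gpg)。
            解密方法:
            使用命令 `gpg --decrypt secrets.env.gpg` 并输入你设定的 BACKUP_PASSWORD。
          attachments: "secrets.env.gpg"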