name: Build Windows Release

on:
  push:
    tags:
      - 'v*.*.*'

permissions:
  contents: write

jobs:
  build:
    runs-on: windows-latest
    permissions:
      contents: write
    env:
      CSC_LINK_BASE64: ${{ secrets.CSC_LINK_BASE64 }}
      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - run: npm ci
      # Optioneel: code signing (alleen uitvoeren als secrets bestaan)
      - name: Setup code signing
        if: ${{ env.CSC_LINK_BASE64 != '' }}
        shell: pwsh
        run: |
          $pfxPath = "$env:RUNNER_TEMP\signing.pfx"
          [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:CSC_LINK_BASE64))
          "CSC_LINK=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Append
          "CSC_KEY_PASSWORD=$env:CSC_KEY_PASSWORD" | Out-File -FilePath $env:GITHUB_ENV -Append
      # Bouw én publiceer ALTIJD naar de GitHub Release
      - name: Build & publish Windows package
        run: npm run publish:win
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # (optioneel) ook als Actions artifact
      - uses: actions/upload-artifact@v4
        with:
          name: release
          path: release/**