#!/usr/bin/env bash set -euo pipefail; readonly REPO={{ repo | quote }}; readonly DEST={{ dest | quote }}; readonly DEST_USER={{ owner | quote }}; readonly DEST_GROUP={{ group | quote }}; readonly PREFIX={{ tag_prefix | quote }}; readonly GPG_FINGERPRINT={{ gpg_fingerprint | quote }}; function error() { echo "$@" >&2; } cd "$DEST"; if [ ! -d .git ]; then git clone --recurse-submodules "$REPO" "$DEST"; fi git remote set-url origin "$REPO"; [ -z "$GPG_FINGERPRINT" ] || gpg --quiet --keyserver eu.pool.sks-keyservers.net --recv "$GPG_FINGERPRINT"; git fetch --recurse-submodules --tags > /dev/null; TAG=$(git tag --list | grep "^$PREFIX" | sort -r | head -n 1); CURRENT=$(git rev-parse --abbrev-ref HEAD); if [ -z "$TAG" ]; then error "No release tag found"; exit 1; elif [ "$TAG" = "$CURRENT" ]; then # No update required exit 0; elif [ -z "$GPG_FINGERPRINT" ] || (git verify-tag --raw "$TAG" 2>&1 | grep --fixed-strings " VALIDSIG $GPG_FINGERPRINT ") > /dev/null; then git reset --quiet --hard --recurse-submodules; git checkout --quiet --recurse-submodules "$TAG"; chown --recursive "$DEST_USER:$DEST_GROUP" .; if ! sh -c {{ reload_command | default('true') | quote }}; then error "Reload command failed"; exit 2; fi else error "Invalid or missing signature for $TAG"; exit 1; fi