.github/workflows/publish-gh-image.yml

name: Create, Scan and Publish KAITO image
on:
  workflow_dispatch:
    inputs:
      release_version:
        description: 'tag to be created for this image (i.e. vxx.xx.xx)'
        required: true

permissions:
  id-token: write
  contents: write
  packages: write

env:
  GO_VERSION: '1.22'
  IMAGE_NAME: 'workspace'
  REGISTRY: ghcr.io

jobs:
  check-tag:
    runs-on: ubuntu-latest
    environment: preset-env
    outputs:
      tag: ${{ steps.get-tag.outputs.tag }}
    steps:
      - name: validate version
        run: |
          echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$'

      - id: get-tag
        name: Get tag
        run: |
            echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT

      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - id: check-tag
        name: Check for Tag
        run: |
          TAG="${{ steps.get-tag.outputs.tag }}"
          if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
            echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT
          else
            echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT
          fi
      - name: 'Create tag'
        if:  steps.check-tag.outputs.create_tag == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}',
              sha: context.sha
            })

  build-scan-publish-gh-images:
    runs-on: ubuntu-latest
    needs: [ check-tag ]
    environment: preset-env
    outputs:
      registry_repository: ${{ steps.get-registry.outputs.registry_repository }}
    steps:
      - id: get-registry
        run: |
          # registry must be in lowercase
          echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT

      - id: get-tag
        name: Get tag
        run: |
          echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          fetch-depth: 0
          ref: ${{ needs.check-tag.outputs.tag }}

      - name: Login to ${{ steps.get-registry.outputs.registry_repository }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build image
        run: |
          OUTPUT_TYPE=type=registry make docker-build-workspace
        env:
          VERSION: ${{ needs.check-tag.outputs.tag }}
          REGISTRY: ${{ steps.get-registry.outputs.registry_repository }}

      - name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: '5m0s'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

  run-e2e-gh-image:
    needs: [ check-tag, build-scan-publish-gh-images ]
    uses: ./.github/workflows/e2e-workflow.yml
    with:
      git_sha: ${{ github.sha }}
      isRelease: true
      registry: ${{ needs.build-scan-publish-gh-images.outputs.registry_repository }}
      k8s_version: ${{ vars.AKS_K8S_VERSION }}
      tag: ${{ needs.check-tag.outputs.tag }}
    secrets:
      E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }}
      E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }}
      E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }}

  publish-mcr-image:
    runs-on: ubuntu-latest
    needs: [ check-tag, run-e2e-gh-image ]
    steps:
      - name: 'Dispatch release tag'
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          event-type: publish-mcr-image
          client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}'