name: build

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  contents: read

on:
  push:
    branches:
      - 'master'
    tags:
      - 'v*'
  pull_request:

env:
  DOCKERHUB_SLUG: crazymax/diun
  GHCR_SLUG: ghcr.io/crazy-max/diun
  DESTDIR: ./bin
  DOCKER_BUILD_SUMMARY: false

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      validate-includes: ${{ steps.validate.outputs.includes }}
      artifact-platforms: ${{ steps.artifact.outputs.platforms }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Validate matrix
        id: validate
        uses: actions/github-script@v7
        env:
          GOLANGCI_LINT_MULTIPLATFORM: 1
        with:
          script: |
            let def = {};
            await core.group(`Parsing definition`, async () => {
              const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', 'validate', '--print'], {
                ignoreReturnCode: true
              });
              if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) {
                throw new Error(res.stderr);
              }
              def = JSON.parse(resPrint.stdout.trim());
            });
            await core.group(`Generating matrix`, async () => {
              const includes = [];
              for (const targetName of Object.keys(def.target)) {
                const target = def.target[targetName];
                if (target.platforms && target.platforms.length > 0) {
                  target.platforms.forEach(platform => {
                    includes.push({
                      target: targetName,
                      platform: platform
                    });
                  });
                } else {
                  includes.push({
                    target: targetName
                  });
                }
              }
              core.info(JSON.stringify(includes, null, 2));
              core.setOutput('includes', JSON.stringify(includes));
            });
      -
        name: Artifact matrix
        id: artifact
        uses: actions/github-script@v7
        with:
          script: |
            const targetName = 'artifact-all';
            let def = {};
            await core.group(`Parsing definition`, async () => {
              const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', targetName, '--print'], {
                ignoreReturnCode: true
              });
              if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) {
                throw new Error(res.stderr);
              }
              def = JSON.parse(resPrint.stdout.trim());
            });
            await core.group(`Generating matrix`, async () => {
              const platforms = def.target?.[targetName]?.platforms ?? [];
              if (platforms.length === 0) {
                throw new Error(`No platforms found for ${targetName} target`);
              }
              core.info(JSON.stringify(platforms, null, 2));
              core.setOutput('platforms', JSON.stringify(platforms));
            });

  validate:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.prepare.outputs.validate-includes) }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Validate
        uses: docker/bake-action@v6
        with:
          source: .
          targets: ${{ matrix.target }}
          set: |
            *.platform=${{ matrix.platform }}

  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Test
        uses: docker/bake-action@v6
        with:
          source: .
          targets: test
          pull: true
      -
        name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          directory: ${{ env.DESTDIR }}/coverage
          token: ${{ secrets.CODECOV_TOKEN }}

  artifact:
    runs-on: ubuntu-latest
    needs:
      - prepare
      - validate
    strategy:
      fail-fast: false
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.artifact-platforms) }}
    steps:
      -
        name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build
        uses: docker/bake-action@v6
        with:
          source: .
          targets: artifact
          provenance: mode=max
          sbom: true
          pull: true
          set: |
            *.platform=${{ matrix.platform }}
      -
        name: Rename provenance and sbom
        working-directory: ${{ env.DESTDIR }}/artifact
        run: |
          binname=$(find . -name 'diun_*')
          filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
          mv "provenance.json" "${filename}.provenance.json"
          mv "sbom-binary.spdx.json" "${filename}.sbom.json"
          find . -name 'sbom*.json' -exec rm {} \;
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      -
        name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: diun-${{ env.PLATFORM_PAIR }}
          path: ${{ env.DESTDIR }}
          if-no-files-found: error

  release:
    runs-on: ubuntu-latest
    permissions:
      # required to create GitHub release
      contents: write
    needs:
      - artifact
      - test
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          path: ${{ env.DESTDIR }}
          pattern: diun-*
          merge-multiple: true
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build
        uses: docker/bake-action@v6
        with:
          source: .
          targets: release
          provenance: false
      -
        name: GitHub Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          files: |
            ${{ env.DESTDIR }}/release/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  image:
    runs-on: ubuntu-latest
    permissions:
      # same as global permissions
      contents: read
      # required to push to GHCR
      packages: write
    needs:
      - artifact
      - test
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.DOCKERHUB_SLUG }}
            ${{ env.GHCR_SLUG }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=ref,event=pr
            type=edge
          labels: |
            org.opencontainers.image.title=Diun
            org.opencontainers.image.description=Docker image update notifier
            org.opencontainers.image.vendor=CrazyMax
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to DockerHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      -
        name: Login to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build
        uses: docker/bake-action@v6
        with:
          source: .
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}
          targets: image-all
          provenance: mode=max
          sbom: true
          pull: true
          push: ${{ github.event_name != 'pull_request' }}
      -
        name: Check manifest
        if: github.event_name != 'pull_request'
        run: |
          docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
      -
        name: Inspect image
        if: github.event_name != 'pull_request'
        run: |
          docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}