.github/workflows/ci.yml

name: Docker Image CI

on:
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
        type: choice
        options:
          - info

  push:
    paths-ignore:
      - 'README.md'
      - '.github/**'
      - '.dockerignore'
      - '.gitignore'
      - 'demo**'
      - 'go.mod'
      - 'go.sum'
      - '.goreleaser.yaml'
    branches:
      - main

env:
  VERSION_NUMBER: 'v0.9.2'
  DOCKERHUB_REGISTRY_NAME: 'digitalghostdev/poke-cli'
  AWS_REGION: 'us-west-2'

jobs:
  gosec:
    runs-on: ubuntu-22.04

    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  build-docker-image:
    runs-on: ubuntu-22.04
    needs: [gosec]
    if: needs.gosec.result == 'success'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Prepare Docker Build Context
        run: |
          mkdir docker-context
          rsync -av --exclude=docker-context . docker-context/

      - name: Build and Export
        uses: 'docker/build-push-action@v5.0.0'
        with:
          context: ./docker-context
          tags: poke-cli:${{ env.VERSION_NUMBER }}
          outputs: type=docker,dest=/tmp/poke-cli.tar

      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: poke-cli
          path: /tmp/poke-cli.tar

  # Uploading to Elastic Container Registry has a backup method.
  upload-to-ecr:
    runs-on: ubuntu-22.04
    needs: [build-docker-image]
    if: needs.build-docker-image.result == 'success'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, tag, and push image to Amazon ECR
        run : |
          docker build -t poke-cli:${{ env.VERSION_NUMBER }} .
          docker tag poke-cli:${{ env.VERSION_NUMBER }} ${{ secrets.AWS_ECR_NAME }}:${{ env.VERSION_NUMBER }}
          docker push ${{ secrets.AWS_ECR_NAME }}:${{ env.VERSION_NUMBER }}

  syft:
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-22.04
    needs: [build-docker-image]
    if: needs.build-docker-image.result == 'success'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Download Artifact
        uses: actions/download-artifact@v4
        with:
          name: poke-cli
          path: /tmp

      - name: Load Image
        run: |
          docker load --input /tmp/poke-cli.tar
          docker image ls -a

      - name: Create and Upload SBOM
        uses: anchore/sbom-action@v0
        with:
          image: poke-cli:${{ env.VERSION_NUMBER }}
          format: spdx-json
          artifact-name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          output-file: /tmp/poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          upload-artifact: true

  grype:
    permissions:
      actions: read
      contents: read
      security-events: write

    runs-on: ubuntu-22.04
    needs: [syft]
    if: needs.syft.result == 'success'

    steps:
      - name: Download SBOM
        uses: actions/download-artifact@v4
        with:
          name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          path: /tmp

      - name: Scan SBOM
        uses: anchore/scan-action@v5
        id: scan
        with:
          sbom: /tmp/poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          fail-build: false
          output-format: sarif
          severity-cutoff: critical

      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  architecture-build:
    runs-on: ubuntu-22.04
    needs: [gosec]
    if: needs.gosec.result == 'success'

    strategy:
      fail-fast: false
      matrix:
        platform: [linux/amd64, linux/arm64]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Docker Meta
        id: meta
        uses: 'docker/metadata-action@v5.0.0'
        with:
          images: ${{ env.DOCKERHUB_REGISTRY_NAME }}

      - name: Set up QEMU
        uses: 'docker/setup-qemu-action@v3'

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Login to Docker Hub
        uses: 'docker/login-action@v3'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and Push by Digest
        id: build
        uses: 'docker/build-push-action@v5.0.0'
        with:
          context: .
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.DOCKERHUB_REGISTRY_NAME }},push-by-digest=true,name-canonical=true,push=true

      - name: Export Digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload Digest for AMD64
        if: matrix.platform == 'linux/amd64'
        uses: actions/upload-artifact@v4
        with:
          name: digests-amd64
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

      - name: Upload Digest for ARM64
        if: matrix.platform == 'linux/arm64'
        uses: actions/upload-artifact@v4
        with:
          name: digests-arm64
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  create-manifest-and-push:
    runs-on: ubuntu-22.04
    needs: [architecture-build]

    steps:
      - name: Download Digests
        uses: actions/download-artifact@v4
        with:
          pattern: digests-*
          path: /tmp/digests
          merge-multiple: true

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Docker meta
        id: meta
        uses: 'docker/metadata-action@v5.0.0'
        with:
          images: ${{ env.DOCKERHUB_REGISTRY_NAME }}
          tags: ${{ env.VERSION_NUMBER }}

      - name: Login to Docker Hub
        uses: 'docker/login-action@v3'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create Manifest List and Push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.DOCKERHUB_REGISTRY_NAME }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.DOCKERHUB_REGISTRY_NAME }}:${{ steps.meta.outputs.version }}