.github/workflows/ci.yml

name: Docker Image CI

on:
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
        type: choice
        options:
          - info

  push:
    paths-ignore:
      - 'README.md'
      - '.github/**'
      - 'demo**'
      - 'go.mod'
      - 'go.sum'
    branches:
      - main
env:
  VERSION_NUMBER: 'v0.6.2'
  REGISTRY_NAME: digitalghostdev/poke-cli

jobs:
  snyk:
    runs-on: ubuntu-22.04

    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Snyk
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif --skip-unresolved=true

      - name: Upload Result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

  build-docker-image:
    runs-on: ubuntu-22.04
    needs: [snyk]
    if: needs.snyk.result == 'success'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Prepare Docker Build Context
        run: |
          mkdir docker-context
          rsync -av --exclude=docker-context . docker-context/

      - name: Build and Export
        uses: 'docker/build-push-action@v5.0.0'
        with:
          context: ./docker-context
          tags: poke-cli:${{ env.VERSION_NUMBER }}
          outputs: type=docker,dest=/tmp/poke-cli.tar

      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: poke-cli
          path: /tmp/poke-cli.tar

  syft:
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-22.04
    needs: [build-docker-image]
    if: needs.build-docker-image.result == 'success'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Download Artifact
        uses: actions/download-artifact@v4
        with:
          name: poke-cli
          path: /tmp

      - name: Load Image
        run: |
          docker load --input /tmp/poke-cli.tar
          docker image ls -a

      - name: Create and Upload SBOM
        uses: anchore/sbom-action@v0
        with:
          image: poke-cli:${{ env.VERSION_NUMBER }}
          format: spdx-json
          artifact-name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          output-file: /tmp/poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          upload-artifact: true

  grype:
    permissions:
      actions: read
      contents: read
      security-events: write

    runs-on: ubuntu-22.04
    needs: [syft]
    if: needs.syft.result == 'success'

    steps:
      - name: Download SBOM
        uses: actions/download-artifact@v4
        with:
          name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          path: /tmp

      - name: Scan SBOM
        uses: anchore/scan-action@v3
        id: scan
        with:
          sbom: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          fail-build: false
          output-format: sarif
          severity-cutoff: critical

      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  architecture-build:
    runs-on: ubuntu-22.04
    needs: [snyk]
    if: needs.snyk.result == 'success'

    strategy:
      fail-fast: false
      matrix:
        platform: [linux/amd64, linux/arm64]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Docker Meta
        id: meta
        uses: 'docker/metadata-action@v5.0.0'
        with:
          images: ${{ env.REGISTRY_NAME }}

      - name: Set up QEMU
        uses: 'docker/setup-qemu-action@v3'

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Login to Docker Hub
        uses: 'docker/login-action@v3'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and Push by Digest
        id: build
        uses: 'docker/build-push-action@v5.0.0'
        with:
          context: .
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_NAME }},push-by-digest=true,name-canonical=true,push=true

      - name: Export Digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload Digest for AMD64
        if: matrix.platform == 'linux/amd64'
        uses: actions/upload-artifact@v4
        with:
          name: digests-amd64
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

      - name: Upload Digest for ARM64
        if: matrix.platform == 'linux/arm64'
        uses: actions/upload-artifact@v4
        with:
          name: digests-arm64
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  create-manifest-and-push:
    runs-on: ubuntu-22.04
    needs: [architecture-build]

    steps:
      - name: Download Digests
        uses: actions/download-artifact@v4
        with:
          pattern: digests-*
          path: /tmp/digests
          merge-multiple: true

      - name: Set up Docker Buildx
        uses: 'docker/setup-buildx-action@v3.0.0'

      - name: Docker meta
        id: meta
        uses: 'docker/metadata-action@v5.0.0'
        with:
          images: ${{ env.REGISTRY_NAME }}
          tags: ${{ env.VERSION_NUMBER }}

      - name: Login to Docker Hub
        uses: 'docker/login-action@v3'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create Manifest List and Push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_NAME }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_NAME }}:${{ steps.meta.outputs.version }}