.github/workflows/release.yaml

---
name: Release

on:
  push:
    branches:
      - main
  workflow_call:
    secrets:
      ADFINISBOT_PAT:
        required: true

jobs:
  semrel:
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: none
      statuses: none
      id-token: write # needed for signing the images with GitHub OIDC using cosign

    name: Semantic Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.ADFINISBOT_PAT }}

      - name: Semantic Release
        uses: go-semantic-release/action@v1
        id: semrel
        with:
          github-token: ${{ secrets.ADFINISBOT_PAT }}
          allow-initial-development-versions: true

      - name: Adjust Versions
        if: steps.semrel.outputs.version != ''
        run: |
          sed -r 's/"(0.0.0|latest)"/"${{ steps.semrel.outputs.version }}"/g' -i ./ember/package.json ./api/pyproject.toml ./charts/outdated/Chart.yaml

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: steps.semrel.outputs.version != ''
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        if: steps.semrel.outputs.version != ''
        uses: docker/setup-buildx-action@v3

      - name: Build and Push API Docker Image
        if: steps.semrel.outputs.version != ''
        uses: docker/build-push-action@v5
        id: docker-api
        with:
          context: ./api/
          target: prod
          push: true
          tags: |
            ghcr.io/${{ github.repository }}/api:${{ steps.semrel.outputs.version }}
            ghcr.io/${{ github.repository }}/api:latest

      - name: Build and Push Ember Docker Image
        if: steps.semrel.outputs.version != ''
        uses: docker/build-push-action@v5
        id: docker-ember
        with:
          context: ./ember/
          push: true
          tags: |
            ghcr.io/${{ github.repository }}/ember:${{ steps.semrel.outputs.version }}
            ghcr.io/${{ github.repository }}/ember:latest

      - name: Run Trivy vulnerability scanner on api
        if: steps.semrel.outputs.version != ''
        uses: aquasecurity/trivy-action@0.19.0
        with:
          image-ref: ghcr.io/${{ github.repository }}/api
          format: "cyclonedx"
          output: "api.cdx"

      - name: Run Trivy vulnerability scanner on ember
        if: steps.semrel.outputs.version != ''
        uses: aquasecurity/trivy-action@0.19.0
        with:
          image-ref: ghcr.io/${{ github.repository }}/ember
          format: "cyclonedx"
          output: "ember.cdx"

      - name: Install Cosign
        if: steps.semrel.outputs.version != ''
        uses: sigstore/cosign-installer@v3.4.0

      - name: Sign the images with GitHub OIDC Token using cosign
        if: steps.semrel.outputs.version != ''
        run: |
          cosign sign --yes ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
          cosign sign --yes ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}

      - name: Attach an SBOM attestation to the signed images
        if: steps.semrel.outputs.version != ''
        run: |
          cosign attest --yes --type cyclonedx --predicate api.cdx ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
          cosign attest --yes --type cyclonedx --predicate ember.cdx ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}

      - name: Set up Helm
        if: steps.semrel.outputs.version != ''
        uses: azure/setup-helm@v3.5
        with:
          version: v3.14.0

      - name: Package Chart
        if: steps.semrel.outputs.version != ''
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami
          helm dependency build charts/outdated
          helm package --destination=dist charts/outdated

      - name: Push Chart
        if: steps.semrel.outputs.version != ''
        run: helm push dist/*.tgz oci://ghcr.io/${{ github.repository }}/helm

  trivy-scan-api:
    if: always()
    needs: semrel
    uses: ./.github/workflows/trivy-scan.yaml
    with:
      image-ref: api
      attest: ${{ needs.semrel.result == 'success' }}

  trivy-scan-ember:
    if: always()
    needs: semrel
    uses: ./.github/workflows/trivy-scan.yaml
    with:
      image-ref: ember
      attest: ${{ needs.semrel.result == 'success' }}