.github/workflows/build.yml

# This is the main build pipeline that verifies and publishes the software
name: Build
# Controls when the workflow will run
on:
  # Triggers the workflow on push events
  push:
    branches: 
    - main 
    - develop
    - 'release/**'
    - 'feature/**' 
    - 'issue/**' 
    - 'issues/**' 
    - 'dependabot/**'

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  PROJECT_ NAME: podaac/hitide-profile

jobs:
  # First job in the workflow installs and verifies the software
  build:
    name: Build, Test, Deploy
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    steps:
      # Checkout
      - name: Checkout project to build and deploy
        uses: actions/checkout@v2

      ## Read the json file into the environment variables
      - name: JSON to variables
        uses: rgarcia-phi/json-to-variables@v1.1.0
        with:
          filename: 'package.json'
          prefix: project

      ## Set environment variables
      - name: Configure Initial YAML file and environment variables
        run: |
          echo "THE_VERSION=${{ env.project_version }}" >> $GITHUB_ENV;
          echo "GIT_BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV;
          GITHUB_REF_READABLE="${GITHUB_REF//\//-}"
          echo "GITHUB_REF_READABLE=${GITHUB_REF_READABLE}" >> $GITHUB_ENV

      ## NPM Tagging
      - name: Pre Alpha
        if: |
          startsWith(github.ref, 'refs/heads/issue') ||
          startsWith(github.ref, 'refs/heads/dependabot/') ||
          startsWith(github.ref, 'refs/heads/feature/')
        run: |
            echo "THE_ENV=sit" >> $GITHUB_ENV
            echo "TARGET_ENV_UPPERCASE=SIT" >> $GITHUB_ENV
            echo "THE_VERSION=$(npm --no-git-tag-version --allow-same-version version ${{ env.THE_VERSION }}-${GITHUB_SHA})" >> $GITHUB_ENV

      ## Set Alpha variables
      - name: Alpha
        if: github.ref == 'refs/heads/develop'
        run: |
            echo "THE_ENV=sit" >> $GITHUB_ENV
            echo "TARGET_ENV_UPPERCASE=SIT" >> $GITHUB_ENV
            echo "THE_VERSION=$(npm --no-git-tag-version version prerelease)" >> $GITHUB_ENV

      ## Bump RC Version
      - name: Bump rc version
        # If triggered by push to a release branch
        if: ${{ startsWith(github.ref, 'refs/heads/release/') }}
        env:
          # True if the version already has a 'rc' pre-release identifier
          BUMP_RC: ${{ contains(env.project_version, 'rc') }}
          RELEASE_VERSION: ${THE_BRANCH//*\/}
        run: |
          if [ "$BUMP_RC" == true ]; then
            echo "THE_VERSION=$(npm --no-git-tag-version version prerelease --preid rc)" >> $GITHUB_ENV
          else
            echo "THE_VERSION=$(npm --no-git-tag-version version ${GITHUB_REF#refs/heads/release/}-rc.1)" >> $GITHUB_ENV
          fi

          echo "THE_ENV=uat" >> $GITHUB_ENV
          echo "TARGET_ENV_UPPERCASE=UAT" >> $GITHUB_ENV

      ## Set Release variables
      - name: Release
        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
        run: |
            echo "THE_ENV=ops" >> $GITHUB_ENV
            echo "TARGET_ENV_UPPERCASE=OPS" >> $GITHUB_ENV
            echo "Modifying version number ${{ env.project_version}}"
            THE_VERSION=${{ env.project_version }}
            echo "THE_VERSION=${THE_VERSION//-*}" >> $GITHUB_ENV
            npm --no-git-tag-version version ${THE_VERSION//-*}
            
      - name: Run Snyk as a blocking step
        uses: snyk/actions/node@master
        env:
            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: >
              --org=${{ secrets.SNYK_ORG_ID }}
              --project-name=${{ github.repository }}
              --severity-threshold=high
              --fail-on=all


      - name: Run Snyk on Node
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: >
            --org=${{ secrets.SNYK_ORG_ID }}
            --project-name=${{ github.repository }}


      - name: Commit Version Bump
        # If building develop, a release branch, or main then we commit the version bump back to the repo
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main'    ||
          startsWith(github.ref, 'refs/heads/release')
        run: |
          git config --global user.name 'hitide-profile bot'
          git config --global user.email 'hitide-profile@noreply.github.com'
          git commit -am "/version ${{ env.THE_VERSION }}"
          git push

      - name: Push Tag
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main'    ||
          startsWith(github.ref, 'refs/heads/release')
        run: |
          git config user.name "${GITHUB_ACTOR}"
          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
          git tag -a "${{ env.THE_VERSION }}" -m "Version ${{ env.THE_VERSION }}"
          git push origin "${{ env.THE_VERSION }}"

      # Setup Node to install and test
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 14

      - name: NPM install & NPM Lint
        run:
          npm install
          npm run lint

      # Setup docker to build and push images
      - name: Log in to the Container registry
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Deploy Env Override
        if: |
          github.event.head_commit.message == '/deploy sit' ||
          github.event.head_commit.message == '/deploy uat'
        run: |
          message="${{ github.event.head_commit.message }}"
          trimmed_message=${message:1}  # Remove leading slash
          override_env=$(echo "$trimmed_message" | grep -oE '[^[:space:]]+$')
          override_env_upper=$(echo "$trimmed_message" | awk '{print toupper($NF)}')
          echo "THE_ENV=${override_env}" >> $GITHUB_ENV
          echo "TARGET_ENV_UPPERCASE=${override_env_upper}" >> $GITHUB_ENV

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}},value=${{ env.THE_VERSION }}
            type=raw,value=${{ env.THE_ENV }}

      - name: Build and push Docker image
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main'    ||
          startsWith(github.ref, 'refs/heads/release') ||
          github.event.head_commit.message == '/deploy sit' ||
          github.event.head_commit.message == '/deploy uat'
        uses: docker/build-push-action@v3
        with:
          context: .
          file: docker/Dockerfile
          push: true
          pull: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Setup Terraform to Deploy

      - name: Configure AWS Credentials as Environment Variables
        run: echo "AWS_ACCESS_KEY_ID=${{ secrets[format('AWS_ACCESS_KEY_ID_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}" >> $GITHUB_ENV |
             echo "AWS_SECRET_ACCESS_KEY=${{ secrets[format('AWS_SECRET_ACCESS_KEY_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}" >> $GITHUB_ENV

      - name: Validate AWS Credentials 
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-west-2
          role-session-name: GitHubActions
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets[format('AWS_ACCESS_KEY_ID_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets[format('AWS_SECRET_ACCESS_KEY_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}
      - run: aws sts get-caller-identity

      - uses: hashicorp/setup-terraform@v2.0.3
        with:
          terraform_version: 1.0.3

      - name: Deploy Terraform
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main'    ||
          startsWith(github.ref, 'refs/heads/release') ||
          github.event.head_commit.message == '/deploy sit' ||
          github.event.head_commit.message == '/deploy uat'
        working-directory: terraform/
        env:
          AWS_ACCESS_KEY_ID:       ${{ secrets[format('AWS_ACCESS_KEY_ID_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}
          AWS_SECRET_ACCESS_KEY:   ${{ secrets[format('AWS_SECRET_ACCESS_KEY_SERVICES_{0}', env.TARGET_ENV_UPPERCASE)] }}
          AWS_DEFAULT_REGION:      us-west-2

          TF_VAR_hitide_profile_docker_image: "ghcr.io/podaac/hitide-profile:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}"
          TF_VAR_EARTH_DATA_LOGIN_CLIENT_ID: ${{ secrets[format('EARTH_DATA_LOGIN_CLIENT_ID_{0}', env.TARGET_ENV_UPPERCASE)] }}
          TF_VAR_EARTH_DATA_LOGIN_PASSWORD: ${{ secrets[format('EARTH_DATA_LOGIN_PASSWORD_{0}', env.TARGET_ENV_UPPERCASE)] }}

        run: |
          source bin/config.sh ${{ env.THE_ENV }}
          terraform plan -var-file=tfvars/"${{ env.THE_ENV }}".tfvars -var="app_version=${{ env.THE_VERSION }}" -out="tfplan"
          terraform apply -auto-approve tfplan