crazy-max_diun/.github/workflows/build.yml

name: build

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    branches:
      - 'master'
    tags:
      - 'v*'
  pull_request:

env:
  DOCKERHUB_SLUG: crazymax/diun
  GHCR_SLUG: ghcr.io/crazy-max/diun
  DESTDIR: ./bin

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      validate-targets: ${{ steps.validate-targets.outputs.matrix }}
      artifact-platforms: ${{ steps.artifact-platforms.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Validate targets matrix
        id: validate-targets
        run: |
          echo "matrix=$(docker buildx bake validate --print | jq -cr '.target | keys')" >> $GITHUB_OUTPUT          
      -
        name: Artifact platforms matrix
        id: artifact-platforms
        run: |
          echo "matrix=$(docker buildx bake artifact-all --print | jq -cr '.target."artifact-all".platforms')" >> $GITHUB_OUTPUT          

  validate:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      fail-fast: false
      matrix:
        target: ${{ fromJson(needs.prepare.outputs.validate-targets) }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Validate
        uses: docker/bake-action@v4
        with:
          targets: ${{ matrix.target }}

  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Test
        uses: docker/bake-action@v4
        with:
          targets: test
          pull: true
      -
        name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          directory: ${{ env.DESTDIR }}/coverage
          token: ${{ secrets.CODECOV_TOKEN }}

  artifact:
    runs-on: ubuntu-latest
    needs:
      - prepare
      - validate
    strategy:
      fail-fast: false
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.artifact-platforms) }}
    steps:
      -
        name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV          
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build
        uses: docker/bake-action@v4
        with:
          targets: artifact
          provenance: mode=max
          sbom: true
          pull: true
          set: |
            *.platform=${{ matrix.platform }}
            *.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
            *.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max            
      -
        name: Rename provenance and sbom
        working-directory: ${{ env.DESTDIR }}/artifact
        run: |
          binname=$(find . -name 'diun_*')
          filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
          mv "provenance.json" "${filename}.provenance.json"
          mv "sbom-binary.spdx.json" "${filename}.sbom.json"
          find . -name 'sbom*.json' -exec rm {} \;          
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}          
      -
        name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: diun-${{ env.PLATFORM_PAIR }}
          path: ${{ env.DESTDIR }}
          if-no-files-found: error

  release:
    runs-on: ubuntu-latest
    needs:
      - artifact
      - test
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          path: ${{ env.DESTDIR }}
          pattern: diun-*
          merge-multiple: true
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}          
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build
        uses: docker/bake-action@v4
        with:
          targets: release
          provenance: false
      -
        name: GitHub Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          draft: true
          files: |
            ${{ env.DESTDIR }}/release/*            
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  image:
    runs-on: ubuntu-latest
    needs:
      - artifact
      - test
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Prepare
        run: |
          cfroms=
          while read -r platform; do
            if [ -n "$cfroms" ]; then cfroms="${cfroms}\n"; fi
            cfroms="${cfroms}*.cache-from=type=gha,scope=artifact-${platform//\//-}"
          done < <(docker buildx bake artifact-all --print | jq -r '.target."artifact-all".platforms[]')
          echo "CACHE_FROMS<<EOF" >> $GITHUB_ENV
          echo -e "$cfroms" >> $GITHUB_ENV
          echo "EOF" >> $GITHUB_ENV          
      -
        name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.DOCKERHUB_SLUG }}
            ${{ env.GHCR_SLUG }}            
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=ref,event=pr
            type=edge            
          labels: |
            org.opencontainers.image.title=Diun
            org.opencontainers.image.description=Docker image update notifier
            org.opencontainers.image.vendor=CrazyMax            
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to DockerHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      -
        name: Login to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build
        uses: docker/bake-action@v4
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}            
          targets: image-all
          provenance: mode=max
          sbom: true
          pull: true
          push: ${{ github.event_name != 'pull_request' }}
          set: |
            ${{ env.CACHE_FROMS }}            
      -
        name: Check manifest
        if: github.event_name != 'pull_request'
        run: |
          docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}          
      -
        name: Inspect image
        if: github.event_name != 'pull_request'
        run: |
          docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
          docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}