.github/workflows/build.yml

name: Continuous Delivery

on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  IMAGE_STAGING: enterprisedb/postgresql-testing
  IMAGE_RELEASE: enterprisedb/postgresql

jobs:
  generate-jobs:
    name: Generate Jobs
    runs-on: ubuntu-20.04
    outputs:
      strategy: ${{ steps.generate-jobs.outputs.strategy }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Generate Jobs
        id: generate-jobs
        shell: bash
        run: |
          bash .github/generate-strategy.sh

  build:
    needs: generate-jobs
    strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
    name: ${{ matrix.name }}
    runs-on: ubuntu-20.04
    permissions:
      contents: read
      packages: write
    steps:
    - name: Checkout Code
      uses: actions/checkout@v3

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v1.2.0

    - name: Docker meta
      id: docker-meta
      env:
        TAGS: ${{ toJson(matrix.tags) }}
      run: |
        RESULT=""
        for tag in $(jq -r '.[]' <<< "${TAGS}")
        do
          RESULT="${RESULT},quay.io/${IMAGE_STAGING}:${tag},ghcr.io/${IMAGE_STAGING}:${tag}"
          # If we are running the pipeline in the main branch images are pushed in both -testing and PROD repo
          if [ "${GITHUB_REF#refs/heads/}" == main ]
          then
            RESULT="${RESULT},quay.io/${IMAGE_RELEASE}:${tag},ghcr.io/${IMAGE_RELEASE}:${tag}"
          fi
        done
        echo "::set-output name=tags::${RESULT%,}"

    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@v1.6.0

    - name: Login to quay.io
      uses: docker/login-action@v1.14.1
      with:
        registry: quay.io/enterprisedb
        username: ${{ secrets.QUAY_USERNAME }}
        password: ${{ secrets.QUAY_TOKEN }}

    - name: Log in to the GitHub Container registry
      uses: docker/login-action@v1.14.1
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and load
      uses: docker/build-push-action@v2.10.0
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
        secrets: |
          "cs_script=${{ secrets.CS_SCRIPT }}"
          "subscription=${{ secrets.SUBSCRIPTION }}"
        push: false
        load: true
        tags: ${{ steps.docker-meta.outputs.tags }}

    - name: Dockle scan
      uses: erzz/dockle-action@v1.1.1
      with:
        image: "quay.io/${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
        exit-code: '1'
        failure-threshold: WARN
        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key

    - name: Build and push
      uses: docker/build-push-action@v2.10.0
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
        secrets: |
          "cs_script=${{ secrets.CS_SCRIPT }}"
          "subscription=${{ secrets.SUBSCRIPTION }}"
        # Available architecture on UBI8 are: linux/amd64, linux/s390x, linux/ppc64le
        platforms: ${{ matrix.platforms }}
        push: true
        tags: ${{ steps.docker-meta.outputs.tags }}
        labels: ${{ github.ref != 'refs/heads/main' && 'quay.expires-after=7d' || '' }}

    - name: Slack Notification
      uses: rtCamp/action-slack-notify@v2
      if: ${{ failure() }}
      env:
        SLACK_COLOR: ${{ job.status }}
        SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
        SLACK_USERNAME: ghBot
        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
  # Send a notification if new public images are released
  notify:
    needs: build
    name: Notify update on Slack
    runs-on: ubuntu-20.04
    steps:
    - name: Slack Notification
      uses: rtCamp/action-slack-notify@v2
      # Only images built from the main branch go public, and we limit the
      # amount of notifications to those.
      if: ${{ github.ref == 'refs/heads/main' }}
      env:
        SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
        SLACK_USERNAME: ghBot
        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        SLACK_MESSAGE: New PostgreSQL images pushed on Quay.io