.github/workflows/sandbox-build-push.yml

name: Sandbox build and push latest

on:
  workflow_run:
    workflows: ["docker checker"]
    branches: [develop]
    types:
      - completed
  release:
    types: [published]
    
env:
  IMAGE_NAME: geoscienceaustralia/sandbox

permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

jobs:
  set_dev_tags:
    if: github.ref == 'refs/heads/develop'
      && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Build a new docker image with tag
        id: tag-image
        run: |
          echo "TAG=dev$(git rev-parse --short HEAD)" \
          >> $GITHUB_OUTPUT
    outputs:
      image_tag: ${{ steps.tag-image.outputs.TAG }}

  set_release_tags:
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Build a new docker image with tag
        id: tag-image
        run: |
          echo "TAG=${{ github.ref_name }}" \
          >> $GITHUB_OUTPUT
    outputs:
      image_tag: ${{ steps.tag-image.outputs.TAG }}

  push_ecr:
    name: Push image
    if: ${{ always() && contains(join(needs.*.result, ','), 'success') }}
    needs: [set_dev_tags, set_release_tags]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Get image tag
        id: tag-image
        run: |
          # check if the tag string is empty
          # tag = `dev_tag` if triggered by pr merged 
          # or `release_tag, stable` if triggered by release published 
          # or `dev_tag,release_tag, stable`, which should not happen given current workflow though
          if [[ ! -z "${{ needs.set_dev_tags.outputs.image_tag }}" ]]; then \
          tag="${{ needs.set_dev_tags.outputs.image_tag }}"; fi
          if [[ ! -z "${{ needs.set_release_tags.outputs.image_tag }}" ]]; then \
          if [[ ! -z $tag ]]; then \
          tag=$tag",${{ needs.set_release_tags.outputs.image_tag }}"; else \
          tag="${{ needs.set_release_tags.outputs.image_tag }}"; fi; \
          tag=$tag",stable"; fi
          echo "TAG=$tag" >>  $GITHUB_OUTPUT

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::538673716275:role/github-actions-role
          aws-region: ap-southeast-2

      - name: Wait for tests to succeed
        uses: lewagon/wait-on-check-action@v1.3.1
        with:
          ref: ${{ github.ref }}
          running-workflow-name: 'Push image'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 20

      - name: Free disk space
        run: |
          sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc /usr/local/share/boost "$AGENT_TOOLSDIRECTORY" || true
          sudo apt purge aria2 ansible azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          sudo apt-get autoremove -y >/dev/null 2>&1 || true
          sudo apt-get autoclean -y >/dev/null 2>&1 || true
          sudo rm -rf ${GITHUB_WORKSPACE}/.git

      - name: Push image to ECR
        uses: whoan/docker-build-with-cache-action@master
        with:
          context: ./docker
          registry: 538673716275.dkr.ecr.ap-southeast-2.amazonaws.com
          image_name: ${{ env.IMAGE_NAME }}
          image_tag: latest,${{ steps.tag-image.outputs.TAG }}
          build_extra_args: '{"--build-arg": "UPDATE_VERSION=${{ steps.tag-image.outputs.TAG }}"}'