.github/workflows/publish.yaml

name: Release
on:
  push:
    branches:
      - main
jobs:
  semantic-release:
    runs-on: ubuntu-latest
    outputs:
      release-version: ${{ steps.semantic.outputs.release-version }}
      new-release-published: ${{ steps.semantic.outputs.new-release-published }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          token: ${{ secrets.FLANKBOT }}

      - uses: codfish/semantic-release-action@cbd853afe12037afb1306caca9d6b1ab6a58cf2a # v1.10.0
        id: semantic
        with:
          additional_packages: |
            ['@semantic-release/git']
        env:
          GITHUB_TOKEN: ${{ secrets.FLANKBOT }}

  docker:
    needs: semantic-release
    runs-on: ubuntu-latest
    if: ${{ needs.semantic-release.outputs.new-release-published == 'true' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      - name: Publish canary-checker-ui to Registry
        uses: elgohr/Publish-Docker-Github-Action@742a180fa47f3adfb5115902ae4955acc6ad769b # v4
        env:
          APP_DEPLOYMENT: CANARY_CHECKER
          WITHOUT_AUTH: 'true'
        with:
          name: flanksource/canary-checker-ui
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          buildargs: APP_DEPLOYMENT,WITHOUT_AUTH
          snapshot: true
          tags: "latest,v${{ needs.semantic-release.outputs.release-version }}"

      - name: Publish incident-manager-ui to Registry
        uses: elgohr/Publish-Docker-Github-Action@742a180fa47f3adfb5115902ae4955acc6ad769b # v4
        env:
          APP_DEPLOYMENT: 'INCIDENT_MANAGER'
          WITHOUT_AUTH: 'false'
        with:
          name: flanksource/incident-manager-ui
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          buildargs: APP_DEPLOYMENT,WITHOUT_AUTH
          snapshot: true
          tags: "latest,v${{ needs.semantic-release.outputs.release-version }}"

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Login to Amazon ECR Public
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Publish canary-checker-ui to ECR Public
        env:
          REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
          REGISTRY_ALIAS: k4y9r6y5
          REPOSITORY: canary-checker-ui
          IMAGE_TAG: "v${{ needs.semantic-release.outputs.release-version }}"
          APP_DEPLOYMENT: CANARY_CHECKER
          WITHOUT_AUTH: 'true'
        run: |
          docker build --build-arg APP_DEPLOYMENT --build-arg WITHOUT_AUTH -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG .
          docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG

      - name: Publish incident-manager-ui to ECR Public
        env:
          REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
          REGISTRY_ALIAS: k4y9r6y5
          REPOSITORY: incident-manager-ui
          IMAGE_TAG: "v${{ needs.semantic-release.outputs.release-version }}"
          APP_DEPLOYMENT: 'INCIDENT_MANAGER'
          WITHOUT_AUTH: 'false'
        run: |
          docker build --build-arg APP_DEPLOYMENT --build-arg WITHOUT_AUTH -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG .
          docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG

  helm:
    runs-on: ubuntu-latest
    needs: [semantic-release, docker]
    if: ${{ needs.semantic-release.outputs.new-release-published == 'true' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Download yq
        run: |
          wget -nv -nc -O yq https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_linux_amd64
          chmod +x yq
      - name: Update chart version
        run: ./yq -i e '.version = "${{ needs.semantic-release.outputs.release-version }}"' chart/Chart.yaml
      - name: Update app version
        run: ./yq -i e '.appVersion = "${{ needs.semantic-release.outputs.release-version }}"' chart/Chart.yaml
      - name: Update image tags
        run: ./yq -i e '.image.tag = "v${{ needs.semantic-release.outputs.release-version }}"' chart/values.yaml
      - name: Set up Helm
        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab # v1.1
        with:
          version: v3.8.0
      - name: Package Helm chart
        run: |
          helm package ./chart
      - name: Clone charts repo
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          repository: "${{ github.repository_owner }}/charts"
          path: charts
          token: "${{ secrets.FLANKBOT }}"
      - name: Update chart repo
        run: |
          cd charts
          cp ../flanksource-ui-*.tgz ./
          helm repo index --merge index.yaml .
      - name: Push changes to chart repo
        uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
        with:
          commit_message: "Release ${{ needs.semantic-release.outputs.release-version }} of ${{ github.repository }}"
          branch: gh-pages
          repository: ./charts

  update-canary-checker:
    runs-on: ubuntu-latest
    needs: [docker, helm, semantic-release]
    if: ${{ needs.semantic-release.outputs.new-release-published == 'true' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          repository: "${{ github.repository_owner }}/canary-checker"
          token: ${{ secrets.FLANKBOT }}
          path: ./canary-checker
      - name: Install yq
        run: |
          wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - |\
          tar xz && sudo mv ${BINARY} /usr/bin/yq
        env:
          VERSION: v4.25.1
          BINARY: yq_linux_amd64
      - name: Update flanksource-ui version in canary-checker
        run: |
          cd canary-checker
          yq eval-all -i  '(.dependencies[] | select(.name == "flanksource-ui")) ref $d | $d.version = "${{ needs.semantic-release.outputs.release-version }}"' chart/Chart.yaml
      - name: Create pull request
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: "chore: update flanksource-ui to ${{ needs.semantic-release.outputs.release-version }}"
          token: ${{ secrets.FLANKBOT }}
          title: "chore: update flanksource-ui to ${{ needs.semantic-release.outputs.release-version }}"
          branch: "update-flanksource-ui"
          path: ./canary-checker

  update-incident-commander:
    runs-on: ubuntu-latest
    needs: [docker, helm, semantic-release]
    if: ${{ needs.semantic-release.outputs.new-release-published == 'true' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          repository: "${{ github.repository_owner }}/incident-commander-chart"
          token: ${{ secrets.FLANKBOT }}
          path: ./incident-commander-chart
      - name: Install yq
        run: |
          wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - |\
          tar xz && sudo mv ${BINARY} /usr/bin/yq
        env:
          VERSION: v4.25.1
          BINARY: yq_linux_amd64
      - name: Update flanksource-ui version in Incident-commander
        run: |
          cd incident-commander-chart
          yq eval-all -i  '(.dependencies[] | select(.name == "flanksource-ui")) ref $d | $d.version = "${{ needs.semantic-release.outputs.release-version }}"' chart/Chart.yaml
      - name: Push changes to chart repo
        uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
        with:
          commit_message: "chore: update flanksource-ui chart dependency to ${{ needs.semantic-release.outputs.release-version }}"
          repository: ./incident-commander-chart