.github/workflows/docker-publish.yml

name: Build and publish Docker images

on:
  push:
    branches: [ "**" ]
    paths-ignore:
      - "Website/**"
      - "*.md"
  pull_request_target:
    paths-ignore:
      - "Website/**"
      - "*.md"
  workflow_dispatch:

env:
  REGISTRY: ghcr.io

jobs:
  build:
    runs-on: "ubuntu-latest"
    if: github.repository == 'SaptarshiSarkar12/Drifty'
    strategy:
      matrix:
        docker_context: [CLI, GUI]
        image_name: [ drifty-cli, drifty-gui ]
        exclude:
          - docker_context: CLI
            image_name: drifty-gui
          - docker_context: GUI
            image_name: drifty-cli
      fail-fast: false
    permissions:
      contents: read
      packages: write
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Get Drifty version
        run: echo "VERSION=$(jq .version version.json | sed -r 's/"//g')" >> $GITHUB_ENV
      - name: Split up Version into semantic parts
        run: |
          echo "VERSION_NUMBER=$(echo $VERSION | cut -d '-' -f1)" >> $GITHUB_ENV
          if [[ $VERSION == *-* ]]; then
              RELEASE_STAGE_SHORT=$(echo $VERSION | cut -d '-' -f2 | cut -d '.' -f1)
              REVISION_NUMBER=$(echo $VERSION | cut -d '-' -f2 | cut -d '.' -f2)
          else
              RELEASE_STAGE_SHORT="Stable"
              REVISION_NUMBER=0
          fi
          echo "RELEASE_STAGE_SHORT=$RELEASE_STAGE_SHORT" >> $GITHUB_ENV
          echo "REVISION_NUMBER=$REVISION_NUMBER" >> $GITHUB_ENV
          if [[ $RELEASE_STAGE_SHORT == "alpha" ]]; then
              echo "RELEASE_STAGE=Alpha" >> $GITHUB_ENV
          elif [[ $RELEASE_STAGE_SHORT == "beta" ]]; then
              echo "RELEASE_STAGE=Beta" >> $GITHUB_ENV
          elif [[ $RELEASE_STAGE_SHORT == "rc" ]]; then
              echo "RELEASE_STAGE=Release Candidate" >> $GITHUB_ENV
          else
              echo "RELEASE_STAGE=Stable" >> $GITHUB_ENV
          fi
      - name: Update system packages
        if: matrix.docker_context == 'GUI'
        run: sudo apt-get update
      - name: Install build dependencies
        if: matrix.docker_context == 'GUI'
        run: |
          sudo apt-get install libasound2-dev libavcodec-dev libavformat-dev libavutil-dev libfreetype6-dev
          sudo apt-get install libgl-dev libglib2.0-dev libgtk-3-dev libpango1.0-dev libx11-dev libxtst-dev zlib1g-dev
      - name: Update yt-dlp
        if: ${{ github.event_name != 'pull_request_target' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }}
        run: |
          chmod +x Core/src/main/resources/yt-dlp
          Core/src/main/resources/yt-dlp -U
      - name: Set up GraalVM JDK 21
        uses: graalvm/setup-graalvm@v1
        with:
          java-version: '21'
          distribution: 'graalvm'
          github-token: ${{ secrets.GITHUB_TOKEN }}
          set-java-home: true
          cache: 'maven'
      - name: Package Drifty CLI with GraalVM
        if: matrix.docker_context == 'CLI'
        run: mvn -P build-drifty-cli-for-ubuntu-latest package
      - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
        if: matrix.docker_context == 'GUI'
        uses: stCarolas/setup-maven@v5
        with:
          maven-version: 3.8.8
      - name: Build platform-specific C object for missing jdk libraries
        if: matrix.docker_context == 'GUI'
        run: gcc -c config/missing_symbols.c -o config/missing_symbols-ubuntu-latest.o
      - name: Install dependency modules for GUI
        if: matrix.docker_context == 'GUI'
        run: mvn -U clean install
      - name: Package Drifty GUI with GraalVM
        if: matrix.docker_context == 'GUI'
        run: mvn -P build-drifty-gui-for-ubuntu-latest gluonfx:build gluonfx:package -rf :GUI
      - name: Categorise build artifacts for CLI
        if: matrix.docker_context == 'CLI'
        run: |
          mkdir build
          mkdir build/CLI
          mv "CLI/target/CLI/linux/Drifty CLI" "CLI/target/CLI/linux/Drifty_CLI"
          mv "CLI/target/CLI/linux/Drifty_CLI" -t build/CLI
      - name: Categorise build artifacts for GUI
        if: matrix.docker_context == 'GUI'
        run: |
          mkdir build
          mkdir build/GUI
          mv "GUI/target/gluonfx/x86_64-linux/Drifty GUI" "GUI/target/gluonfx/x86_64-linux/Drifty_GUI"
          mv "GUI/target/gluonfx/x86_64-linux/Drifty_GUI" -t build/GUI

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.6.1

      # Login to GitHub Container Registry
      # https://github.com/docker/login-action
      - name: Log into registry
        uses: docker/login-action@v3.3.0
        if: github.event_name != 'pull_request_target'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5.5.1
        with:
          images: |
            ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=raw,value=alpha,enable=${{ env.RELEASE_STAGE == 'Alpha' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=beta,enable=${{ env.RELEASE_STAGE == 'Beta' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=rc,enable=${{ env.RELEASE_STAGE == 'Release Candidate' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=latest,enable=${{ env.RELEASE_STAGE == 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=${{ env.VERSION }},enable=${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}
            type=raw,value=${{ env.VERSION_NUMBER }}-${{ env.RELEASE_STAGE_SHORT }},enable=${{ env.RELEASE_STAGE != 'Stable' && github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }} 
            type=sha
          flavor: |
            latest=false

      - name: Set Image Description prefix
        run: |
          if ${{ github.event_name == 'workflow_dispatch' && github.repository == 'SaptarshiSarkar12/Drifty' && github.ref_name == 'master' }}; then
            echo "IMAGE_DESCRIPTION_PREFIX=The ${{ env.RELEASE_STAGE }}" >> $GITHUB_ENV
          elif ${{ github.event_name == 'push' && github.repository == 'SaptarshiSarkar12/Drifty' }}; then
            echo "IMAGE_DESCRIPTION_PREFIX=The Branch Preview" >> $GITHUB_ENV
          else
            echo "IMAGE_DESCRIPTION_PREFIX=The" >> $GITHUB_ENV
          fi

      # Build and push Docker image with Buildx (don't push on PR and branches created by Dependabot)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6.7.0
        with:
          context: build/${{ matrix.docker_context }}
          push: ${{ github.event_name != 'pull_request_target' && github.repository == 'SaptarshiSarkar12/Drifty' && !contains(github.ref_name, 'dependabot') }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: Docker/prod/${{ matrix.docker_context }}/Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
          outputs: "type=image,name=target,\
            annotation-index.org.opencontainers.image.source=https://github.com/SaptarshiSarkar12/Drifty,\
            annotation-index.org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION_PREFIX }} docker image for Drifty ${{ matrix.docker_context }},\
            annotation-index.org.opencontainers.image.licenses=Apache-2.0"

      - name: Build same image with different tag # cached build, so, will be faster, and it will be used for security scan
        run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.docker_context }}/Dockerfile build/${{ matrix.docker_context }}

      - name: Run Trivy security scan
        uses: aquasecurity/trivy-action@0.24.0
        continue-on-error: true
        with:
          image-ref: ${{ matrix.image_name }}
          format: 'sarif'
          exit-code: 1
          vuln-type: os,library
          ignore-unfixed: true
          output: 'trivy-report.sarif'
          hide-progress: false
          scanners: vuln,secret,misconfig

      - name: Upload Trivy security scan results
        uses: github/codeql-action/upload-sarif@main
        with:
          sarif_file: trivy-report.sarif