.github/workflows/ci.yaml

name: Continuous integration

on:
  push:
  pull_request:
    types: [ opened, reopened ]
  workflow_dispatch:

jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Set up Go
        uses: actions/setup-go@v2.1.5
        with:
          go-version: 1.17

      - name: Checkout
        uses: actions/checkout@v2.4.0

      - name: Cache Go modules
        uses: actions/cache@v2.1.7
        id: go-mod-cache
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Get dependencies
        run: make download

      - name: Lint
        run: |
          result="$(make  lint)"
          echo "$result"
          [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0

      - name: Build
        run: make build

      - name: Test
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make test-race

      - name: Coverage
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make coverage-out

      - name: Upload Code Coverage
        uses: codecov/codecov-action@v2.1.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true

  release:
    name: release
    needs: [build]
    outputs:
      container_digest: ${{ steps.container_info.outputs.container_digest }}
      container_tags: ${{ steps.container_info.outputs.container_tags }}
      container_repos: ${{ steps.container_info.outputs.container_repos }}

    runs-on: ubuntu-20.04

    steps:
      - name: Set up Go
        uses: actions/setup-go@v2.1.5
        with:
          go-version: 1.17

      - name: Install cosign
        uses: sigstore/cosign-installer@v2.0.0
        with:
          cosign-release: 'v1.5.1'

      - name: Checkout
        uses: actions/checkout@v2.4.0
        with:
          fetch-depth: 0

      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Set release variables
        id: release-vars
        run: |
          make release-vars > /tmp/spiffe-vault-release-vars.env
          source /tmp/spiffe-vault-release-vars.env
          if [[ -n "$LDFLAGS" ]]; then
            echo "::set-output name=LDFLAGS::$LDFLAGS"
          fi
          if [[ -n "$GIT_HASH" ]]; then
            echo "::set-output name=GIT_HASH::$GIT_HASH"
          fi
          rm -f /tmp/spiffe-vault-release-vars.env

      - name: Install signing key
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key

      - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
        uses: goreleaser/goreleaser-action@v2
        with:
          version: latest
          args: release --rm-dist ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
          GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Get container info
        id: container_info
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
          echo "::set-output name=container_digest::$CONTAINER_DIGEST"
          echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)"
          echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io

      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key

  container-provenance:
    name: container-provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04

    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v2.0.0
        with:
          cosign-release: 'v1.5.1'

      - name: Generate provenance for ${{ matrix.repo }}
        uses: philips-labs/slsa-provenance-action@v0.7.0-rc
        with:
          command: generate
          subcommand: container
          arguments: --repository ${{ matrix.repo }} --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Get slsa-provenance predicate
        run: |
          cat provenance.json | jq .predicate > provenance-predicate.json

      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Attach provenance to image
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          cosign attest --predicate provenance-predicate.json --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Verify attestation
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io
          rm -f cosign.key

  provenance:
    name: provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04

    steps:
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@v0.7.0-rc
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.json --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"