name: Docker App - Rest Passthrough

on:
  push:
    branches:
      - 'main'
    paths:
      - '.github/workflows/docker-app-rest-passthrough.yml'
      - 'docker-apps/rest-passthrough/**'
  pull_request:
  merge_group:
  schedule:
    - cron: '0 0 * * *'

jobs:
  # Removing this for now until I can confirm a couple things and ensure it works fully
  #  - Matt H
  # run-release:
  #   name: Run release script
  #   runs-on: ubuntu-latest
  #   if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
  #   steps:
  #     - name: Checkout repository
  #       uses: actions/checkout@v4
  #     - name: Git config
  #       run: |
  #         git config user.name github-actions
  #         git config user.email github-actions@github.com
  #     - name: Run release script
  #       run: |
  #         yarn install --immutable
  #         yarn release
  #         git push && git push --tags

  app-version:
    name: Get app version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.package-version.outputs.current-version }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: get-npm-version
        id: package-version
        uses: martinbeentjes/npm-get-version-action@v1.3.1
        with:
          path: docker-apps/rest-passthrough

  build:
    name: Build docker image
    runs-on: ubuntu-latest
    needs: app-version
    steps:
      - uses: actions/checkout@v4
      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: false
          tags: 'discordeno/app-rest-passthrough:latest, discordeno/app-rest-passthrough:v${{ needs.app-version.outputs.version }}'
          context: docker-apps/rest-passthrough
          target: runner
          outputs: type=docker,dest=/tmp/rest-passthrough-image.tar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
      - # Temp fix
        # https://github.com/docker/build-push-action/issues/252
        # https://github.com/moby/buildkit/issues/1896
        name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: rest-passthrough-image
          path: /tmp/rest-passthrough-image.tar

  image-scan:
    name: Image scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: rest-passthrough-image
          path: /tmp
      - name: Load Docker image
        run: docker load --input /tmp/rest-passthrough-image.tar
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          image-ref: 'discordeno/app-rest-passthrough:latest'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          image-ref: 'discordeno/app-rest-passthrough:latest'
          exit-code: '0'
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Run Snyk to check Docker image for vulnerabilities
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: 'discordeno/app-rest-passthrough:latest'
          args: --file=docker-apps/rest-passthrough/Dockerfile
      # See https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400 for for info
      - name: Replace security-severity undefined for license-related findings
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        run: |
          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
      - name: Upload snyk scan results to GitHub Security tab
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

  build-all-arch:
    name: Build image for all architectures
    needs: [build, app-version]
    if: ${{ github.event_name != 'schedule' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: docker-apps/rest-passthrough
          push: false
          tags: 'discordeno/app-rest-passthrough:latest, discordeno/app-rest-passthrough:v${{ needs.app-version.outputs.version }}'
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
      - # Temp fix
        # https://github.com/docker/build-push-action/issues/252
        # https://github.com/moby/buildkit/issues/1896
        name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

  publish:
    name: Publish image
    # needs: [run-release, build-all-arch, app-version]
    needs: [build-all-arch, app-version]
    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: docker-apps/rest-passthrough
          push: true
          tags: 'ghcr.io/discordeno/app-rest-passthrough:latest, ghcr.io/discordeno/app-rest-passthrough:v${{ needs.app-version.outputs.version }}'
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner