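---
# CI for the REST proxy image built from proxies/rest.
#
#   build          -> single-arch image, exported as a tarball artifact
#   image-scan     -> Trivy (table + SARIF) and Snyk scans of that artifact
#   build-all-arch -> multi-arch build check (skipped on schedule)
#   publish        -> multi-arch build pushed to ghcr.io on push to main
name: Rest proxy

# Least-privilege default for GITHUB_TOKEN. A job-level `permissions` block
# replaces this set entirely, so every job override must restate
# `contents: read` for actions/checkout.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
    paths:
      - '.github/workflows/rest-proxy.yml'
      - 'proxies/rest/**'
  pull_request:
    paths:
      - '.github/workflows/rest-proxy.yml'
      - 'proxies/rest/**'
  schedule:
    # Daily run so vulnerabilities published after the last push still get
    # reported against the current image.
    - cron: '0 0 * * *'

jobs:
  build:
    name: Build docker image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          push: false
          tags: discordeno/rest-proxy:latest
          context: proxies/rest
          target: runner
          # Export to a tarball so image-scan loads exactly the bytes built here.
          outputs: type=docker,dest=/tmp/rest-proxy-image.tar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: rest-proxy-image
          path: /tmp/rest-proxy-image.tar

  image-scan:
    name: Image scan
    runs-on: ubuntu-latest
    needs: build
    permissions:
      # checkout (the Snyk step reads proxies/rest/Dockerfile from the tree)
      contents: read
      # Required by github/codeql-action/upload-sarif; private repositories
      # additionally need `actions: read`.
      security-events: write
    steps:
      - uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: rest-proxy-image
          path: /tmp

      - name: Load Docker image
        run: docker load --input /tmp/rest-proxy-image.tar

      # Human-readable report on every run, including pull requests.
      # exit-code '0' means findings never fail the job; raise it to gate merges.
      - name: Run Trivy vulnerability scanner
        # TODO: pin to a release tag or commit SHA; @master is a mutable ref
        # that can change underneath this workflow.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'discordeno/rest-proxy:latest'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

      # SARIF variant of the same scan, only on push/schedule (presumably
      # because pull_request runs lack the token scope and secrets used below).
      # Note: unlike the table scan this one does not set ignore-unfixed.
      - name: Run Trivy vulnerability scanner (SARIF)
        # TODO: pin to a release tag or commit SHA; @master is a mutable ref.
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          image-ref: 'discordeno/rest-proxy:latest'
          exit-code: '0'
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          sarif_file: 'trivy-results.sarif'

      # Best-effort: a Snyk outage or missing SNYK_TOKEN must not fail the job.
      - name: Run Snyk to check Docker image for vulnerabilities
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        continue-on-error: true
        # TODO: pin to a release tag or commit SHA; @master is a mutable ref.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: 'discordeno/rest-proxy:latest'
          args: --file=proxies/rest/Dockerfile

      - name: Upload result to GitHub Code Scanning
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

  build-all-arch:
    name: Build image for all architectures
    needs: build
    # The scheduled run only re-scans; no need to rebuild every platform.
    if: ${{ github.event_name != 'schedule' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build Docker image
        uses: docker/build-push-action@v4
        with:
          context: proxies/rest
          push: false
          tags: 'discordeno/rest-proxy:latest'
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

  publish:
    name: Publish image
    needs: build-all-arch
    # Only the main branch, and only a real push (never a scheduled run).
    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # push to ghcr.io with GITHUB_TOKEN
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      # This is a fresh build, not the tarball scanned in image-scan, so the
      # published bytes are not the scanned bytes; the scan is advisory only.
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: proxies/rest
          push: true
          tags: 'ghcr.io/discordeno/rest-proxy:latest'
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner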