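# Builds, merges, signs and scans the go-base dev/runtime images, then builds a
# hermetic final image on top of them and signs that too.
#
# Supply-chain note: the buildsafedev/multiarch-build--action steps and the Nix
# installer are referenced by the mutable ref @main, and the former receive the
# Docker Hub password. Pin every third-party action to a commit SHA
# (uses: owner/repo@<sha>  # vX.Y.Z) before trusting images produced here.
name: go-base

env:
  # Every run publishes to this same mutable tag (see `concurrency` below).
  image_tag: v1

on:
  push:
    # The cosign verify steps hard-code the certificate identity to
    # refs/heads/multiarch-builds, so a run from any other branch would
    # overwrite the v1 images and then fail verification. Build only from
    # that branch.
    branches:
      - multiarch-builds

# Two overlapping runs would race on the v1 tag between the merge jobs and the
# later jobs that resolve that tag back to a digest; queue runs per ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Default GITHUB_TOKEN scope for jobs without their own permissions block;
# the signing/build jobs raise id-token explicitly.
permissions:
  contents: read

jobs:
  prepare-go-dev:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Prepare Action
        # TODO(security): pin to a commit SHA; this step receives the registry password.
        uses: buildsafedev/multiarch-build--action/prepare-action@main
        with:
          oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
          oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
          image_name: holiodin01/go-base-dev
          ociBlock: go-dev
          tag: ${{ env.image_tag }}

  prepare-go-runtime:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Prepare Action
        # TODO(security): pin to a commit SHA; this step receives the registry password.
        uses: buildsafedev/multiarch-build--action/prepare-action@main
        with:
          oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
          oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
          image_name: holiodin01/go-base-runtime
          ociBlock: go-runtime
          tag: ${{ env.image_tag }}

  # Build the OCI images for dev and runtime, one job per architecture.
  build:
    needs: [prepare-go-dev, prepare-go-runtime]
    strategy:
      fail-fast: false
      matrix:
        # linux-arm64 is presumably a self-hosted / larger-runner label for the
        # arm64 half of the multi-arch image -- confirm it exists for this repo.
        platform: [ubuntu-latest, linux-arm64]
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Build Action
        # TODO(security): pin to a commit SHA; this step receives the registry password.
        uses: buildsafedev/multiarch-build--action/build-action@main
        with:
          oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
          oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
          ociBlocks: go-dev go-runtime
          directory: 'go-server-example'

  # Merge the arm64 and amd64 development images into one multi-arch image.
  merge-dev:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Merge Action
        # TODO(security): pin to a commit SHA; this step receives the registry password.
        uses: buildsafedev/multiarch-build--action/merge-action@main
        with:
          oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
          oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
          image_name: holiodin01/go-base-dev
          ociBlock: go-dev
          tag: ${{ env.image_tag }}

  # Same merge for the runtime image.
  merge-runtime:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Merge Action
        # TODO(security): pin to a commit SHA; this step receives the registry password.
        uses: buildsafedev/multiarch-build--action/merge-action@main
        with:
          oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
          oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
          image_name: holiodin01/go-base-runtime
          ociBlock: go-runtime
          tag: ${{ env.image_tag }}

  # Keyless-sign the merged base images and verify the signature back.
  sign-the-image:
    needs: [merge-dev, merge-runtime]
    runs-on: ubuntu-latest
    permissions:
      # Needed for the OIDC token that Fulcio issues the signing cert against.
      id-token: write
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0
        with:
          cosign-release: 'v2.4.1'
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Sign and push image
        env:
          # Keyless signing is the default on cosign v2; kept for older releases.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          set -euo pipefail
          # Resolve the mutable tag to the amd64 child digest once, then sign,
          # verify and locate the signature by that digest only.
          # NOTE(review): only the amd64 manifest is signed; the image index and
          # the arm64 manifest carry no signature. `cosign sign --recursive` on
          # the index digest would cover all of them if that is wanted.
          base_img_digest=$(docker manifest inspect "holiodin01/go-base-dev:${image_tag}" |
            jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
          runtime_img_digest=$(docker manifest inspect "holiodin01/go-base-runtime:${image_tag}" |
            jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
          [ -n "${base_img_digest}" ] && [ -n "${runtime_img_digest}" ] || {
            echo "::error::could not resolve amd64 digests for tag ${image_tag}"
            exit 1
          }

          cosign sign --yes "holiodin01/go-base-dev@${base_img_digest}"
          cosign verify \
            --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "holiodin01/go-base-dev@${base_img_digest}"
          # Print where the signature was stored in the registry.
          cosign triangulate "holiodin01/go-base-dev@${base_img_digest}"

          # Sign and verify the runtime image the same way.
          cosign sign --yes "holiodin01/go-base-runtime@${runtime_img_digest}"
          cosign verify \
            --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "holiodin01/go-base-runtime@${runtime_img_digest}"
          cosign triangulate "holiodin01/go-base-runtime@${runtime_img_digest}"

  # Build the final image without network access, pinned to the digests signed
  # above, and refuse to hand it to the signing job unless BuildKit recorded
  # the build as hermetic and grype finds no fixable high+ vulnerability.
  hermetic_builds:
    needs: [merge-dev, merge-runtime]
    runs-on: ubuntu-latest
    permissions:
      # A job-level permissions block replaces the defaults, so contents must
      # be granted here explicitly for the checkout below.
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build hermetic image
        working-directory: go-server-example
        run: |
          set -euo pipefail
          # Pin both base images to the amd64 digests that the signing job signs.
          base_img_digest=$(docker manifest inspect "holiodin01/go-base-dev:${image_tag}" |
            jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
          runtime_img_digest=$(docker manifest inspect "holiodin01/go-base-runtime:${image_tag}" |
            jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
          [ -n "${base_img_digest}" ] && [ -n "${runtime_img_digest}" ] || {
            echo "::error::could not resolve amd64 digests for tag ${image_tag}"
            exit 1
          }

          docker buildx create --name mybuilder --use --driver docker-container
          # --network=none is what the hermetic check below depends on. The git
          # context is fetched by the BuildKit daemon, not by a RUN step, so it
          # is unaffected; it is pinned to the commit that triggered this run
          # rather than the branch head so the image matches GITHUB_SHA even if
          # the branch moves while the run is in progress.
          # NOTE(review): --push already selects the registry exporter; the extra
          # `--output type=oci` (with no dest) looks redundant and some buildx
          # versions reject the two together -- confirm and drop it if so.
          docker buildx build \
            --build-arg BASE_IMAGE="holiodin01/go-base-dev@${base_img_digest}" \
            --build-arg RUNTIME_IMAGE="holiodin01/go-base-runtime@${runtime_img_digest}" \
            --no-cache \
            --tag "holiodin01/go-final:${image_tag}" \
            --network=none \
            --attest type=provenance,mode=min \
            --platform=linux/amd64 \
            --push \
            --output type=oci \
            "https://github.com/buildsafedev/examples.git#${GITHUB_SHA}:go-server-example"
      - name: Install Nix
        # TODO(security): pin to a commit SHA instead of the mutable @main ref.
        uses: DeterminateSystems/nix-installer-action@main
      # Enter the Nix development shell. The `./` prefix is required; without
      # it nix treats the path as a flake URL.
      - name: Setup Nix development environment
        uses: nicknovitski/nix-develop@v1
        with:
          arguments: ./go-server-example/bsf/.#devShell
      - name: Is hermetic build
        run: |
          set -euo pipefail
          docker buildx imagetools inspect "holiodin01/go-final:${image_tag}" \
            --format "{{ json .Provenance.SLSA }}" > slsa.json
          cat slsa.json
          # Fail the job -- and therefore the downstream signing job -- when the
          # provenance does not claim a hermetic build. The image is already in
          # the registry at this point; the gate only withholds the signature.
          if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
            echo "Hermetic build"
          else
            echo "::error::Not a hermetic build"
            exit 1
          fi
      # grype is not installed by any step above; presumably it is provided by
      # the Nix devShell entered in the previous step -- TODO confirm.
      - name: Check for vulnerabilities
        run: grype "holiodin01/go-final:${image_tag}" --only-fixed --fail-on high

  sign-final-image:
    needs: hermetic_builds
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0
        with:
          cosign-release: 'v2.4.1'
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Sign and push image
        env:
          # Keyless signing is the default on cosign v2; kept for older releases.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          set -euo pipefail
          # Sign by digest, as the base images are: the tag is mutable, so a
          # tag-based sign/verify pair can end up verifying a different image
          # than the one that was signed.
          final_img_digest=$(docker buildx imagetools inspect "holiodin01/go-final:${image_tag}" \
            --format '{{ .Manifest.Digest }}')
          [ -n "${final_img_digest}" ] || {
            echo "::error::could not resolve digest for holiodin01/go-final:${image_tag}"
            exit 1
          }
          cosign sign --yes "holiodin01/go-final@${final_img_digest}"
          cosign verify \
            --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "holiodin01/go-final@${final_img_digest}"
          cosign triangulate "holiodin01/go-final@${final_img_digest}"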