.github/workflows/release.yaml

name: Release

on:
  push:
    tags:
      - v*
    branches:
      - master
      - dev-*

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

permissions:
  contents: read

jobs:
  build-linux:
    name: Build & push linux
    if: github.repository == 'pipekit/argo-workflows'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        platform: [ linux/amd64, linux/arm64 ]
        target: [ workflow-controller, argocli, argoexec ]
    steps:
      - uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.10.4

      - name: Cache Docker layers
        uses: actions/cache@v3
        id: cache
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Docker Buildx
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
        run: |
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
          image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"

          docker buildx build \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            --cache-to "type=local,dest=/tmp/.buildx-cache" \
            --output "type=image,push=true" \
            --platform="${PLATFORM}" \
            --target $TARGET \
            --provenance=false \
            --tag $image_name \
            --tag quay.io/$image_name .

  # build-windows:
  #   name: Build & push windows
  #   if: github.repository == 'pipekit/argo-workflows'
  #   runs-on: windows-2019
  #   steps:
  #     - uses: actions/checkout@v3
  #     - name: Docker Login
  #       uses: Azure/docker-login@v1
  #       with:
  #         username: ${{ secrets.DOCKERIO_USERNAME }}
  #         password: ${{ secrets.DOCKERIO_PASSWORD }}

  #     - name: Login to Quay
  #       uses: Azure/docker-login@v1
  #       with:
  #         login-server: quay.io
  #         username: ${{ secrets.QUAYIO_USERNAME }}
  #         password: ${{ secrets.QUAYIO_PASSWORD }}
   
  #     - name: Build & Push Windows Docker Images
  #       env:
  #         DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
  #       run: |
  #         docker_org=$DOCKERIO_ORG

  #         tag=$(basename $GITHUB_REF)
  #         if [ $tag = "master" ]; then
  #           tag="latest"
  #         fi

  #         targets="argoexec"
  #         for target in $targets; do
  #           image_name="${docker_org}/${target}:${tag}-windows"
  #           docker build --target $target -t $image_name -f Dockerfile.windows .
  #           docker push $image_name

  #           docker tag $image_name quay.io/$image_name
  #           docker push quay.io/$image_name

  #         done

  push-images:
    name: Push manifest with all images
    if: github.repository == 'pipekit/argo-workflows'
    runs-on: ubuntu-latest
    # needs: [ build-linux-amd64, build-linux-arm64, build-windows ]
    needs: [ build-linux ]
    steps:
      - uses: actions/checkout@v3
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      # - name: Install cosign
      #   uses: sigstore/cosign-installer@main
      #   with:
      #     cosign-release: 'v1.13.0'

      - name: Push Multiarch Image
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          # COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
          # COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
        run: |
          echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json

          docker_org=$DOCKERIO_ORG

          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          targets="workflow-controller argoexec argocli"
          for target in $targets; do
            image_name="${docker_org}/${target}:${tag}"

            if [ $target = "argoexec" ]; then
              # docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
              # docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
              docker manifest create $image_name ${image_name}-linux-amd64 ${image_name}-linux-arm64
              docker manifest create quay.io/$image_name quay.io/${image_name}-linux-amd64 quay.io/${image_name}-linux-arm64
            else
              docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
              docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64
            fi

            docker manifest push $image_name
            docker manifest push quay.io/$image_name

            # cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name

          done

  test-images-linux-amd64:
    name: Try pulling linux/amd64
    if: github.repository == 'pipekit/argo-workflows'
    runs-on: ubuntu-latest
    needs: [ push-images ]
    strategy:
      matrix:
        platform: [ linux/amd64 ]
        target: [ workflow-controller, argocli, argoexec ]
    steps:
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Docker Buildx
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
        run: |
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          image_name="${DOCKERIO_ORG}/${TARGET}:${tag}"
          docker pull $image_name
          docker pull quay.io/$image_name

  # test-images-windows:
  #   name: Try pulling windows
  #   if: github.repository == 'pipekit/argo-workflows'
  #   runs-on: windows-2019
  #   needs: [ push-images ]
  #   steps:
  #     - name: Docker Login
  #       uses: Azure/docker-login@v1
  #       with:
  #         username: ${{ secrets.DOCKERIO_USERNAME }}
  #         password: ${{ secrets.DOCKERIO_PASSWORD }}

  #     - name: Login to Quay
  #       uses: Azure/docker-login@v1
  #       with:
  #         login-server: quay.io
  #         username: ${{ secrets.QUAYIO_USERNAME }}
  #         password: ${{ secrets.QUAYIO_PASSWORD }}
  #     - name: Try pulling
  #       env:
  #         DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
  #       run: |
  #         docker_org=$DOCKERIO_ORG
  #         tag=$(basename $GITHUB_REF)
  #         if [ $tag = "master" ]; then
  #           tag="latest"
  #         fi

  #         targets="argoexec"
  #         for target in $targets; do
  #           image_name="${docker_org}/${target}:${tag}"
  #           docker pull $image_name
  #           docker pull quay.io/$image_name
  #         done

  publish-release:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    runs-on: ubuntu-latest
    if: github.repository == 'pipekit/argo-workflows'
    # needs: [ push-images, test-images-linux-amd64, test-images-windows ]
    needs: [ push-images, test-images-linux-amd64 ]
    env:
      NODE_OPTIONS: --max-old-space-size=4096
      # COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
      # COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: "19"
      - uses: actions/setup-go@v3
        with:
          go-version: "1.19"
      - uses: actions/cache@v3
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
      - uses: actions/cache@v3
        with:
          path: /home/runner/.cache/go-build
          key: GOCACHE-v2-${{ hashFiles('**/go.mod') }}
      - uses: actions/cache@v3
        with:
          path: /home/runner/go/pkg/mod
          key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }}
      # - name: Install cosign
      #   uses: sigstore/cosign-installer@main
      #   with:
      #     cosign-release: 'v1.13.0'
      # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
      - run: |
          if [ ${GITHUB_REF##*/} = master ]; then
           echo "VERSION=latest" >> $GITHUB_ENV
          else
            echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
          fi
      - run: go install sigs.k8s.io/bom/cmd/bom@v0.2.0
      - run: go install github.com/spdx/spdx-sbom-generator/cmd/generator@v0.0.13
      - run: mkdir -p dist
      - run: generator -o dist -p .
      - run: yarn --cwd ui install
      - run: generator -o dist -p ui
      - run: bom generate --image quay.io/pipekitdev/workflow-controller:$VERSION -o dist/workflow-controller.spdx
      - run: bom generate --image quay.io/pipekitdev/argocli:$VERSION -o dist/argocli.spdx
      - run: bom generate --image quay.io/pipekitdev/argoexec:$VERSION -o dist/argoexec.spdx
      # pack the boms into one file to make it easy to download
      - run: tar -zcf dist/sbom.tar.gz dist/*.spdx
      - run: make release-notes VERSION=$VERSION
      - run: cat release-notes
      - run: make manifests VERSION=$VERSION
      - name: Print image tag (please check it is not `:latest`)
        run: |
          grep image: dist/manifests/install.yaml
      - run: go mod download
      - run: make clis STATIC_FILES=true VERSION=$VERSION
      - name: Print version (please check it is not dirty)
        run: dist/argo-linux-amd64 version
      - run: make checksums
      # - name: Sign checksums and create public key for release assets
      #   run: |
      #     cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig
      #     # Retrieves the public key to release as an asset
      #     cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub

      # https://github.com/softprops/action-gh-release
      # This will publish the release and upload assets.
      # If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
      # of this action.
      # Instead, delete the release so it is re-created.
      - uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
          body_path: release-notes
          files: |
            dist/argo-*.gz
            dist/argo-workflows-cli-checksums.txt
            dist/argo-workflows-cli-checksums.sig
            dist/manifests/*.yaml
            # dist/argo-workflows-cosign.pub
            dist/sbom.tar.gz
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}