.github/workflows/merge.yaml

name: Check,Build,Deploy

on:
  push:
    branches:
      - develop
      - test
      - staging
      - main

permissions:
  contents: write
  pull-requests: write
  packages: write

env:
  ENVIRONMENT: ${{ (github.ref_name == 'main' && 'prod-govtool') || (github.ref_name == 'staging' && 'pre-prod-govtool') || (github.ref_name == 'test' && 'qa-govtool') || (github.ref_name == 'develop' && 'dev-govtool') }}

jobs:
  check-build-deploy:
    environment:  ${{ (github.ref_name == 'main' && 'prod-govtool') || (github.ref_name == 'staging' && 'pre-prod-govtool') || (github.ref_name == 'test' && 'qa-govtool') || (github.ref_name == 'develop' && 'dev-govtool') }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - workdir: ./govtool/backend
            name: govtool-backend
            dockerfile: ./govtool/backend/Dockerfile.qovery
            image: ghcr.io/${{ github.repository }}-govtool-backend
            qovery_container_name: govtool-backend
          - workdir: ./govtool/frontend
            name: govtool-frontend
            dockerfile: ./govtool/frontend/Dockerfile.qovery
            image: ghcr.io/${{ github.repository }}-govtool-frontend
            qovery_container_name: govtool-frontend
          - workdir: ./govtool/metadata-validation
            name: govtool-metadata-validation
            dockerfile: ./govtool/metadata-validation/Dockerfile
            image: ghcr.io/${{ github.repository }}-govtool-metadata-validation
            qovery_container_name: govtool-metadata-validation

    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set TAG Environment Variable
        id: set_tag
        run: |
          if [ "${{ github.ref_name }}" = "main" ]; then
            echo "TAG=${{ github.sha }}" >> $GITHUB_ENV
          else
            echo "TAG=${{ github.ref_name }}-${{ github.sha }}" >> $GITHUB_ENV
          fi

      - name: Lint Dockerfile
        id: hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          failure-threshold: error
          format: json
          dockerfile: ${{ matrix.dockerfile }}
          # output-file: hadolint_output.json

      - name: Save Hadolint output
        id: save_hadolint_output
        if: always()
        run: cd ${{ matrix.workdir }} && echo "$HADOLINT_RESULTS" | jq '.' > hadolint_output.json

      - name: Print Dockerfile lint output
        run: |
          cd ${{ matrix.workdir }}
          echo "-----HADOLINT RESULT-----"
          echo "Outcome: ${{ steps.hadolint.outcome }}"
          echo "-----DETAILS--------"
          cat hadolint_output.json
          echo "--------------------"

      - name: Code lint
        id: code_lint
        run: |
          cd ${{ matrix.workdir }}
          if [ ! -f lint.sh ]; then
            echo "lint skipped" | tee code_lint_output.txt
            exit 0
          fi
          set -o pipefail
          sudo chmod +x lint.sh && ./lint.sh 2>&1 | tee code_lint_output.txt


      - name: Unit tests
        id: unit_tests
        run: |
          cd ${{ matrix.workdir }}
          if [ ! -f unit-test.sh ]; then
            echo "unit tests skipped" | tee code_lint_output.txt
            exit 0
          fi
          set -o pipefail
          sudo chmod +x unit-test.sh && ./unit-test.sh 2>&1 | tee unit_test_output.txt

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - id: image_lowercase
        uses: ASzc/change-string-case-action@v6
        with:
          string: ${{ matrix.image }}

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.workdir }}
          file: ${{ matrix.dockerfile }}
          tags: ${{ steps.image_lowercase.outputs.lowercase }}:${{ env.TAG }}
          load: false
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          outputs: type=docker,dest=/tmp/image-${{ matrix.name }}-${{ env.ENVIRONMENT }}.tar
          build-args: |
            VITE_APP_ENV=${{ secrets.VITE_APP_ENV }}
            VITE_BASE_URL=${{ secrets.VITE_BASE_URL }}
            VITE_METADATA_API_URL=${{ secrets.VITE_METADATA_API_URL }}
            VITE_GTM_ID=${{ secrets.VITE_GTM_ID }}
            VITE_NETWORK_FLAG=${{ secrets.VITE_NETWORK_FLAG }}
            VITE_SENTRY_DSN=${{ secrets.VITE_SENTRY_DSN }}
            NPMRC_TOKEN=${{ secrets.NPMRC_TOKEN }}
            VITE_USERSNAP_SPACE_API_KEY=${{ secrets.VITE_USERSNAP_SPACE_API_KEY }}
            VITE_IS_PROPOSAL_DISCUSSION_FORUM_ENABLED=${{ secrets.VITE_IS_PROPOSAL_DISCUSSION_FORUM_ENABLED }}
            VITE_PDF_API_URL=${{ secrets.VITE_PDF_API_URL }}

      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Scan Docker image with Dockle
        id: dockle
        run: |
            wget -q https://github.com/goodwithtech/dockle/releases/download/v0.4.14/dockle_0.4.14_Linux-64bit.tar.gz
            tar zxf dockle_0.4.14_Linux-64bit.tar.gz
            sudo mv dockle /usr/local/bin

            dockle --exit-code 1 --exit-level fatal --format json -ak GHC_RELEASE_KEY -ak CABAL_INSTALL_RELEASE_KEY -ak STACK_RELEASE_KEY -ak KEY_SHA512 --input '/tmp/image-${{ matrix.name }}-${{ env.ENVIRONMENT }}.tar' --output ${{ matrix.workdir }}/dockle_scan_output.json
            echo " dockle exited w/ $?"
            cat ${{ matrix.workdir }}/dockle_scan_output.json

            echo "outcome=success" >> $GITHUB_OUTPUT

      - name: Push Docker image to GHCR
        run: |
          docker load -i '/tmp/image-${{ matrix.name }}-${{ env.ENVIRONMENT }}.tar'
          rm -rf '/tmp/image-${{ matrix.name }}-${{ env.ENVIRONMENT }}.tar'
          docker push ${{ steps.image_lowercase.outputs.lowercase }}:${{ env.TAG }}

      - name: Add tag as a PR comment
        uses: ubie-oss/comment-to-merged-pr-action@v0.3.3
        id: comment-to-merged-pr
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          message: |-
            This PR is in the tag: ${{ env.TAG }} , for ${{ matrix.name }} service