.github/workflows/publish.yml

name: "Release Build"
on:
  release:
    types: [published]
env:
  CONTAINER_REGISTRY: ghcr.io/juice-shop
jobs:
  helmRelease:
    name: "Publish Helm Chart"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - id: release-version
        name: Parse Release Version
        run: |
          RELEASE_VERSION="${GITHUB_REF#refs/*/}"
          # Remove leading 'v' from git tag to create valid semver
          RELEASE_VERSION="${RELEASE_VERSION//v}"
          echo "version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"

      - name: "Login to Package Registry"
        run: 'echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login --username ${{ github.actor }} --password-stdin ${{ env.CONTAINER_REGISTRY }}'

      - name: "Package Helm Chart"
        working-directory: helm/multi-juicer/
        run: |
          helm package --version "${{ steps.release-version.outputs.version }}" .

      - name: "Push Helm Chart"
        working-directory: helm/multi-juicer/
        run: |
          helm push "multi-juicer-${{ steps.release-version.outputs.version }}.tgz" oci://${{ env.CONTAINER_REGISTRY }}/multi-juicer/helm

  dockerBuilds:
    name: "Build"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token
    strategy:
      matrix:
        component:
          - progress-watchdog
          - cleaner
          - balancer
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - id: image-metadata
        name: Container Image Metadata
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.CONTAINER_REGISTRY }}/multi-juicer/${{ matrix.component }}
          tags: |
            type=semver,pattern={{raw}}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          registry: ${{ env.CONTAINER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract JuiceShop Version from Helm Values
        id: extract-juice-shop-version
        run: |
          JUICE_SHOP_VERSION=$(yq eval '.config.juiceShop.tag' helm/multi-juicer/values.yaml)
          echo "version=$JUICE_SHOP_VERSION" >> "$GITHUB_OUTPUT"

      - id: build-and-push
        name: Build and Push
        uses: docker/build-push-action@v6
        with:
          context: ./${{ matrix.component }}
          file: ./${{ matrix.component }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.image-metadata.outputs.tags }}
          labels: ${{ steps.image-metadata.outputs.labels }}
          build-args: |
            JUICE_SHOP_VERSION=${{ steps.extract-juice-shop-version.outputs.version }}

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.image-metadata.outputs.tags }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}