.github/workflows/build.yaml

name: Build release images

on:
  push:
    branches:
      - 'main'
    paths:
      - 'NGINX_BASE'
      - 'TAG'

permissions:
  contents: read

jobs:
  changes:
    name: Changes
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    outputs:
      base: ${{ steps.filter.outputs.base }}
      controller: ${{ steps.filter.outputs.controller }}
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2

      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            base:
              - 'NGINX_BASE'
            controller:
              - 'TAG'

  build:
    name: Build and push images
    runs-on: self-hosted-8cpu
    if: |
      (needs.changes.outputs.base == 'true' || needs.changes.outputs.controller == 'true')
    needs:
      - changes
    outputs:
      matrix: ${{ steps.items.outputs.matrix }}
    steps:
      - name: Import secrets
        uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          secrets: |
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
            kv-gitlab-ci/data/github/shared/node-repo-key key | NODE_REPO_KEY ;

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.0.0
        with:
          version: latest
          use: false

      - name: Docker login
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
        with:
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

      - name: Build and push base image
        if: needs.changes.outputs.base == 'true'
        run: |
          eval $(ssh-agent -s)
          echo "${{ steps.secrets.outputs.NODE_REPO_KEY }}" | tr -d '\r' | ssh-add -
          make -C images/nginx push

      - name: Build and push controller images
        env:
          ARCH: amd64
          USER: runner
        if: needs.changes.outputs.controller == 'true'
        run: make release

      - name: Prepare list of images to sign
        id: items
        run: |
          cat <<EOF > matrix.json
          {
            "include": [
              {
                "item": "base",
                "image": "$(cat NGINX_BASE)"
              },
              {
                "item": "controller",
                "image": "wallarm/ingress-controller:$(cat TAG)"
              },
              {
                "item": "controller-chroot",
                "image": "wallarm/ingress-controller-chroot:$(cat TAG)"
              }
            ]
          }
          EOF
          
          if [ ! ${{ needs.changes.outputs.controller }} = true ]; then
            cat <<< $(jq 'del(.include[] | select (.item =="controller" or .item =="controller-chroot"))' matrix.json) > matrix.json
          fi
          
          if [ ! ${{ needs.changes.outputs.base }} = true ]; then
            cat <<< $(jq 'del(.include[] | select (.item =="base"))' matrix.json) > matrix.json
          fi
          
          cat matrix.json
          echo "matrix=$(cat matrix.json | jq -c '.')" >> $GITHUB_OUTPUT

  sign:
    name: Sign images
    runs-on: self-hosted-1cpu
    needs:
      - changes
      - build
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.build.outputs.matrix) }}
    steps:
      - name: Import secrets
        uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          secrets: |
            kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
            kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;

      - name: Docker login
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
        with:
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

      - name: Sign image ${{ matrix.image }}
        id: sign
        env:
          COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }}
        run: |
          IMAGE_NAME="${{ matrix.image }}"
          docker pull -q ${IMAGE_NAME}
          
          IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}')
          IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
          IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
          SBOM_SPDX="${{ matrix.item }}_${IMAGE_TAG}_spdx.json"
          
          syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
          cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
          
          echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
          
      - name: Upload SBOM
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        with:
          retention-days: 30
          name: ${{ steps.sign.outputs.sbom }}
          path: ${{ steps.sign.outputs.sbom }}