.github/workflows/build.yml

name: kwctl build
on:
  workflow_call:
  push:
    branches:
      - "main"
      - "feat-**"

env:
  CARGO_TERM_COLOR: always

jobs:
  build-linux-binaries:
    name: Build linux binaries
    runs-on: ubuntu-latest
    strategy:
      matrix:
        targetarch:
          - aarch64
          - x86_64

    permissions:
      packages: write
      id-token: write

    steps:
      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: checkout code
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

      - name: setup rust toolchain
        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
        with:
          toolchain: stable
          target: ${{matrix.targetarch}}-unknown-linux-musl
          override: true

      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
        with:
          use-cross: true
          command: build
          args: --release --target ${{matrix.targetarch}}-unknown-linux-musl

      - name: Sign kwctl
        run: |
          mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}
          cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig

      - run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem

      - name: Upload binary
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-linux-${{ matrix.targetarch }}
          path: kwctl-linux-${{ matrix.targetarch }}.zip

      - name: Install the syft command
        uses: kubewarden/github-actions/syft-installer@5eea0bfad475f7b24620b26208b121c545ef21f1 # v3.1.19

      - name: Create SBOM file
        shell: bash
        run: |
          syft \
          --file kwctl-linux-${{ matrix.targetarch }}-sbom.spdx \
          --output spdx-json \
          --source-name kwctl-linux-${{ matrix.targetarch }} \
          --source-version ${{ github.sha }} \
          -vv \
          dir:. # use dir default catalogers, which includes Cargo.toml

      - name: Sign SBOM file
        run: |
          cosign sign-blob --yes \
            --output-certificate kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert \
            --output-signature kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig \
            kwctl-linux-${{ matrix.targetarch }}-sbom.spdx

      - name: Upload kwctl SBOM files
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-linux-${{ matrix.targetarch }}-sbom
          path: |
            kwctl-linux-${{ matrix.targetarch }}-sbom.spdx
            kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert
            kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig

      - name: Upload kwctl air gap scripts
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if: matrix.targetarch == 'x86_64' # only upload the scripts once
        with:
          name: kwctl-airgap-scripts
          path: |
            scripts/kubewarden-load-policies.sh
            scripts/kubewarden-save-policies.sh

  build-darwin-binaries:
    name: Build darwin binary
    strategy:
      matrix:
        targetarch: ["aarch64", "x86_64"]
    runs-on: macos-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Setup rust toolchain
        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
        with:
          toolchain: stable
          target: ${{ matrix.targetarch }}-apple-darwin
          override: true

      - run: rustup target add ${{ matrix.targetarch }}-apple-darwin

      - name: Build kwctl
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
        with:
          command: build
          args: --target=${{ matrix.targetarch }}-apple-darwin --release

      - run: mv target/${{ matrix.targetarch }}-apple-darwin/release/kwctl kwctl-darwin-${{ matrix.targetarch }}

      - name: Smoke test build
        if: matrix.targetarch == 'x86_64'
        run: ./kwctl-darwin-x86_64 --help

      - name: Sign kwctl
        run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig

      - run: zip -j9 kwctl-darwin-${{ matrix.targetarch }}.zip kwctl-darwin-${{ matrix.targetarch }} kwctl-darwin-${{ matrix.targetarch }}.sig kwctl-darwin-${{ matrix.targetarch }}.pem

      - name: Upload binary
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-darwin-${{ matrix.targetarch }}
          path: kwctl-darwin-${{ matrix.targetarch }}.zip

      - name: Install the syft command
        uses: kubewarden/github-actions/syft-installer@5eea0bfad475f7b24620b26208b121c545ef21f1 # v3.1.19
        with:
          arch: darwin_amd64

      - name: Create SBOM file
        shell: bash
        run: |
          syft \
          --file kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx \
          --output spdx-json \
          --source-name kwctl-darwin-${{ matrix.targetarch }} \
          --source-version ${{ github.sha }} \
          -vv \
          dir:. # use dir default catalogers, which includes Cargo.toml

      - name: Sign SBOM file
        run: |
          cosign sign-blob --yes \
            --output-certificate kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert \
            --output-signature kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig \
            kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx

      - name: Upload kwctl SBOM files
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-darwin-${{ matrix.targetarch }}-sbom
          path: |
            kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx
            kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert
            kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig

  build-windows-x86_64:
    name: Build windows (x86_64) binary
    strategy:
      matrix:
        # workaround to have the same GH UI for all jobs
        targetarch: ["x86_64"]
        os: ["windows-latest"]
    runs-on: ${{ matrix.os }}
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Setup rust toolchain
        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
        with:
          toolchain: stable
      - run: rustup target add x86_64-pc-windows-msvc

      - name: enable git long paths on Windows
        if: matrix.os == 'windows-latest'
        run: git config --global core.longpaths true

      - name: Build kwctl
        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
        with:
          command: build
          args: --target=x86_64-pc-windows-msvc --release

      - run: mv target/x86_64-pc-windows-msvc/release/kwctl.exe kwctl-windows-x86_64.exe

      - name: Smoke test build
        run: .\kwctl-windows-x86_64.exe --help

      - name: Sign kwctl
        run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig

      - run: |
          "/c/Program Files/7-Zip/7z.exe" a kwctl-windows-x86_64.exe.zip kwctl-windows-x86_64.exe kwctl-windows-x86_64.sig kwctl-windows-x86_64.pem
        shell: bash

      - name: Upload binary
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-windows-x86_64
          path: kwctl-windows-x86_64.exe.zip

      - name: Install the syft command
        uses: kubewarden/github-actions/syft-installer@5eea0bfad475f7b24620b26208b121c545ef21f1 # v3.1.19
        with:
          arch: windows_amd64

      - name: Create SBOM file
        shell: bash
        run: |
          syft \
          --file kwctl-windows-x86_64-sbom.spdx \
          --output spdx-json \
          --source-name kwctl-windows-x86_64 \
          --source-version ${{ github.sha }} \
          -vv \
          dir:. # use dir default catalogers, which includes Cargo.toml

      - name: Sign SBOM file
        shell: bash
        run: |
          cosign sign-blob --yes \
          --output-certificate kwctl-windows-x86_64-sbom.spdx.cert \
          --output-signature kwctl-windows-x86_64-sbom.spdx.sig \
          kwctl-windows-x86_64-sbom.spdx

      - name: Upload kwctl SBOM files
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: kwctl-windows-x86_64-sbom
          path: |
            kwctl-windows-x86_64-sbom.spdx
            kwctl-windows-x86_64-sbom.spdx.cert
            kwctl-windows-x86_64-sbom.spdx.sig