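name: CI

on:
  push:
    branches: [ "main" ]

env:
  # DOCKER_REPO is not referenced by any step in this workflow.
  DOCKER_REPO: docker.io/soders
  DOCKER_IMAGE: docker.io/soders/go-semver-release
  GIT_CI_USERNAME: go-semver-ci
  GIT_CI_EMAIL: go-semver@release.ci

jobs:
  # Builds and tests the tool, then runs it to decide whether a new release
  # is due and which version it gets. Both downstream jobs gate on `release`.
  go-build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      release: ${{ steps.go-semver.outputs.NEW_RELEASE }}
      semver: ${{ steps.go-semver.outputs.SEMVER }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # Full clone (tags included) — presumably needed by the
          # go-semver-release step below to walk the history; confirm.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          # Quoted so YAML keeps the version a string (an unquoted 1.20 would
          # parse as the float 1.2).
          go-version: "1.22"
      - name: Go Build
        run: go build -v -o go-semver-release main.go
      - name: Go Test
        run: go test -race -v -covermode=atomic -coverprofile=coverage.out ./...
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Go Semver Release
        id: go-semver
        run: ./go-semver-release local . --release-branch main --tag-prefix v --verbose

  # Builds the image, pushes it under a pre-release tag, scans that tag, and
  # only if the scan passes promotes it to the release tag and `latest`.
  docker-build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: go-build
    if: ${{ needs.go-build.outputs.release == 'true' }}
    env:
      PRERELEASE_TAG: '${{ needs.go-build.outputs.semver }}-${{ github.sha }}'
      RELEASE_TAG: ${{ needs.go-build.outputs.semver }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
      - name: Login to Docker Hub
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Docker build pre-release
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          context: .
          file: ./build/Dockerfile
          # The pre-release tag is published before the scan; only the Trivy
          # step below gates promotion to the release tag.
          push: true
          build-args: |
            APP_VERSION="${{ needs.go-build.outputs.semver }}"
            APP_BUILD_NUMBER="${{ github.run_id }}"
            APP_COMMIT_HASH="${{ github.sha }}"
          # Same fully qualified reference the scan and crane steps use
          # (docker.io is the default registry, so the image is unchanged).
          tags: ${{ env.DOCKER_IMAGE }}:${{ env.PRERELEASE_TAG }}
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
        with:
          image-ref: '${{ env.DOCKER_IMAGE }}:${{ env.PRERELEASE_TAG }}'
          format: 'table'
          # A non-zero exit fails the job, so findings block the release tag.
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Install Crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3.0
      - name: Crane Add Release Tags
        # Values are read from the shell environment instead of being
        # interpolated into the script, so they are never parsed as shell code.
        run: |
          crane tag "${DOCKER_IMAGE}:${PRERELEASE_TAG}" "${RELEASE_TAG}"
          crane tag "${DOCKER_IMAGE}:${PRERELEASE_TAG}" latest

  # Creates and pushes the signed git tag once the image has been scanned
  # and promoted.
  release-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    needs:
      - docker-build-scan-push
      - go-build
    if: ${{ needs.go-build.outputs.release == 'true' }}
    env:
      PRERELEASE_TAG: '${{ needs.go-build.outputs.semver }}-${{ github.sha }}'
      RELEASE_TAG: ${{ needs.go-build.outputs.semver }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: Import GPG Key
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_tag_gpgsign: true
      - name: Git Configuration
        run: |
          git config --global user.email "${GIT_CI_EMAIL}"
          git config --global user.name "${GIT_CI_USERNAME}"
          # Redundant with git_commit_gpgsign above; harmless.
          git config --global commit.gpgsign true
      - name: Tag and Push
        # One `git tag -s` creates the annotated, signed tag in a single step.
        # Two separate `git tag` calls on the same name would make the second
        # one fail, since git refuses to overwrite an existing tag without -f.
        run: |
          git tag -s "${RELEASE_TAG}" -m "${RELEASE_TAG}"
          git push origin "${RELEASE_TAG}"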