.github/workflows/ci-cd.yaml

name: CI-CD

on:
  push:
    paths-ignore: ['**.md', '.vscode/**','docs/**','docker/**','.clabot']
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
    paths-ignore: ['**.md', '.vscode/**','docs/**','docker/**']
  
env:
  DOTNET_VERSION: '8.0.x'
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  # Use docker.io for Docker Hub if empty
  REGISTRY_DOCKERHUB: docker.io
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
  # Use `latest` as the tag to compare to if empty, assuming that it's already pushed
  COMPARE_TAG: latest
    # Base for the PR
  BASE_REPO: ${{ github.event.pull_request.base.repo.clone_url }}
  # Repository of PR
  PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.clone_url }}

jobs:
  build_test_package:
    runs-on: ubuntu-latest

# Service containers to run with `runner-job`
    services:
      # posgres db service
      postgres:
        # Docker Hub image
        image: postgres:15-alpine
        # Provide the password for postgres
        env:
          POSTGRES_USER: postgres
          #POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
          POSTGRES_HOST_AUTH_METHOD: trust
          POSTGRES_DB: whmappertest 
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432

      # redis service
      redis:
        image: redis:7-alpine
        ports:
          - 6379:6379
    steps:
      - name: Setup JDK 17 🦴
        uses: actions/setup-java@v4
        with:
          distribution: 'oracle'
          java-version: 17

      - name: Setup .NET8 🦴
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{env.DOTNET_VERSION}}

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          lfs: true
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0

      # if external PR
      - name: Build For external PR🚀
        if: ${{ env.BASE_REPO != env.PR_HEAD_REPO }}
        run: dotnet build src/WHMapper -c Release

      - name: Test For external PR🧪
        if: ${{ env.BASE_REPO != env.PR_HEAD_REPO }}
        env:
          ConnectionStrings__DatabaseConnection: "server=localhost;port=5432;database=whmappertest;User Id=postgres;"
          ConnectionStrings__RedisConnection: "localhost:6379"
        run: dotnet test src/WHMapper.Tests -c Release
           
      - name: Install SonarCloud scanners
        if: ${{ env.BASE_REPO == env.PR_HEAD_REPO }}
        run: |
          dotnet tool install --global dotnet-sonarscanner
          dotnet tool install --global dotnet-coverage
      - name: SonarCloud Build and Analyze 🚀 🧪
        if: ${{ env.BASE_REPO == env.PR_HEAD_REPO }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          ConnectionStrings__DatabaseConnection: "server=localhost;port=5432;database=whmappertest;User Id=postgres;"
          ConnectionStrings__RedisConnection: "localhost:6379"
        run: |
          dotnet sonarscanner begin /k:"pfh59_eve-whmapper" /o:"pfh59" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml /d:sonar.verbose=false
          dotnet build src/WHMapper -c Release
          dotnet coverage collect "dotnet test src/WHMapper.Tests -c Release" -f xml -o "coverage.xml"
          dotnet sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

      - name: Generate Artifact
        if: github.event_name != 'pull_request'
        run: | 
          dotnet publish src/WHMapper/WHMapper.csproj -c Release -r linux-x64 --nologo --output ./release/linux-x64
          dotnet publish src/WHMapper/WHMapper.csproj -c Release -r linux-arm --nologo --output ./release/linux-arm
          dotnet publish src/WHMapper/WHMapper.csproj -c Release -r win-x64 --nologo --output ./release/win-x64
          
      - name: Upload Linux x64 Artifact
        if: github.event_name != 'pull_request'
        uses: actions/upload-artifact@v4
        with:
          name: WHMapper.linux-x64
          path: |
            /home/runner/work/eve-whmapper/eve-whmapper/release/linux-x64/
            !/home/runner/work/eve-whmapper/eve-whmapper/release/linux-x64/*.pdb
          if-no-files-found: error

      - name: Upload Linux arm Artifact
        if: github.event_name != 'pull_request'
        uses: actions/upload-artifact@v4
        with:
          name: WHMapper.linux-arm
          path: |
            /home/runner/work/eve-whmapper/eve-whmapper/release/linux-arm/
            !/home/runner/work/eve-whmapper/eve-whmapper/release/linux-arm/*.pdb
          if-no-files-found: error

      - name: Upload Windows x64 Artifact
        if: github.event_name != 'pull_request'
        uses: actions/upload-artifact@v4
        with:
          name: WHMapper.windows-x64
          path: |
            /home/runner/work/eve-whmapper/eve-whmapper/release/win-x64/
            !/home/runner/work/eve-whmapper/eve-whmapper/release/win-x64/*.pdb
          if-no-files-found: error

  build_test_docker_image:
    if: github.event.pull_request.base.repo.clone_url == github.event.pull_request.head.repo.clone_url
    #https://docs.docker.com/scout/integrations/ci/gha/
    runs-on: ubuntu-latest
    needs: [build_test_package]
    permissions:
      packages: write
      contents: read
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ env.SHA }}
          lfs: true
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3

      # Extract metadata (tags, labels) for Docker
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.authors=${{ github.actor }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Authenticate to registry ${{ env.REGISTRY_DOCKERHUB }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY_DOCKERHUB }}
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: ./src/WHMapper/
          sbom: ${{ github.event_name != 'pull_request' }}
          provenance: ${{ github.event_name != 'pull_request' }}
          push: ${{ github.event_name != 'pull_request' }}
          load: ${{ github.event_name == 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      
      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ steps.meta.outputs.tags }}
          to: ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment


  prepare_docker_image_docker_io:
    if: github.event_name != 'pull_request' #PUSH only on merging
    needs: [build_test_package,build_test_docker_image]
    permissions:
      id-token: write
      packages: write
      contents: read

    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV   

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          lfs: true
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      
          # Add support for more platforms with QEMU (optional)
      # https://github.com/docker/setup-qemu-action
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
         
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Authenticate to registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for ${{ env.REGISTRY }}
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.authors=${{ github.actor }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
          flavor: |
            latest=false

      - name: Build and push to ${{ env.REGISTRY }} by digest
        id: build
        uses: docker/build-push-action@v5
        with:
          context: ./src/WHMapper/
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
            
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  merge_docker_image_docker_io:
    if: github.event_name != 'pull_request' #PUSH only on merging
    needs: [prepare_docker_image_docker_io]
    runs-on: ubuntu-latest
    steps:
      -
        name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.authors=${{ github.actor }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
          flavor: |
            latest=false
      
      - name: Authenticate to registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)          
      -
        name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}          

  release_docker_image_docker_hub:
    if: github.event_name != 'pull_request' #PUSH only on merging
    needs: [build_test_package,build_test_docker_image]
    permissions:
      id-token: write
      packages: write
      contents: read

    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          lfs: true
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Authenticate to registry ${{ env.REGISTRY_DOCKERHUB }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY_DOCKERHUB }}
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}    

      - name: Extract metadata (tags, labels) for ${{ env.REGISTRY_DOCKERHUB }}
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.authors=${{ github.actor }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
          flavor: |
            latest=false

      - name: Build and push to ${{ env.REGISTRY_DOCKERHUB }}
        uses: docker/build-push-action@v5
        with:
          context: ./src/WHMapper/
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
      
      