.github/workflows/ci.yaml

name: Continuous integration

on:
  push:
  pull_request:
    types: [ opened, reopened, synchronize ]
  workflow_dispatch:

jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04

    permissions:
      contents: write # tests create releases
      packages: read

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
      - name: Set up Go
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # ratchet:actions/setup-go@v5.1.0
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true

      - name: Get dependencies
        run: make download

      - name: Lint
        run: |
          result="$(make  lint)"
          echo "$result"
          [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0

      - name: Build
        run: make build

      - name: Test
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make test-race

      - name: Coverage
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make coverage-out

      - name: Upload Code Coverage
        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # ratchet:codecov/codecov-action@v4.5.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true

  release:
    name: release
    needs: [build]

    permissions:
      contents: write
      packages: write
      id-token: write

    outputs:
      container_digest: ${{ steps.container_info.outputs.container_digest }}
      container_tags: ${{ steps.container_info.outputs.container_tags }}
      container_repos: ${{ steps.container_info.outputs.container_repos }}

    runs-on: ubuntu-20.04

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # ratchet:actions/setup-go@v5.1.0
        with:
          go-version-file: ./go.mod
          check-latest: true
          cache: true

      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # ratchet:anchore/sbom-action/download-syft@v0.17.7
      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Set release variables
        id: release-vars
        run: |
          make release-vars > /tmp/spiffe-vault-release-vars.env
          source /tmp/spiffe-vault-release-vars.env
          if [[ -n "$LDFLAGS" ]]; then
            echo "LDFLAGS=$LDFLAGS" >> $GITHUB_OUTPUT
          fi
          if [[ -n "$GIT_HASH" ]]; then
            echo "GIT_HASH=$GIT_HASH" >> $GITHUB_OUTPUT
          fi
          rm -f /tmp/spiffe-vault-release-vars.env

      - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # ratchet:goreleaser/goreleaser-action@v4
        with:
          version: latest
          args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
          GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Get container info
        id: container_info
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          export CONTAINER_DIGEST="$(make container-digest GITHUB_REF=${{ github.ref_name }})"
          echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT
          echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT
          echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io

  sbom:
    name: sbom
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"

    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # ratchet:anchore/sbom-action/download-syft@v0.17.7
      - name: Login to Container registries
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Attach SBOM
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          IFS=,
          for t in ${TAGS}; do
            cosign verify --key cosign.pub ${{ matrix.repo }}:${t}
            syft ${{ matrix.repo }}:${t} -o spdx-json > sbom-spdx.json
            cosign attest --predicate sbom-spdx.json --type spdx --yes --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}:${t}
            cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t}
          done

      - name: Clean up & Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io

  provenance:
    name: provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04

    steps:
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/slsa-provenance-action@v0.9.0
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Sign provenance
        run: |
          cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"

          curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"

          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          SIGNATURE: provenance.att.sig

  container-provenance:
    name: container-provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04

    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Generate provenance for ${{ matrix.repo }}
        uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/slsa-provenance-action@v0.9.0
        with:
          command: generate
          subcommand: container
          arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Get slsa-provenance predicate
        run: |
          cat provenance.att | jq .predicate > provenance-predicate.att

      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Attach provenance to image
        run: |
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --yes --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

      - name: Verify attestation
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io