at_server.yaml

name: at_server
# Runs the workflow on the below events:
# 1. on pull request raised to trunk branch.
# 2. on push event to trunk branch.
# 3. on tagging a release
on:
  push:
    tags:
      - 'v*.*.*'
      - 'c*.*.*'
    branches:
      - trunk
  pull_request:
    branches:
      - trunk

env:
  proot-working-directory: ./packages/at_persistence_root_server
  root-working-directory: ./packages/at_root_server
  psecondary-working-directory: ./packages/at_persistence_secondary_server
  secondary-working-directory: ./packages/at_secondary_server
  ftest-working-directory: ./tests/at_functional_test
  e2etest-working-directory: ./tests/at_end2end_test
  install-pkam-working-directory: ./tools/build_virtual_environment/install_PKAM_Keys

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  unit_tests:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      contents: write  # IMPORTANT: mandatory for making GitHub Releases
      id-token: write  # IMPORTANT: mandatory for sigstore
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        dart-channel: [stable,beta]

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
        with:
          sdk: ${{ matrix.dart-channel}}

      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          go-version: 'stable'
          cache-dependency-path: tools/osv-scanner/go.sum

      # Runs dart lint rules and unit tests on at_persistence_root_server
      - name: Install dependencies in at_persistence_root_server
        working-directory: ${{ env.proot-working-directory }}
        run: dart pub get

      - name: Run dart analyzer in at_persistence_root_server
        working-directory: ${{ env.proot-working-directory }}
        run: dart analyze

      - name: Run tests in at_persistence_root_server
        working-directory: ${{ env.proot-working-directory }}
        run: dart test --concurrency=1

      # Runs dart lint rules and unit tests on at_root_server
      - name: Install dependencies in at_root_server
        working-directory: ${{ env.root-working-directory }}
        run: dart pub get

      - name: Run dart analyzer in at_root_server
        working-directory: ${{ env.root-working-directory }}
        run: dart analyze

      - name: Run tests in at_root_server
        working-directory: ${{ env.root-working-directory }}
        run: dart test --concurrency=1

      - name: Install dependencies in at_persistence_secondary_server
        working-directory: ${{ env.psecondary-working-directory }}
        run: dart pub get

      - name: Run dart analyzer in at_persistence_secondary_server
        working-directory: ${{ env.psecondary-working-directory }}
        run: dart analyze

      - name: Run tests in at_persistence_secondary_server
        working-directory: ${{ env.psecondary-working-directory }}
        run: dart test --concurrency=1

      # Runs dart lint rules and unit tests on at_secondary_server
      - name: Install dependencies in at_secondary_server
        working-directory: ${{ env.secondary-working-directory }}
        run: dart pub get

      - name: Run dart analyzer in at_secondary_server
        working-directory: ${{ env.secondary-working-directory }}
        run: dart analyze

      - name: Run tests in at_secondary_server, with coverage
        working-directory: ${{ env.secondary-working-directory }}
        run: dart test --concurrency=1 --coverage="coverage"

      # Runs osv-scanner to find any vulnerable Dart dependencies
      # It needs to look at pubspec.lock files, which is why it's
      # placed here, as the `dart pub get` above will create them
      - name: Run osv-scanner
        run: |
          go install github.com/google/osv-scanner/cmd/osv-scanner@6316373e47d7e3e4b4fd3630c4bbc10987738de6 # v1.4.3
          osv-scanner --lockfile=${{ env.proot-working-directory }}/pubspec.lock
          osv-scanner --lockfile=${{ env.root-working-directory }}/pubspec.lock
          osv-scanner --lockfile=${{ env.psecondary-working-directory }}/pubspec.lock
          osv-scanner --lockfile=${{ env.secondary-working-directory }}/pubspec.lock

      # Generating SBOMs also needs pubspec.lock
      # Only run on stable channel
      - if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }}
        name: Create sbom folder
        run: mkdir sboms        
      - if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }}
        name: Generate atDirectory SBOM
        uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
        env:
          TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
          COMPONENT_ID: '3hQHrn8mwK'
          LOCK_FILE: ${{ env.root-working-directory }}/pubspec.lock
          SBOM_VERSION: ${{github.ref_name}}
          OUTPUT_FILE: 'sboms/atdirectory-gha${{github.run_number}}-sbom.cdx.json'
          AUGMENT: true
          ENRICH: true
          UPLOAD: true
      - if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }}
        name: Generate atServer SBOM
        uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0
        env:
          TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
          COMPONENT_ID: 'wF66pn8rHZ'
          LOCK_FILE: ${{ env.secondary-working-directory }}/pubspec.lock
          SBOM_VERSION: ${{github.ref_name}}
          OUTPUT_FILE: 'sboms/atserver-gha${{github.run_number}}-sbom.cdx.json'
          AUGMENT: true
          ENRICH: true
          UPLOAD: true
      - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
        name: Rename SBOMs to use release tag
        run: |
          cd sboms
          mv atdirectory-gha${{github.run_number}}-sbom.cdx.json \
            atdirectory-${{github.ref_name}}-sbom.cdx.json
          mv atserver-gha${{github.run_number}}-sbom.cdx.json \
            atserver-${{github.ref_name}}-sbom.cdx.json
      - if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }}
        name: Generate SHA256 checksums
        working-directory: sboms
        run: sha256sum * > checksums.txt
      - if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }}
        name: Upload SBOMs
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: SBOMs
          path: sboms/**
      - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
        name: Upload artifacts to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
        # Upload to GitHub Release using the `gh` CLI.
        # `dist/` contains the built packages, and the
        # sigstore-produced signatures and certificates.
        run: >-
          gh release upload
          '${{ github.ref_name }}' sboms/**
          --repo '${{ github.repository }}'
      - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
        id: hash
        name: Pass artifact hashes for SLSA provenance
        working-directory: sboms
        run: |
          echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
      - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          subject-path: 'sboms/**'

#     Commenting out for now, need to investigate and fix but there are hotter fires burning right now
#      - name: Convert coverage to LCOV format
#        working-directory: ${{ env.secondary-working-directory }}
#        run: dart pub run coverage:format_coverage --lcov --in=coverage --out=coverage.lcov --packages=.packages --report-on=lib
#
#      - name: Upload coverage to Codecov
#        uses: codecov/codecov-action@v3.1.0
#        with:
#          token: ${{secrets.CODECOV_TOKEN_AT_SERVER}}
#          file: ${{ env.secondary-working-directory }}/coverage.lcov

  sbom_provenance:
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs: [unit_tests]
    permissions:
      actions: read # Needed for detection of GitHub Actions environment.
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # 5a775b367a56d5bd118a224a811bba288150a563
    with:
      base64-subjects: "${{ needs.unit_tests.outputs.hashes }}"
      upload-assets: true

  # Runs functional tests on at_secondary.
  # If tests are successful, uploads root server and secondary server binaries for subsequent jobs
  functional_tests:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        dart-channel: [stable,beta]

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
        with:
          sdk: ${{ matrix.dart-channel}}

      - name: Install dependencies
        working-directory: ${{ env.ftest-working-directory }}
        run: dart pub get

      - name: Run dart analyzer
        working-directory: ${{ env.ftest-working-directory }}
        run: dart analyze

      - name: Add entry to hosts file
        run: echo "127.0.0.1    vip.ve.atsign.zone" | sudo tee -a /etc/hosts

      - name: Generate secondary server binary
        working-directory: ${{ env.secondary-working-directory }}
        run: dart pub get && dart compile exe bin/main.dart -o secondary

      - name: copy secondary to tools/build_virtual_environment/ve
        run: |
          cp packages/at_secondary_server/secondary tools/build_virtual_environment/ve/contents/atsign/secondary/
          cp packages/at_secondary_server/pubspec.yaml tools/build_virtual_environment/ve/contents/atsign/secondary/
          chmod 755 tools/build_virtual_environment/ve/contents/atsign/secondary/secondary
          ls -laR tools/build_virtual_environment/ve/*

      - name: Build docker image
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          file: tools/build_virtual_environment/ve/Dockerfile
          context: tools/build_virtual_environment/ve
          tags: at_virtual_env:trunk

      - name: Run docker container
        # -d: run container in detached mode. --rm: remove container on stop -p: bind ports to host
        run: docker run -d --rm --name at_virtual_env_cont -e testingMode="true" -p 6379:6379 -p 25000-25019:25000-25019 -p 64:64 at_virtual_env:trunk

      - name: Check docker readiness to load PKAM keys
        working-directory: ${{ env.ftest-working-directory }}
        run: dart run test/check_docker_readiness.dart

      - name: Check root server readiness to load PKAM keys
        working-directory: ${{ env.ftest-working-directory }}
        run: dart run test/check_root_server_readiness.dart

      # Set PKAM keys to the atsign's
      - name: Load PKAM Keys
        working-directory: ${{ env.install-pkam-working-directory }}
        run: |
          dart pub get
          dart bin/install_PKAM_Keys.dart


      # could save around 4s here using a compiled binary
      - name: Check test environment readiness
        working-directory: ${{ env.ftest-working-directory }}
        run: dart run test/check_test_env.dart

      - name: Run tests
        working-directory: ${{ env.ftest-working-directory }}
        run: dart run test --concurrency=1

      # On push event, upload secondary server binary
      - name: upload secondary server
        if: ${{ github.event_name == 'push' && matrix.dart-channel == 'stable' }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: secondary-server
          path: packages/at_secondary_server/secondary

      - name: Stop docker container
        run: docker container stop at_virtual_env_cont

      # Remove image created for at_virtual_env:trunk for running functional tests in pipeline.
      - name: Remove docker image
        run: docker rmi at_virtual_env:trunk


  end2end_test_prep:
    # Don't run on PRs from a fork or Dependabot as the secrets aren't available
    if: ${{ github.event.pull_request.head.repo.fork == false && github.actor != 'dependabot[bot]'}}
    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Place run number into version within pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the secondary server image to docker hub.
      - name: Build and push secondary image for x64
        id: docker_build_secondary
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          provenance: false
          file: tools/build_secondary/Dockerfile
          context: .
          tags: |
            atsigncompany/secondary:dess_cicd
            atsigncompany/secondary:cicd-${{ env.BRANCH }}-gha${{ github.run_number }}
          platforms: |
            linux/amd64

      # Logs into CICD VMs and runs script to update to just pushed image
      - name: update image on cicd VMs
        uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
        with:
          host: "cicd1.atsign.wtf,cicd2.atsign.wtf"
          username: ubuntu
          key: ${{ secrets.CICD_SSH_KEY }}
          script: |
            scriptURL="https://raw.githubusercontent.com/atsign-foundation/at_server/trunk/tools/${HOSTNAME}/update_image.sh"
            echo "$scriptURL"
            wget -q -O update_image.sh "$scriptURL"
            ./update_image.sh

# The job runs end-to-end tests between the @cicd1[trunk] and @cicd2[trunk] secondaries
  end2end_test_12:
    needs: [ end2end_test_prep ]
    concurrency: cicd12
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v 1.6.5
        with:
          sdk: stable

      - name: Install dependencies
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart pub get

      # Create demo_data.dart from CICD_DATA_DART secret
      - name: Get CICD keys into place
        run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart

      # Put config file in place
      - name: Config for @cicd1/2
        run:  mv tests/at_end2end_test/config/config12.yaml tests/at_end2end_test/config/config.yaml

      # Run end-to-end test
      - name: end-to-end test
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart test --concurrency=1

# The job runs end-to-end tests between the @cicd3[trunk] and @cicd4[prod] secondaries
  end2end_test_34:
    needs: [ end2end_test_prep ]
    concurrency: cicd34
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
        with:
          sdk: stable

      - name: Install dependencies
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart pub get

      # Create demo_data.dart from CICD_DATA_DART secret
      - name: Get CICD keys into place
        run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart

      # Put config file in place
      - name: Config for @cicd3/4
        run:  mv tests/at_end2end_test/config/config34.yaml tests/at_end2end_test/config/config.yaml

      # Run end-to-end test
      - name: end-to-end test
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart test --concurrency=1

# The job runs end-to-end tests between the @cicd5[prod] and @cicd6[trunk] secondaries
  end2end_test_56:
    needs: [ end2end_test_prep ]
    concurrency: cicd56
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
        with:
          sdk: stable

      - name: Install dependencies
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart pub get

      # Create demo_data.dart from CICD_DATA_DART secret
      - name: Get CICD keys into place
        run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart

      # Put config file in place
      - name: Config for @cicd5/6
        run:  mv tests/at_end2end_test/config/config56.yaml tests/at_end2end_test/config/config.yaml

      # Run end-to-end test
      - name: end-to-end test
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart test --concurrency=1

# The job runs end-to-end tests between the staging run time secondaries
  end2end_test_staging:
    needs: [ end2end_test_prep ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout at_server repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Create atSigns
        id: atsign_names
        run: |
          AT_SIGN_1_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/get-atsign/' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' -w '%{http_code}' -o at_sign_1_resp.json)
          AT_SIGN_2_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/get-atsign/' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' -w '%{http_code}' -o at_sign_2_resp.json)
          if [ $AT_SIGN_1_RESP -eq 200 ] && [ $AT_SIGN_2_RESP -eq 200 ]; then
            AT_SIGN_1=$(cat at_sign_1_resp.json |  jq -r '.value.atSign')
            AT_SIGN_1_KEY=$(cat at_sign_1_resp.json |  jq -r '.value.ActivationKey')
            AT_SIGN_2=$(cat at_sign_2_resp.json |  jq -r '.value.atSign')
            AT_SIGN_2_KEY=$(cat at_sign_2_resp.json |  jq -r '.value.ActivationKey')    
            echo "AT_SIGN_1: $AT_SIGN_1"
            echo "AT_SIGN_1_KEY: $AT_SIGN_1_KEY"
            echo "AT_SIGN_2: $AT_SIGN_2" 
            echo "AT_SIGN_2_KEY: $AT_SIGN_2_KEY"
            echo "AT_SIGN_1=$(echo $AT_SIGN_1)" >> $GITHUB_OUTPUT
            echo "AT_SIGN_1_KEY=$(echo $AT_SIGN_1_KEY)" >> $GITHUB_OUTPUT
            echo "AT_SIGN_2=$(echo $AT_SIGN_2)" >> $GITHUB_OUTPUT  
            echo "AT_SIGN_2_KEY=$(echo $AT_SIGN_2_KEY)" >> $GITHUB_OUTPUT                  
          else
            echo "Error fetching atsign name"
            exit 1
          fi

      - name: Install Dart
        uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
        with:
          sdk: stable

      - name: Install dependencies
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart pub get

      - name: Cloning at_libraries
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: atsign-foundation/at_libraries
          path: at_libraries
          ref: trunk

      - name: Cloning at_tools
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: atsign-foundation/at_tools
          path: at_tools
          ref: trunk

      - name: Fetch Cram Keys
        id: cram_keys
        env:
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} 
          AT_SIGN_1_KEY: ${{ steps.atsign_names.outputs.AT_SIGN_1_KEY }} 
          AT_SIGN_2_KEY: ${{ steps.atsign_names.outputs.AT_SIGN_2_KEY }} 
        run: |     
          for try in {1..5}; do
            CRAM_1_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/activate-atsign' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' --data-raw "{\"atSign\":\"$AT_SIGN_1\",\"ActivationKey\":\"$AT_SIGN_1_KEY\"}"  -w '%{http_code}' -o cram_1_resp.json)
            CRAM_2_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/activate-atsign' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' --data-raw "{\"atSign\":\"$AT_SIGN_2\",\"ActivationKey\":\"$AT_SIGN_2_KEY\"}"  -w '%{http_code}' -o cram_2_resp.json)
            if [ $CRAM_1_RESP -eq 200 ] && [ $CRAM_2_RESP -eq 200 ]; then
              CRAM_KEY_1=$(cat cram_1_resp.json | jq -r '.cramkey' | sed 's/^[ \t]*//;s/[ \t]*$//' | cut -d':' -f2)
              CRAM_KEY_2=$(cat cram_2_resp.json | jq -r '.cramkey' | sed 's/^[ \t]*//;s/[ \t]*$//' | cut -d':' -f2)
              echo "CRAM_KEY_1: $CRAM_KEY_1"
              echo "CRAM_KEY_2: $CRAM_KEY_2"
              echo "CRAM_KEY_1=$(echo $CRAM_KEY_1)" >> $GITHUB_OUTPUT
              echo "CRAM_KEY_2=$(echo $CRAM_KEY_2)" >> $GITHUB_OUTPUT
              break
            else
              echo "Error fetching Cram Keys on attempt ${try}"
              if [ $try -eq 5 ]; then
                echo "Tried 5 times. Quitting."
                exit 1
              fi
            fi
            sleep 20
          done  

      - name: Fetch atSign Hostname
        id: atsign_hosts
        env:
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }}
        run: |  
          for try in {1..5}; do
            AT_SIGN_1_HOST_RESP=$(./tools/scripts/staging_root_lookup.sh $AT_SIGN_1)
            AT_SIGN_2_HOST_RESP=$(./tools/scripts/staging_root_lookup.sh $AT_SIGN_2)
            if [ ! -z "$AT_SIGN_1_HOST_RESP" ] && [ ! -z "$AT_SIGN_2_HOST_RESP" ]; then
              AT_SIGN_1_HOST=$(echo $AT_SIGN_1_HOST_RESP | cut -d':' -f1)
              AT_SIGN_1_PORT=$(echo $AT_SIGN_1_HOST_RESP | cut -d':' -f2 | sed 's/\s*$//')
              AT_SIGN_2_HOST=$(echo $AT_SIGN_2_HOST_RESP | cut -d':' -f1)
              AT_SIGN_2_PORT=$(echo $AT_SIGN_2_HOST_RESP | cut -d':' -f2 | sed 's/\s*$//')
              echo "AT_SIGN_1_HOST: $AT_SIGN_1_HOST"
              echo "AT_SIGN_1_PORT: $AT_SIGN_1_PORT"
              echo "AT_SIGN_2_HOST: $AT_SIGN_2_HOST"
              echo "AT_SIGN_2_PORT: $AT_SIGN_2_PORT"
              echo "AT_SIGN_1_HOST=$(echo $AT_SIGN_1_HOST)" >> $GITHUB_OUTPUT
              echo "AT_SIGN_1_PORT=$(echo $AT_SIGN_1_PORT)" >> $GITHUB_OUTPUT   
              echo "AT_SIGN_2_HOST=$(echo $AT_SIGN_2_HOST)" >> $GITHUB_OUTPUT
              echo "AT_SIGN_2_PORT=$(echo $AT_SIGN_2_PORT)" >> $GITHUB_OUTPUT
              break                                        
            else
              echo "Error fetching atSigns Hostname and Port on attempt ${try}"
              if [ $try -eq 5 ]; then
                echo "Tried 5 times. Quitting."
                exit 1
              fi
            fi
            sleep 20
          done
      
      - name: Check Connection 
        env:   
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} 
          AT_SIGN_1_HOST: ${{ steps.atsign_hosts.outputs.AT_SIGN_1_HOST }} 
          AT_SIGN_1_PORT: ${{ steps.atsign_hosts.outputs.AT_SIGN_1_PORT }}
          AT_SIGN_2_HOST: ${{ steps.atsign_hosts.outputs.AT_SIGN_2_HOST }} 
          AT_SIGN_2_PORT: ${{ steps.atsign_hosts.outputs.AT_SIGN_2_PORT }}
        run: |      
          for try in {1..5}; do
            HOST_1_STATUS=$(./tools/scripts/staging_atsign_info.sh $AT_SIGN_1_HOST:$AT_SIGN_1_PORT)
            HOST_2_STATUS=$(./tools/scripts/staging_atsign_info.sh $AT_SIGN_2_HOST:$AT_SIGN_2_PORT)
            echo "atSign1 status : $HOST_1_STATUS" 
            echo "atsign2 status : $HOST_2_STATUS"
            if [ ! -z "$HOST_1_STATUS" ] && [ ! -z "$HOST_2_STATUS" ]; then
              sed -i "s/ATSIGN_1_NAME/@$AT_SIGN_1/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml
              sed -i "s/ATSIGN_1_PORT/$AT_SIGN_1_PORT/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml
              sed -i "s/ATSIGN_1_HOST/$AT_SIGN_1_HOST/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml
              sed -i "s/ATSIGN_2_NAME/@$AT_SIGN_2/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml
              sed -i "s/ATSIGN_2_PORT/$AT_SIGN_2_PORT/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml
              sed -i "s/ATSIGN_2_HOST/$AT_SIGN_2_HOST/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml  
              mv tests/at_end2end_test/config/config-e2e_test_runtime.yaml tests/at_end2end_test/config/config.yaml                       
              cat tests/at_end2end_test/config/config.yaml 
              echo "Connection successfull"
              break
            else
              echo "Connection error on attempt ${try}"
              if [ $try -eq 5 ]; then
                echo "Tried 5 times. Quitting."
                exit 1
              fi
            fi
            sleep $((try * 20))
          done
  
      - name: Activating atsign    
        env:
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }}         
          CRAM_KEY_1: ${{ steps.cram_keys.outputs.CRAM_KEY_1 }} 
          CRAM_KEY_2: ${{ steps.cram_keys.outputs.CRAM_KEY_2 }} 
        run: |
          mkdir -p /home/runner/.atsign/keys
          ls -lrth at_libraries
          cd at_libraries/packages/at_onboarding_cli/
          dart pub get
          dart run bin/activate_cli.dart -a @$AT_SIGN_1 -c $CRAM_KEY_1 -r root.atsign.wtf
          dart run bin/activate_cli.dart -a @$AT_SIGN_2 -c $CRAM_KEY_2 -r root.atsign.wtf

      - name: Generate the at_demo_data.dart    
        run: |
          cd at_tools/packages/at_dump_atKeys/
          dart pub get
          dart bin/generate_at_demo_data.dart -d /home/runner/.atsign/keys/ -p pkam   
          cp at_demo_data.dart ../../../${{ env.e2etest-working-directory }}/test

      - name: End-to-end test
        working-directory: ${{ env.e2etest-working-directory }}
        run: dart test --concurrency=1               
        
      - name: Delete atSigns
        if: always() # Always try to clear up atSigns even if an earlier step has failed.
        env:
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} 
        run: |
          delete_atSign() {
            curl -s --location --request POST 'https://infrastructure-api-b.dev.atsign.cloud/api/infrastructure/delete' \
            --header 'Authorization: ${{secrets.NODE_API_DELETE}}' \
            --header 'Content-Type: application/json' \
            --data-raw '{
                "atsign" : "'$1'"
            }'
          }
          delete_atSign "$AT_SIGN_1"
          delete_atSign "$AT_SIGN_2"

      - name: Check that atSigns have been deleted
        env:
          AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }}   
          AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} 
        # TODO if this step fails then it should do a gChat notification rather than exit 1
        # TODO this only checks that entry has been removed from root
        run: |  
          sleep 20
          AT_SIGN_1_HOST_RESP=$((echo $AT_SIGN_1; sleep 1) | openssl s_client -connect root.atsign.wtf:64 2>/dev/null | grep --color=none "^@.*:" | cut -d'@' -f2)
          AT_SIGN_2_HOST_RESP=$((echo $AT_SIGN_2; sleep 1) | openssl s_client -connect root.atsign.wtf:64 2>/dev/null | grep --color=none "^@.*:" | cut -d'@' -f2)
          if [ -z "$AT_SIGN_1_HOST_RESP" ] && [ -z "$AT_SIGN_2_HOST_RESP" ]; then
            echo "atSigns deleted successfully"
          else
            echo "atSigns still exist"
            exit 1
          fi          

  # This job runs on trigger event 'push' to trunk branch.
  # The job builds the staging version of at_virtual_env and pushes the image to docker hub.
  push_staging_virtual_env_images:
    # Runs only after functional tests are completed.
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }}
    environment: staging
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Place run number into version within pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      # Extract branch for docker tag
      - name: Get branch name
        run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the at_virtual_env to docker hub.
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          file: tools/build_virtual_environment/ve/Dockerfile.vip
          context: .
          push: true
          provenance: false
          tags: |
            atsigncompany/virtualenv:dev_env
            atsigncompany/virtualenv:${{ env.BRANCH }}-gha${{ github.run_number }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Image digest of at_virtual_env
        run: echo ${{ steps.docker_build_trunk.outputs.digest }}

  # This job run's on trigger event 'push' to trunk branch.
  # The job builds the staging version of secondary server image and pushes to docker hub.
  # The job runs on completion of 'run_end2end_tests' job.
  push_staging_secondary_image:
    # Runs only after full test suite has completed.
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }}
    environment: staging
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Place run number into version within pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      # Extract branch for docker tag
      - name: Get branch name
        run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the secondary server image to docker hub.
      - name: Build and push secondary image for amd64 and arm64
        id: docker_build_secondary
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          provenance: false
          file: tools/build_secondary/Dockerfile
          context: .
          tags: |
            atsigncompany/secondary:dev_env
            atsigncompany/secondary:dess_wtf
            atsigncompany/secondary:dev_env-${{ env.BRANCH }}-gha${{ github.run_number }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Image digest of secondary server
        run: echo ${{ steps.docker_build_secondary.outputs.digest }}

  # This job run's on trigger event 'push' to trunk branch.
  # The job builds the staging version of observable secondary server image and pushes to docker hub.
  # The job runs on completion of 'run_end2end_tests' job.
  push_staging_observable_secondary_image:
    # Runs only after full test suite has completed.
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }}
    environment: staging
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Place run number into version within pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      # Extract branch for docker tag
      - name: Get branch name
        run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the secondary server image to docker hub.
      - name: Build and push secondary image for amd64 and arm64
        id: docker_build_observable_secondary
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          provenance: false
          file: tools/build_secondary/Dockerfile.observe
          context: .
          tags: |
            atsigncompany/secondary:dev_obs
            atsigncompany/secondary:dev_obs-${{ env.BRANCH }}-gha${{ github.run_number }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Image digest of secondary server
        run: echo ${{ steps.docker_build_observable_secondary.outputs.digest }}

  # The below jobs run's on completion of 'run_end2end_tests' job.
  # This job run's on trigger event 'push' and when a canary release is tagged.
  # The job builds the canary version of secondary server docker image and pushes to docker hub.
  push_canary_secondary_image:
    # Runs only after all tests are completed.
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/c') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.docker_build_secondary.outputs.digest }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Extract version for docker tag
      - name: Get version
        run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Place canary version into pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+${GITHUB_REF#refs/tags/}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the secondary server image to docker hub.
      - name: Build and push secondary image for amd64 and arm64
        id: docker_build_secondary
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          provenance: false
          file: tools/build_secondary/Dockerfile
          context: .
          tags: |
            atsigncompany/secondary:canary
            atsigncompany/secondary:canary-${{ env.VERSION }}
          platforms: |
            linux/amd64
            linux/arm64/v8
            linux/arm/v7

  provenance_canary_secondary_image:
    needs: [push_canary_secondary_image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: "atsigncompany/secondary"
      digest: ${{ needs.push_canary_secondary_image.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

  push_canary_virtualenv_image:
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/c') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.docker_build.outputs.digest }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Get version
        run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Place canary version into pubspec.yaml
        working-directory: ${{ env.secondary-working-directory }}
        run: |
          sed -i "0,/version/ s/version\:.*/&+${GITHUB_REF#refs/tags/}/" pubspec.yaml
          grep version pubspec.yaml | head -1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          file: tools/build_virtual_environment/ve/Dockerfile.vip
          context: .
          push: true
          provenance: false
          tags: |
            atsigncompany/virtualenv:canary
            atsigncompany/virtualenv:canary-${{ env.VERSION }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}

  provenance_canary_virtualenv_image:
    needs: [push_canary_virtualenv_image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: "atsigncompany/virtualenv"
      digest: ${{ needs.push_canary_virtualenv_image.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

  # The below jobs run's on completion of 'run_end2end_tests' job.
  # This job run's on trigger event 'push' and when a release is tagged.
  # The job builds the production version of secondary server docker image and pushes to docker hub.
  push_prod_secondary_image:
    # Runs only after all tests are completed.
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.docker_build_secondary.outputs.digest }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Extract version for docker tag
      - name: Get version
        run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Builds and pushes the secondary server image to docker hub.
      - name: Build and push secondary image for amd64 and arm64
        id: docker_build_secondary
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          provenance: false
          file: tools/build_secondary/Dockerfile
          context: .
          tags: |
            atsigncompany/secondary:prod
            atsigncompany/secondary:prod-${{ env.VERSION }}
            atsigncompany/secondary:dess
          platforms: |
            linux/amd64
            linux/arm64/v8
            linux/arm/v7

  provenance_prod_secondary_image:
    needs: [push_prod_secondary_image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: "atsigncompany/secondary"
      digest: ${{ needs.push_prod_secondary_image.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

  push_prod_virtualenv_image:
    needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ]
    if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.docker_build.outputs.digest }}
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          file: tools/build_virtual_environment/ve/Dockerfile.vip
          context: .
          push: true
          provenance: false
          tags: |
            atsigncompany/virtualenv:vip
            atsigncompany/virtualenv:at_server-gha${{ github.run_number }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}

      - name: Google Chat Notification
        uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1
        with:
          name: New Docker image for atsigncompany/virtualenv:vip
          url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }}
          status: ${{ job.status }}

  provenance_prod_virtualenv_image:
    needs: [push_prod_virtualenv_image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: "atsigncompany/virtualenv"
      digest: ${{ needs.push_prod_virtualenv_image.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}