.github/workflows/build.yml

name: Build Caph Image
# yamllint disable rule:line-length
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  # If the cache was cleaned we should re-build the cache with the latest commit
  workflow_run:
    workflows:
      - "Caph Image Cache Cleaner"
    branches:
      - main
    types:
      - completed
env:
  IMAGE_NAME: caph-staging
  REGISTRY: ghcr.io/syself
  metadata_flavor: latest=true
  metadata_tags: type=sha,prefix=sha-,format=short
permissions:
  contents: read
  packages: write
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write
jobs:
  manager-image:
    name: Build and push manager image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
      - uses: ./.github/actions/setup-go
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

      - name: Generate metadata
        id: meta
        uses: ./.github/actions/metadata
        with:
          metadata_flavor: ${{ env.metadata_flavor }}
          metadata_tags: ${{ env.metadata_tags }}

      - name: Login to ghcr.io for CI
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Install Bom
        shell: bash
        run: |
          curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.6.0/bom-amd64-linux -o bom
          sudo mv ./bom /usr/local/bin/bom
          sudo chmod +x /usr/local/bin/bom

      - name: Setup Env
        run: |
          DOCKER_BUILD_LDFLAGS="$(hack/version.sh)"
          echo 'DOCKER_BUILD_LDFLAGS<<EOF' >> $GITHUB_ENV
          echo $DOCKER_BUILD_LDFLAGS >> $GITHUB_ENV
          echo 'EOF' >> $GITHUB_ENV

      # Load Golang cache build from GitHub
      - name: Load Caph Golang cache build from GitHub
        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        id: cache
        with:
          path: /tmp/.cache/caph
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-caph-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-caph-
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
            ${{ runner.os }}-go-

      - name: Create Caph cache directory
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/caph

      # Import GitHub's cache build to docker cache
      - name: Copy Caph Golang cache to docker cache
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          provenance: false
          context: /tmp/.cache/caph
          file: ./images/cache/Dockerfile
          push: false
          platforms: linux/amd64
          target: import-cache

      - name: Build and push manager image
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
        id: docker_build_release
        with:
          provenance: false
          context: .
          file: ./images/caph/Dockerfile
          push: true
          build-args: |
            LDFLAGS=${{ env.DOCKER_BUILD_LDFLAGS }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64

      - name: Sign Container Images
        run: |
          cosign sign --yes ghcr.io/syself/caph-staging@${{ steps.docker_build_release.outputs.digest }}

      - name: Generate SBOM
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        run: |
          bom generate --format=json -o sbom_caph_staging_${{ steps.meta.outputs.version }}-spdx.json \
          --image=ghcr.io/syself/caph-staging:${{ steps.meta.outputs.version }}

      - name: Attach SBOM to Container Images
        run: |
          cosign attest --yes --type=spdxjson --predicate sbom_caph_staging_${{ steps.meta.outputs.version }}-spdx.json ghcr.io/syself/caph-staging@${{ steps.docker_build_release.outputs.digest }}

      - name: Sign SBOM Images
        run: |
          docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}"
          image_name="ghcr.io/syself/caph-staging:${docker_build_release_digest/:/-}.sbom"
          docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign --yes "ghcr.io/syself/caph-staging@${docker_build_release_sbom_digest}"

      - name: Image Releases digests
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "ghcr.io/syself/caph-staging:{{ steps.meta.outputs.tags }}@${{ steps.docker_build_release.outputs.digest }}" >> image-digest/caph.txt

      # Upload artifact digests
      - name: Upload artifact digests
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: image-digest caph
          path: image-digest
          retention-days: 90

      # Store docker's golang's cache build locally only on the main branch
      - name: Store Caph Golang cache build locally
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          provenance: false
          context: .
          file: ./images/cache/Dockerfile
          push: false
          outputs: type=local,dest=/tmp/docker-cache-caph
          platforms: linux/amd64
          target: export-cache

      # Store docker's golang's cache build locally only on the main branch
      - name: Store Caph Golang cache in GitHub cache path
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/caph/
          if [ -f /tmp/docker-cache-caph/tmp/go-build-cache.tar.gz ]; then
          cp /tmp/docker-cache-caph/tmp/go-build-cache.tar.gz /tmp/.cache/caph/
          fi
          if [ -f /tmp/docker-cache-caph/tmp/go-pkg-cache.tar.gz ]; then
          cp /tmp/docker-cache-caph/tmp/go-pkg-cache.tar.gz /tmp/.cache/caph/
          fi

      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          find -type f | sort | xargs -d '\n' cat