.github/workflows/release.yml

on:
  release:
    types: [published]

env:
  GITHUB_ACTION_TAG: ${{ github.ref_name }}  

jobs:
  build-amd64-digest:
    permissions:
      contents: read
      id-token: write
    runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
    steps:
    - name: Check out code
      uses: actions/checkout@v4

    - name: Set the ENV values
      id: get-Envs
      run: |
        echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"

    - name: Docker meta
      id: meta-amd64
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.REGISTRY_IMAGE }}

    - name: "Read secrets"
      uses: rancher-eio/read-vault-secrets@main
      with:
        secrets: |
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD

    - name: Build and push container image
      id: build-amd64
      uses: rancher/ecm-distro-tools/actions/publish-image@master
      env: 
        META_LABELS: ${{ steps.meta-amd64.outputs.labels }}
      with:
        image: hardened-calico
        tag: ${{ github.event.release.tag_name }}
        platforms: linux/amd64

        public-repo: rancher
        public-username: ${{ env.DOCKER_USERNAME }}
        public-password: ${{ env.DOCKER_PASSWORD }}

        prime-repo: rancher
        prime-registry: ${{ env.PRIME_REGISTRY }}
        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

    - name: Upload metadata files
      uses: actions/upload-artifact@v4
      with:
        name: metadata-amd64
        path: ${{ env.BUILDDIR}}
        if-no-files-found: error
        retention-days: 1


  build-arm64-digest:
    permissions:
      contents: read
      id-token: write
    runs-on: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }}
    steps:
    - name: Check out code
      uses: actions/checkout@v4

    - name: Set the ENV values
      id: get-Envs
      run: |
        echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"

    - name: Docker meta
      id: meta-arm64
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.REGISTRY_IMAGE }}

    - name: "Read secrets"
      uses: rancher-eio/read-vault-secrets@main
      with:
        secrets: |
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD

    - name: Build and push container image
      id: build-arm64
      uses: rancher/ecm-distro-tools/actions/publish-image@master
      env: 
        META_LABELS: ${{ steps.meta-arm64.outputs.labels }}
      with:
        image: hardened-calico
        tag: ${{ github.event.release.tag_name }}
        platforms: linux/arm64

        public-repo: rancher
        public-username: ${{ env.DOCKER_USERNAME }}
        public-password: ${{ env.DOCKER_PASSWORD }}

        prime-repo: rancher
        prime-registry: ${{ env.PRIME_REGISTRY }}
        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

    - name: Upload metadata files
      uses: actions/upload-artifact@v4
      with:
        name: metadata-arm64
        path: ${{ env.BUILDDIR}}
        if-no-files-found: error
        retention-days: 1

  merge:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    needs:
      - build-amd64-digest
      - build-arm64-digest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set the ENV values
        id: get-Envs
        run: |
          echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
          echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"

      - name: Download metadata dir
        uses: actions/download-artifact@v4
        with:
          path: ${{ env.BUILDDIR }}
          merge-multiple: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
      
      - name: "Read secrets"
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD

      - name: Create manifest list and push
        id: push-manifest
        uses: rancher/ecm-distro-tools/actions/publish-image@master
        env: 
          MULTI_ARCH: "amd64 arm64"
          DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
          REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
        with:
          make-target: manifest-push
          image: hardened-calico
          tag: ${{ github.event.release.tag_name }}

          public-repo: rancher
          public-username: ${{ env.DOCKER_USERNAME }}
          public-password: ${{ env.DOCKER_PASSWORD }}

          prime-repo: rancher
          prime-registry: ${{ env.PRIME_REGISTRY }}
          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}