.github/workflows/main.yaml

name: Build and Deploy Image

on:
  workflow_dispatch:
    inputs:
      service:
        description: 'Service to build and deploy'
        required: true
        default: ""
  push:
    branches:
      - inputs

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  GITHUB_IMAGE_REPO: ghcr.io/bcgov/dts-endorser-service/
  OPENSHIFT_IMAGE_REPO: image-registry.apps.silver.devops.gov.bc.ca/4a9599-tools/
  APP_NAMES: aries-endorser-agent,aries-endorser-db,aries-endorser-backup,aries-endorser-proxy,aries-endorser-api
  JSON_INPUT: ${{ github.event.inputs.service }}

jobs:
  build:
    if: (github.repository == 'bcgov/dts-endorser-service') || (github.event_name == 'workflow_dispatch' && github.event.inputs.service)
    name: Build Image
    permissions:
      packages: write
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - service: aries-endorser-agent
            GIT_REPO_URL: ${{ inputs.service.endoser-agent.git_repo_url || 'hyperledger/aries-endorser-service' }}
            GIT_REF:  ${{ inputs.service.endoser-agent.git_ref || '' }}
            DOCKER_FILE_PATH: ${{ inputs.service.endoser-agent.docker_file_path || 'Dockerfile.acapy' }} # The docker path, file, is the relative path to the docker file from the root of the repo.
            SOURCE_CONTEXT_DIR:  ${{ inputs.service.endoser-agent.source_context_dir || 'docker/acapy' }}    # The context dir, context, sets the context for the build. i.e. where the build will source files from 
            SOURCE_IMAGE_REGISTRY: ${{ inputs.service.endoser-agent.source_image_registry || '' }}
            SOURCE_IMAGE_NAME: ${{ inputs.service.endoser-agent.source_image_name || '' }}
            SOURCE_IMAGE_TAG: ${{ inputs.service.endoser-agent.source_image_tag || '' }} 
            REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-agent.username_secret_name || '' }} 
            REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-agent.password_secret_name || '' }}
          - service: aries-endorser-db
            GIT_REPO_URL: ${{ inputs.service.endoser-db.git_repo_url || 'hyperledger/aries-endorser-db' }}
            GIT_REF: ${{ inputs.service.endoser-db.git_ref || '' }}
            SOURCE_CONTEXT_DIR: docker/wallet/config
            SOURCE_IMAGE_REGISTRY: "quay.io/"  
            SOURCE_IMAGE_NAME: "fedora/postgresql-13"
            SOURCE_IMAGE_TAG: "13"
          - service: aries-endorser-backup
            GIT_REPO_URL: BCDevOps/backup-container
            GIT_REF: 2.5.1
            DOCKER_FILE_PATH: Dockerfile  # The docker path, file, is the relative path to the docker file from the root of the repo.
            SOURCE_CONTEXT_DIR: docker    # The context dir, context, sets the context for the build. i.e. where the build will source files from
            SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/
            SOURCE_IMAGE_NAME: centos/postgresql-13-centos7
            SOURCE_IMAGE_TAG: 20210722-70dc4d3
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME 
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD 
          - service: aries-endorser-proxy
            GIT_REF: ""
            DOCKER_FILE_PATH: Dockerfile  # The docker path, file, is the relative path to the docker file from the root of the repo.
            SOURCE_CONTEXT_DIR: proxy     # The context dir, context, sets the context for the build. i.e. where the build will source files from
            SOURCE_IMAGE_REGISTRY: "artifacts.developer.gov.bc.ca/docker-remote/"
            SOURCE_IMAGE_NAME: caddy
            SOURCE_IMAGE_TAG: latest
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME 
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD 
          - service: aries-endorser-api
            GIT_REPO_URL: hyperledger/aries-endorser-service
            GIT_REF: ""
            DOCKER_FILE_PATH: Dockerfile.endorser # The docker path, file, is the relative path to the docker file from the root of the repo.
            SOURCE_CONTEXT_DIR: endorser # The context dir, context, sets the context for the build. i.e. where the build will source files from
            SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/
            SOURCE_IMAGE_NAME: python
            SOURCE_IMAGE_TAG: 3.10-slim-buster
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME 
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD 
    outputs:
      aries-endorser-agent_digest: ${{ steps.digest.outputs.aries-endorser-agent_digest }} 
      aries-endorser-backup_digest: ${{ steps.digest.outputs.aries-endorser-backup_digest }} 
      aries-endorser-api_digest: ${{ steps.digest.outputs.aries-endorser-api_digest }}
      aries-endorser-proxy_digest: ${{ steps.digest.outputs.aries-endorser-proxy_digest }}
      aries-endorser-db_digest: ${{ steps.digests.outputs.aries-endorser-db_digest }}  

    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with: 
        repository: ${{ matrix.GIT_REPO_URL }}
        ref: ${{ matrix.GIT_REF }}
        
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Login to image registry
      if: matrix.REGISTRY_USERNAME_SECRET_NAME  != ''&& matrix.SOURCE_IMAGE_REGISTRY != ''
      uses: docker/login-action@v3
      with:
        registry: ${{ matrix.SOURCE_IMAGE_REGISTRY }}
        username: ${{ secrets[matrix.REGISTRY_USERNAME_SECRET_NAME]}}
        password: ${{ secrets[matrix.REGISTRY_PASSWORD_SECRET_NAME]}}
     
    - name: Create Dockerfile for ${{ matrix.service }}
      if: contains(fromJSON('["aries-endorser-proxy"]'), matrix.service)
      run: |
        BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}"
        echo "$BASE_IMAGE"
        mkdir "${{ matrix.SOURCE_CONTEXT_DIR }}" && cd "${{ matrix.SOURCE_CONTEXT_DIR }}"
        echo "FROM ${BASE_IMAGE}" > Dockerfile
        echo "RUN chown 1001:root /usr/bin/caddy" >> Dockerfile

    - name: Prepare docker tags for image
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
        flavor: |
          latest=true
        tags: |
          type=schedule
          type=ref,event=branch
          type=ref,event=pr
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
          type=sha,value=latest     
        labels: | 
          ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }}
          ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }}
          
    - name: Update Docker base image 
      if: matrix.SOURCE_IMAGE_REGISTRY  != '' && contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
      run: |  
        BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}"
        sed -i -e "s;FROM .*;FROM ${BASE_IMAGE};g" "${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}"

    - name: Extract Tags
      id: extract
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      run: |
        tags=$(echo "${{ steps.meta.outputs.tags }}" | grep -oE ':([^[:space:]]+)' | sed '/label/d' | sed 's/://g' | tr '\n' ' ')
        single_tag=$(echo "$tags" | cut -d " " -f 1)
        remaining_tags=$(echo "$tags" | cut -d' ' -f2-)
        echo "tags=$tags" >> $GITHUB_OUTPUT
        echo "single_tag=$single_tag" >> $GITHUB_OUTPUT
        echo "remaining_tags=$remaining_tags" >> $GITHUB_OUTPUT

    - name: Pull database image
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      run: |
        docker pull  ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}   
      # The docs for redhat-actions/s2i-build imply that the pull should not be needed, yet in practice the build fails if the pull is not done first to make the image local.

    - name: Build database image
      id: build_image
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      uses: redhat-actions/s2i-build@v2
      with:
        path_context: ${{ matrix.SOURCE_CONTEXT_DIR}}
        builder_image: "${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}"
        image: ${{ matrix.service }}
        tags: ${{ steps.extract.outputs.single_tag }}         
      # labels would have to be added to the image after the S2I build

    - name: Apply Labels and tags to Database Image
      id: apply_labels
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      run: |
        echo "FROM ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }}" | docker build -t ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }}  --label ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} --label ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} -
          
    - name: Apply Tags to Docker Image
      run: |
        remaining_tags="${{ steps.extract.outputs.remaining_tags }}"
          image_name="${{ steps.build_image.outputs.image }}"
          IFS=' ' read -r -a tags_array <<< "$remaining_tags"   
          # Loop through the tags and apply each one to the Docker image
          for tag in "${tags_array[@]}"; do
            docker tag "$image_name:${{ steps.extract.outputs.single_tag }}" "$image_name:$tag"
          done        

    - name: Push database image
      id: push
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      uses: redhat-actions/push-to-registry@v2
      with:
        tags: ${{ steps.build_image.outputs.tags }}
        image:  ${{ steps.build_image.outputs.image }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
        registry: ${{ env.GITHUB_IMAGE_REPO }}

    - name: Log in to the GHCR
      if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and push Docker image
      id: docker_build
      if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
      uses: docker/build-push-action@v5
      with:
        context: ${{ matrix.SOURCE_CONTEXT_DIR }}
        file: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        outputs: type=image,name=target
        labels: | 
          ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }}
          ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }}
        
    - name: Display ${{ matrix.service }} image results
      id: digests
      if: contains(fromJSON('["aries-endorser-db"]'), matrix.service)
      run:  |
        echo "registry_path=${{ steps.push.outputs.registry-paths }}"
        digest=${{ steps.push.outputs.digest }}
        echo "digest=${digest}"
        echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT
        
    - name: Display ${{ matrix.service}} image results
      id: digest
      if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
      run: |
        echo 'imageid=${{ steps.docker_build.outputs.imageid }}'
        digest=${{ steps.docker_build.outputs.digest }}
        echo "digest=${digest}"
        echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT
        cat $GITHUB_OUTPUT

  # deploy2dev:
  #   needs: build
  #   env:
  #     ENVIRONMENT: dev           
  #   permissions:
  #     packages: write
  #   runs-on: ubuntu-latest
  #   environment: dev
  #   strategy:
  #     # Serialize the deployments
  #     max-parallel: 1
  #     matrix:
  #       include:
  #         - service: aries-endorser-db
  #         - service: aries-endorser-agent
  #         - service: aries-endorser-backup
  #         - service: aries-endorser-proxy
  #         - service: aries-endorser-api
  
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v4
  
  #     - name: Deploy to ${{ env.ENVIRONMENT }}
  #       uses: ./.github/workflows/actions/deploy
  #       with:
  #         environment: ${{ env.ENVIRONMENT }}
  #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
  #         image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }}
  #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }}
  #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  #         namespace: ${{ vars.NAMESPACE }}
  #         deployment_configuration: ${{ matrix.service }}
  #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}

  # deploy2test:
  #   needs: [build, deploy2dev]
  #   env:
  #     ENVIRONMENT: test
  #   permissions:
  #     packages: write
  #   runs-on: ubuntu-latest
  #   environment: test

  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v3

  #     - name: deploy to ${{ env.ENVIRONMENT }}
  #       uses: ./.github/workflows/actions/deploy
  #       with:
  #         environment: ${{ env.ENVIRONMENT }}
  #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
  #         image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }}
  #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }}
  #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  #         namespace: ${{ vars.NAMESPACE }}
  #         deployment_configuration: ${{ matrix.service }}
  #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}

  # # deploy2prod:
  # #   needs: [build, deploy2dev, deploy2test]
  # #   env:
  # #     ENVIRONMENT: prod
  # #   permissions:
  # #     packages: write
  # #   runs-on: ubuntu-latest
  # #   environment: prod

  # #   steps:
  # #     - name: Checkout
  # #       uses: actions/checkout@v3

  # #     - name: deploy to prod
  # #       uses: ./.github/workflows/actions/deploy
  # #       with:
  # #         environment: ${{ env.ENVIRONMENT }}
  # #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  # #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ env.APP_NAME }}
  # #         image_digest: ${{ needs.build.outputs.image_digest }}
  # #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ env.APP_NAME }}
  # #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  # #         namespace: ${{ vars.NAMESPACE }}
  # #         deployment_configuration: ${{ env.APP_NAME }}
  # #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  # #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}``