.github/workflows/docker-image.yml

name: Build and Publish Docker Images

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

env:
  #DOCKERHUB_ORG: orangecloudfoundry
  DOCKERHUB_ORG: elpaasoci
  BASE_IMAGES: cf-cli curl-ssl git-ssh k8s-tools terraform bosh-cli-v2 spruce
  IMAGES_WITH_DEPENDENCIES: awscli bosh-cli-v2-cf-cli

jobs:
  build_and_publish:
    name: build, test and publish
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
    - uses: actions/checkout@v4
    - uses: ruby/setup-ruby@v1
      with:      
        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
    -
      name: Login to DockerHub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_PASSWORD }}
    -
      name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
        
    - 
      name: build docker images
      run: | # shellcheck disable=SC2086
        for image in $BASE_IMAGES;do
          echo "Processing $image"
          bundle exec rake build:$image
        done
      
    -
      name: test docker images
      run: | # shellcheck disable=SC2086
        for image in $BASE_IMAGES;do
          echo "Processing $image"
          bundle exec rake spec:$image
        done
    -
      name: publish curl-ssl image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: curl-ssl
    -
      name: publish git-ssh image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: git-ssh
    -
      name: publish cf-cli image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: cf-cli
    -
      name: publish k8s-tools image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: k8s-tools
    -
      name: publish bosh-cli-v2 image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: bosh-cli-v2
    -
      name: publish terraform image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: terraform
    -
      name: publish spruce image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: spruce
    -
      name: build docker images with dependencies
      run: | # shellcheck disable=SC2086
        for image in $IMAGES_WITH_DEPENDENCIES;do
          echo "Processing $image"
          bundle exec rake build:$image
        done

    -
      name: test docker images with dependencies
      run: |# shellcheck disable=SC2086
        for image in $IMAGES_WITH_DEPENDENCIES;do
          echo "Processing $image"
          bundle exec rake spec:$image
        done
    -
      name: publish awscli image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: awscli
    -
      name: publish bosh-cli-v2-cf-cli image
      uses: docker/build-push-action@v6.7.0
      with:
        context: ${{env.IMAGE}}
        push: true
        tags: |
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:latest
          ${{env.DOCKERHUB_ORG}}/${{env.IMAGE}}:${{github.sha}}
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:latest
          ghcr.io/${{ github.repository }}/${{env.IMAGE}}:${{github.sha}}
      env:
        IMAGE: bosh-cli-v2-cf-cli


  check_published_images:
    name: check published images
    runs-on: ubuntu-latest
    needs: [ build_and_publish ]
    steps:
      - # Currently we cannot use `docker manifest` without authentication, it results in "unauthorized: access token has insufficient scopes"
        # Also, to save network bandwidth and reduce build time we avoid using `docker pull`
        name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      -
        name: check docker public images
        run: | # shellcheck disable=SC2086
          for image in $BASE_IMAGES $IMAGES_WITH_DEPENDENCIES;do
            echo "Processing $image: checking manifest for $DOCKERHUB_ORG/$image:$GITHUB_SHA"
            docker manifest inspect $DOCKERHUB_ORG/$image:$GITHUB_SHA
          done

  push_for_renovate:
    name: Publish commit for renovate
    runs-on: ubuntu-latest
    needs: [ check_published_images ]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
        if: ${{ github.ref_name == 'main' }}

      -
        name: push
        uses: github-actions-x/commit@v2.9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          push-branch: 'main-validated'
          force-push: true
        if: ${{ github.ref_name == 'main' }}