.github/workflows/image-build.yaml

name: Image build

env:
  ONLINE_REGISTER: ghcr.io
  ONLINE_REGISTER_USER: ${{ github.actor }}
  BUILD_PLATFORM: linux/amd64,linux/arm64
  ONLINE_REGISTER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

on:
  push:
    branch:
      - main
  workflow_call:
    inputs:
      ref:
        required: true
        type: string
      tag:
        required: false
        type: string
      push:
        required: false
        type: boolean
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'image tag'
        required: true
        default: v0.2.0

permissions: write-all

jobs:
  build-image:
    name: Image build
    runs-on: ubuntu-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2.10.0

      - name: Get Image Push
        id: tag
        run: |
          if ${{ inputs.ref != '' }} ; then
            echo "call by workflow_call"
            echo "tag=${{ inputs.ref }}" >> $GITHUB_OUTPUT
            dispatch=$(egrep "^v" <<< "${{ inputs.ref  }}") ||  echo "call by run e2e"
            if [ -n "${dispatch}" ] ; then
              echo "tag=main" >> $GITHUB_OUTPUT
            fi
            echo ::set-output name=version::${{ inputs.ref }}
            echo ::set-output name=push::${{ inputs.push }}
          elif ${{ inputs.image_tag != '' }} ; then
            echo "call by workflow_dispatch"
            echo ${{ inputs.image_tag }}
            echo "version=${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
            echo "tag=${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
            echo "push=true" >>  $GITHUB_OUTPUT
          elif ${{ github.event_name == 'push' }} ; then
            echo "trigger by push"
            echo ::set-output name=tag::${{ github.sha }}
            echo ::set-output name=version::"latest"
            echo ::set-output name=push::true
          elif ${{ github.event_name == 'pull_request_target' }} ; then
            echo "trigger by pull_request_target"
            echo ::set-output name=tag::${{ github.event.pull_request.head.sha }}
            echo ::set-output name=version::latest
            echo ::set-output name=push::false
          else
            echo "unexpected event: ${{ github.event_name }}"
            exit 1
          fi

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          ref: ${{ steps.tag.outputs.tag }}

      - name: Getting Build Arg
        id: arg
        continue-on-error: false
        run: |
          GIT_COMMIT_VERSION=$( git show -s --format='format:%H')
          GIT_COMMIT_TIME=$( git show -s --format='format:%aI')
          echo ::set-output name=commitver::${GIT_COMMIT_VERSION}
          echo ::set-output name=committime::${GIT_COMMIT_TIME}

      - name: Login to online register
        uses: docker/login-action@v3.0.0
        if: ${{ steps.tag.outputs.push == 'true' }}
        with:
          username: ${{ env.ONLINE_REGISTER_USER }}
          password: ${{ env.ONLINE_REGISTER_PASSWORD }}
          registry: ${{ env.ONLINE_REGISTER }}

      - name: Build container image and push
        if: ${{ steps.tag.outputs.push == 'true' }}
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./
          push: true
          tags: ghcr.io/${{ github.repository }}/meta-plugins:${{ steps.tag.outputs.version }}
          file: ./images/Dockerfile
          github-token: ${{ secrets.WELAN_PAT }}
          platforms: ${{ env.BUILD_PLATFORM }}
          build-args: |
            GIT_COMMIT_VERSION=${{ steps.arg.outputs.commitver }}
            GIT_COMMIT_TIME=${{ steps.arg.outputs.committime }}
            VERSION=${{ steps.tag.outputs.tag }}

      - name: Build ci container image for e2e-test
        if: ${{ steps.tag.outputs.push != 'true' }}
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./
          push: false
          tags: ghcr.io/${{ github.repository }}/meta-plugins-ci:${{ steps.tag.outputs.version }}
          file: ./images/Dockerfile
          github-token: ${{ secrets.GITHUB_TOKEN }}
          platforms: linux/amd64
          outputs: type=docker
          build-args: |
            GIT_COMMIT_VERSION=${{ steps.arg.outputs.commitver }}
            GIT_COMMIT_TIME=${{ steps.arg.outputs.committime }}
            VERSION=${{ steps.tag.outputs.tag }}

      - name: Scan Image
        if: ${{ steps.tag.outputs.push != 'true' }}
        run: |
          docker images
          docker save -o /tmp/ci-images.tar ghcr.io/${{ github.repository }}/meta-plugins-ci:${{ steps.tag.outputs.version }}
          make lint_image_trivy -e IMAGE_NAME=ghcr.io/${{ github.repository }}/meta-plugins-ci:${{ steps.tag.outputs.version }}

      - name: Upload artifact e2e image tar
        if: ${{ steps.tag.outputs.push != 'true' }}
        uses: actions/upload-artifact@v3.1.3
        with:
          name: image-e2e-tar
          path: /tmp/ci-images.tar
          retention-days: 1