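---
# Workflow: build a Python package and a multi-arch container image, publish
# both to Artifactory through the JFrog CLI (OIDC-authenticated), then scan
# the image and the published build-info.
name: build-publish-scan

on:  # yamllint disable-line rule:truthy
  push:
    # NOTE(review): `branches` is empty here and parses as null. List the
    # branches that should trigger the workflow, or drop the key to run on
    # every push.
    branches:

# Workflow-level token scopes; each one is justified inline.
permissions:
  actions: read    # for detecting the Github Actions environment.
  id-token: write  # for creating OIDC tokens for signing.
  packages: write  # for uploading attestation.
  contents: read

jobs:
  build-publish-python:
    runs-on: ubuntu-latest
    env:
      # DOCKER_REPO: 'codeninjas-proj-docker-local'
      DOCKER_REPO: 'optum-app1-sunil-docker-local'
      # The tag is the run number, so every run publishes a distinct tag.
      IMAGE_NAME: 'my-very-cool-image:${{ github.run_number }}'
      JF_URL: 'https://${{ vars.JF_URL }}/'
      DOCKER_CLI_EXPERIMENTAL: 'enabled'
    steps:
      # NOTE(review): every `uses:` below references a mutable major-version
      # tag (@v3/@v4). Pinning each action to a full commit SHA makes the
      # build reproducible and tamper-evident.
      # Use the specific setup-cli branch
      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        id: setup-cli
        env:
          JF_URL: 'https://${{ vars.JF_URL }}/'
          JF_PROJECT: '${{ vars.JF_PROJECT }}'
        with:
          # Authenticate through GitHub OIDC rather than a stored Artifactory
          # credential; the resulting user/token are exposed as step outputs.
          oidc-provider-name: github-bidirect
          oidc-audience: github-jfrog-aud

      - name: Checkout the repository
        uses: actions/checkout@v4

      - name: Cache Primes
        id: cache-primes
        uses: actions/cache@v4
        with:
          path: /usr/lib/python3/dist-packages
          # NOTE(review): a static key is never invalidated when
          # requirements.txt changes; consider adding
          # hashFiles('requirements.txt') to the key.
          key: python_requirements1

      - name: configure jfrog environment
        run: |
          # Use a curated repository for python dependencies resolution
          jf pip-config --repo-resolve=optum-app1-sunil-py-virtual

      - name: configure environment
        run: |
          pip install --upgrade pip
          python3 -m pip install --upgrade pip setuptools wheel sigstore
          wheel -h
          pip show setuptools
          echo $VIRTUAL_ENV

      - name: build project
        # An id makes the `hashes` output below addressable as
        # steps.build.outputs.hashes.
        id: build
        run: |
          jf pip install -r requirements.txt --module=jfrog-python-example
          python setup.py sdist bdist_wheel
          # Record the sha256 of every produced artifact as a step output.
          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: publish python package
        run: |
          jf rt u dist/ optum-app1-sunil-py-virtual/example-projects/ --module=jfrog-python-example

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Authenticate Docker
        uses: docker/login-action@v3
        with:
          registry: '${{ vars.JF_URL }}'
          # Short-lived credentials minted by the setup-cli OIDC exchange above.
          username: '${{ steps.setup-cli.outputs.oidc-user }}'
          password: '${{ steps.setup-cli.outputs.oidc-token }}'

      - name: Setup buildx instance
        uses: docker/setup-buildx-action@v3
        with:
          use: true
          platforms: linux/amd64,linux/arm64
          install: true

      - name: docker build through
        run: |
          docker buildx ls
          jf docker --version
          # --metadata-file captures the pushed image digest, consumed by
          # the "add docker package to build" step.
          jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} --platform linux/amd64,linux/arm64 --metadata-file metadata.json --push .

      - name: docker scan
        run: |
          jf docker pull ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
          jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}

      # Retained per-architecture build/scan/push variant (disabled).
      #- name: docker build
      #  run: |
      #    jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64 --platform linux/amd64 --load .
      #    #docker images
      #    jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64
      #    jf docker push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64
      #    jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64 --platform linux/arm64 --load .
      #    #docker images
      #    jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
      #    jf docker push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
      #    #echo "docker images scanned, now lets push a fat manifest and the images"
      #    #docker manifest create ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64 ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
      #    #echo "docker manifest created"
      #    #docker manifest push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
      #    #echo "docker manifest pushed"
      #    #docker image save -o myimage.tar localhost:5000/myimage:latest

      - name: add docker package to build
        run: |
          echo "----------------"
          cat metadata.json
          echo "----------------"
          # -r strips jq's JSON quoting; without it the digest is emitted as
          # "sha256:..." (quotes included) and the image reference written
          # below would carry literal double quotes.
          digest=$(jq -r '.["containerimage.digest"]' metadata.json)
          # Fail loudly instead of writing a reference with an empty digest.
          if [ -z "$digest" ] || [ "$digest" = "null" ]; then
            echo "containerimage.digest not found in metadata.json" >&2
            exit 1
          fi
          echo "digest=$digest"
          # Reference the image by digest so the build-info records an
          # immutable identity rather than a movable tag.
          echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@$digest" > metadata.json
          jf rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json

      - name: publish build info
        run: |
          jf rt build-collect-env
          jf rt build-add-dependencies .
          jf rt build-add-git
          jf rt build-publish

      - name: build scan
        run: |
          # Build name matches the workflow name; presumably the same name the
          # publish step above used (set by setup-jfrog-cli) — confirm.
          jf build-scan build-publish-scan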