release.yml

name: Release

on:
  push:
    # branches:
    #   - "latest"

jobs:
  docker-release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container

      - name: Install GitVersion
        uses: gittools/actions/gitversion/setup@v3.0.0
        with:
          versionSpec: "6.0.0"

      - name: Clear GitVersion Cache
        run: rm -rf .git/gitversion_cache

      - name: Determine Version
        id: gitversion
        uses: gittools/actions/gitversion/execute@v3.0.0
        with:
          useConfigFile: true
          configFilePath: ci/git-version.yml

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: "usabilitydynamics"
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Build and Push Docker Image
        id: docker_push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: |
            usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }}
            usabilitydynamics/udx-worker:latest

      - name: Retrieve Image Digest from Docker Hub
        id: retrieve_digest
        env:
          DOCKER_USERNAME: "usabilitydynamics"
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: |
          echo "Fetching OAuth2 token for Docker Hub using token as password"

          # Request an OAuth2 access token
          TOKEN=$(curl -s -X GET "https://auth.docker.io/token?service=registry.docker.io&scope=repository:usabilitydynamics/udx-worker:pull" \
            -u "${DOCKER_USERNAME}:${DOCKER_TOKEN}" | jq -r .token)

          if [ -z "${TOKEN}" ]; then
            echo "Failed to retrieve OAuth2 token. Check Docker credentials."
            exit 1
          fi

          echo "OAuth2 token retrieved successfully."

          # Fetch the digest using the token
          echo "Fetching digest for tag: ${{ steps.gitversion.outputs.semVer }}"
          RESPONSE_HEADERS=$(curl -sI -H "Authorization: Bearer ${TOKEN}" \
            -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
            "https://registry-1.docker.io/v2/usabilitydynamics/udx-worker/manifests/${{ steps.gitversion.outputs.semVer }}")

          # Debug headers
          echo "Response headers:"
          echo "${RESPONSE_HEADERS}"

          # Extract the Docker-Content-Digest
          DIGEST=$(echo "${RESPONSE_HEADERS}" | grep -i "Docker-Content-Digest" | awk '{print $2}' | tr -d '\r')

          if [ -z "${DIGEST}" ]; then
            echo "Failed to retrieve digest. Check if the tag exists or if authentication is correct."
            exit 1
          fi

          echo "IMAGE_DIGEST=usabilitydynamics/udx-worker@${DIGEST}" >> $GITHUB_ENV
          echo "Image Digest: ${DIGEST}"


      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0

      - name: Sign Docker Image with Cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign sign -y \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE_DIGEST}"

      - name: Verify Cosign Signature
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign verify \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE_DIGEST}"

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
            sudo sh -s -- -b /usr/local/bin

      - name: Generate SBOM with Retry Logic
        id: generate-sbom
        run: |
          export TRIVY_DISABLE_VEX_NOTICE=true
          set +e
          max_retries=10
          attempt=1
          success=false
          while [ $attempt -le $max_retries ]; do
            echo "Generating SBOM, attempt $attempt..."
            output=$(trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>&1)
            sbom_exit_code=$?
            if [ $sbom_exit_code -eq 0 ]; then
              echo "SBOM generation successful."
              success=true
              break
            else
              echo "Retrying in 120 seconds..."
              sleep 120
              attempt=$((attempt+1))
            fi
          done
          if [ "$success" = false ]; then
            exit 1
          fi

      - name: Upload SBOM Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

      - name: Sign SBOM with Cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign attest \
            --key env://COSIGN_PRIVATE_KEY \
            --predicate sbom.json \
            --type https://spdx.dev/spdx-specification-2-2-pdf \
            "${IMAGE_DIGEST}"

      - name: Log out from Docker Hub
        run: docker logout

  # github-release:
  #   runs-on: ubuntu-latest
  #   needs: docker-release
  #   permissions:
  #     contents: write
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 0

  #     - name: Configure git for pushing
  #       run: |
  #         git config --global user.email "worker@udx.io"
  #         git config --global user.name "UDX Worker"

  #     - name: Create GitHub Tag
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
  #       run: |
  #         git tag ${{ needs.docker-release.outputs.semVer }}
  #         git push origin ${{ needs.docker-release.outputs.semVer }}

  #     - name: Download SBOM Artifact
  #       uses: actions/download-artifact@v4
  #       with:
  #         name: sbom

  #     - name: Create GitHub release
  #       uses: softprops/action-gh-release@v2
  #       with:
  #         tag_name: ${{ needs.docker-release.outputs.semVer }}
  #         body: |
  #           Release version ${{ needs.docker-release.outputs.semVer }}.
  #           [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker/tags?page=1&ordering=last_updated).
  #           ${{ needs.docker-release.outputs.changelog }}
  #         draft: false
  #         prerelease: false
  #         files: sbom.json
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}