name: Continuous Delivery

on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  IMAGE_STAGING: cloudnative-pg/postgresql-testing
  IMAGE_RELEASE: cloudnative-pg/postgresql

jobs:
  generate-jobs:
    name: Generate Jobs
    runs-on: ubuntu-22.04
    outputs:
      strategy: ${{ steps.generate-jobs.outputs.strategy }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Generate Jobs
        id: generate-jobs
        shell: bash
        run: |
          bash .github/generate-strategy.sh

  build:
    needs: generate-jobs
    strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
    name: ${{ matrix.name }}
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
    steps:
    - name: Checkout Code
      uses: actions/checkout@v3

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v2
      with:
        image: tonistiigi/binfmt:qemu-v6.1.0
        platforms: ${{ matrix.platforms }}

    - name: Docker meta
      env:
        TAGS: ${{ toJson(matrix.tags) }}
      run: |
        RESULT=""
        for tag in $(jq -r '.[]' <<< "${TAGS}")
        do
          RESULT="${RESULT},ghcr.io/${IMAGE_STAGING}:${tag}"
          # If we are running the pipeline in the main branch images are pushed in both -testing and PROD repo
          if [ "${GITHUB_REF#refs/heads/}" == main ]
          then
            RESULT="${RESULT},ghcr.io/${IMAGE_RELEASE}:${tag}"
          fi
        done
        echo "TAGS=${RESULT%,}" >> $GITHUB_ENV

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - name: Log in to the GitHub Container registry
      uses: docker/login-action@v2
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and load
      uses: docker/build-push-action@v4
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
        push: false
        load: true
        tags: ${{ env.TAGS }}

    - name: Dockle scan
      uses: erzz/dockle-action@v1
      with:
        image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
        exit-code: '1'
        failure-threshold: WARN
        accept-keywords: key
        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py

    - name: Build and push
      uses: docker/build-push-action@v4
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
        platforms: ${{ matrix.platforms }}
        push: true
        tags: ${{ env.TAGS }}