release.yml

name: Maven Release

# Deploy the webrepl when a new tag is pushed
on:
  push:
    tags: [ 'webrepl-*' ]
  pull_request:
    branches:
      - webrepl

jobs:
  release:
    name: Maven PR Builder (JDK ${{ matrix.java }})
    runs-on: ubuntu-latest

    env:
      ARTIFACT_NAME: "jsh4jpv3"

    strategy:
      matrix:
        java: [ "21" ]
        maven: [ "3.8.2" ]
        jdk: [ "temurin" ]
        cosign: [ "v2.4.1" ]

    steps:
      - name: Check out source code
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
        with:
          platforms: all

      #- name: Set up Docker Buildx
      #  uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Set up Docker
        uses: crazy-max/ghaction-setup-docker@26145a578dce008fee793528d031cd72c57d51af # v3.4.0
        with:
          daemon-config: |
            {
              "debug": true,
              "features": {
                "containerd-snapshotter": true
              }
            }

      - name: Login to Docker repository
        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Install JDK ${{ matrix.java }}
        uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # v3.3.0
        with:
          cache: maven
          distribution: ${{ matrix.jdk }}
          java-version: ${{ matrix.java }}

      - name: Set release version
        shell: bash
        run: |
          GITHUB_REF="${{ github.ref }}" &&
          TAG_NAME="${GITHUB_REF#refs/tags/}" &&
          if [[ $TAG_NAME == "refs/pull/"* ]]; then
            echo "RELEASE_VERSION=latest" >> $GITHUB_ENV
          else
            echo "RELEASE_VERSION=${PULL_NAME#webrepl-}" >> $GITHUB_ENV
          fi &&
          DOCKER_HOST=$(docker context inspect default --format '{{.Endpoints.docker.Host}}') &&
          echo "${DOCKER_HOST}" &&
          echo "$(ps aux | grep '[d]ockerd' | grep -o -- '--host=[^ ]*')"
          echo "DOCKER_HOST=${DOCKER_HOST}" >> $GITHUB_ENV

      - name: Set up Maven if needed
        if: ${{ env.ACT }}
        uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5
        with:
          maven-version: ${{ matrix.maven }}

      - name: Build with Maven
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.BUILD_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.BUILD_KEY }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          DOCKER_ACCOUNT: ${{ secrets.DOCKER_ACCOUNT }}
          DOCKER_BUILDKIT: 1
        run: |
          mvn -B -ntp deploy -Prelease -Drevision="${{ env.RELEASE_VERSION }}" -DskipNexusStagingDeployMojo="true" \
          -Ddocker.sbom=true -Ddocker.provenance=true

#      - name: Build and push Docker image with SBOM
#        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
#        with:
#          tags: ${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }}
#          push: true
#          sbom: true 

#      - name: Install Syft and generate SBOM
#        run: |
#          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
#          syft ${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }} -o json > sbom.json

#      - name: Install Cosign and prepare private key
#        env:
#          COSIGN_URL: "https://github.com/sigstore/cosign/releases/download"
#        run: |
#          curl -sSfL ${{ env.COSIGN_URL }}/${{ matrix.cosign }}/cosign-linux-amd64 -o /usr/local/bin/cosign
#          chmod +x /usr/local/bin/cosign
#          echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > $RUNNER_TEMP/cosign.key
#          chmod 600 $RUNNER_TEMP/cosign.key

#      - name: Sign Docker image with Cosign
#        env:
#          COSIGN_EXPERIMENTAL: "true"
#          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
#        run: |
#          cosign sign --yes --key $RUNNER_TEMP/cosign.key \
#            ${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }}

#      - name: Attest Docker image with Cosign
#        env:
#          COSIGN_EXPERIMENTAL: "true"
#        run: |
#          cosign attest --verbose --yes --key $RUNNER_TEMP/cosign.key --predicate sbom.json --type spdx \
#            ${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }}