.github/workflows/golang.yml

name: Go CI

on:
  push:
  pull_request:
    types: [ opened, reopened ]
  workflow_dispatch:

permissions:
  contents: write
  packages: write

jobs:
  build:
    runs-on: ubuntu-22.04

    name: Continuous Integration

    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5.0.1
        with:
          go-version-file: go.mod
          check-latest: true

      - name: Get dependencies
        run: go mod download

      - name: Lint
        run: |
          result=$(make lint)
          echo $result
          [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0

      - name: Build
        run: make build

      - name: Test
        run: make test

      - name: Coverage
        run: make coverage-out

      - name: Upload Code Coverage
        uses: codecov/codecov-action@v4.4.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true

  release:
    name: release
    needs: [build]
    runs-on: ubuntu-22.04

    outputs:
      container_digest: ${{ steps.container_info.outputs.container_digest }}
      container_tags: ${{ steps.container_info.outputs.container_tags }}
      container_repos: ${{ steps.container_info.outputs.container_repos }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5.0.1
        with:
          go-version-file: go.mod
          check-latest: true

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Login to container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Set release variables
        id: release-vars
        run: |
          make release-vars > /tmp/spiffe-vault-release-vars.env
          source /tmp/spiffe-vault-release-vars.env
          if [[ -n "$LDFLAGS" ]]; then
            echo "ldflags=$LDFLAGS" >> $GITHUB_OUTPUT
          fi
          if [[ -n "$GIT_HASH" ]]; then
            echo "git_hash=$GIT_HASH" >> $GITHUB_OUTPUT
          fi
          rm -f /tmp/spiffe-vault-release-vars.env

      - name: Install signing key
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key

      - name: Buildx builder
        run: make container-builder

      - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
        uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }}
        env:
          LDFLAGS: ${{ steps.release-vars.outputs.ldflags }}
          GIT_HASH: ${{ steps.release-vars.outputs.git_hash }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Get container info
        id: container_info
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
          echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT
          echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT
          echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT

      - name: Logout from container registries
        if: ${{ always() }}
        run: |
          docker logout ghcr.io

      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key

  provenance:
    name: Generate provenance
    runs-on: ubuntu-22.04
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')

    steps:
      - name: Generate provenance for release
        uses: philips-labs/slsa-provenance-action@v0.9.0
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Sign provenance
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"

          curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"

          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          SIGNATURE: provenance.att.sig

  container-provenance:
    name: container-provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04

    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Generate provenance for ${{ matrix.repo }}
        uses: philips-labs/slsa-provenance-action@v0.9.0
        with:
          command: generate
          subcommand: container
          arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Get slsa-provenance predicate
        run: |
          cat provenance.att | jq .predicate > provenance-predicate.att

      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io

      - name: Attach provenance to image
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Verify attestation
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout ghcr.io
          rm -f cosign.key