.github/workflows/build.yaml

name: Build release

on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+\-[0-9]+'
      - '[0-9]+.[0-9]+.[0-9]+\-rc[0-9]+'

permissions:
  contents: read
  security-events: write

jobs:
  build:
    name: Build and push
    runs-on: self-hosted-amd64-1cpu
    outputs:
      release_type: ${{ steps.check_release.outputs.type }}
    env:
      CONTAINER_VERSION: ${{ github.ref_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2

      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;

      - name: Login
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

      - name: Check release type
        id: check_release
        run: |
          TYPE="production"
          if [[ ${CONTAINER_VERSION} =~ "rc" ]]; then
            TYPE="release-candidate"
          fi
          echo "Release type: ${TYPE}"
          echo "type=${TYPE}" >> $GITHUB_OUTPUT

      - name: Build and push
        run: make BUILDX_ARGS=--push build

      - name: Push latest
        if: steps.check_release.outputs.type == 'production'
        run: make push-latest

  sign:
    name: Sign images
    runs-on: self-hosted-amd64-1cpu
    needs:
      - build
    if: needs.build.outputs.release_type == 'production'
    steps:
      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
            kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;

      - name: Docker login
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

      - name: Sign image
        id: sign
        env:
          IMAGE_NAME: docker.io/wallarm/node:${{ github.ref_name }}
          COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }}
        run: |
          docker pull -q ${IMAGE_NAME}
          
          IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}')
          IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
          IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
          SBOM_SPDX="node_${IMAGE_TAG}_spdx.json"
          
          syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
          cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
          cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
          
          echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
          
      - name: Upload SBOM
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
        with:
          retention-days: 30
          name: ${{ steps.sign.outputs.sbom }}
          path: ${{ steps.sign.outputs.sbom }}

  update_version:
    name: Update package version
    if: needs.build.outputs.release_type == 'production'
    runs-on: self-hosted-amd64-1cpu
    needs: build
    steps:
      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: true
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ;
            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ;
            kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ;
            kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ;

      - name: Update package version
        env:
          COMPONENT_NAME: wallarm-nginx-docker
          COMPONENT_VERSION: ${{ github.ref_name }}
        run: |
          PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}"
          COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}"
          GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}"

          git clone ${GITLAB_REPO_URL}
          cd packages_versions
          git checkout -b ${PR_BRANCH}
          git config --local user.name 'project_808_bot'
          git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}'

          cd packages_versions
          cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json
          mv latest.new.json latest.json
          git add latest.json
          git commit -m "${COMMIT_MESSAGE}"
          git push ${GITLAB_REPO_URL} ${PR_BRANCH}

          glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN}

          echo "Creating merge request ..."
          glab mr create \
            --fill \
            --yes \
            --label ${COMPONENT_NAME} \
            --source-branch ${PR_BRANCH} \
            --repo https://${GITLAB_HOST}/${GITLAB_REPO}

          echo "Approving merge request ..."
          glab mr approve \
            ${PR_BRANCH} \
            --repo https://${GITLAB_HOST}/${GITLAB_REPO}

          # Sometimes merging is failed without delay
          echo "Sleep ..."
          sleep 20

          echo "Merging ..."
          glab mr merge \
            ${PR_BRANCH} \
            --yes \
            --remove-source-branch \
            --when-pipeline-succeeds=false \
            --repo https://${GITLAB_HOST}/${GITLAB_REPO}

  scan:
    name: Vulnerability scanner
    runs-on: self-hosted-amd64-1cpu
    needs: build
    steps:
      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;

      - name: Docker Scout
        uses: docker/scout-action@v1
        with:
          command: cves
          image: docker.io/wallarm/node:${{ github.ref_name }}
          to: docker.io/wallarm/node:latest
          only-severities: critical,high
          sarif-file: sarif.output.json
          dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}


      - name: Upload scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: needs.build.outputs.release_type == 'production'
        with:
          sarif_file: sarif.output.json
          token: ${{ github.token }}