.github/workflows/push.yml

---
name: Build and push Docker Image

on:
  push:
    branches-ignore:
      - dependabot/**
  pull_request:
    types: [labeled]

permissions:
  contents: read

jobs:
  build_and_push:
    # this basically means do not execute it as dependabot unless it is labeled as ready-for-ci
    # because automated processes and pr from forks are dangerous, therefore those prs won't have access to secrets, labeling them acts like allow-listing them
    # more details here https://docs.github.com/en/rest/dependabot/secrets?apiVersion=2022-11-28
    # even when re-running an action manually the actor stays the same as of mid 2022, details here https://github.blog/changelog/2022-07-19-differentiating-triggering-actor-from-executing-actor/

    #https://github.com/actions/runner/issues/1173#issuecomment-1354501147 when false equals true, you have to come up with something ...
    if: |
      (github.actor == 'dependabot[bot]' &&
      contains(github.event.issue.labels.*.name, 'ready-for-ci') == 'true') ||
      github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v4

      - name: Docker meta Service Name
        id: docker_meta_img
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch,enable=false,priority=600
            type=sha,enable=true,priority=600,prefix=
      - name: Log into registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: test image exists
        run: |
          echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV

      - name: Build and push ${{ github.repository }}
        if: ${{ env.IMAGE_EXISTS == 0 }}
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          push: true
          pull: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
          labels: ${{ steps.docker_meta_img.outputs.labels }}

  branch_meta:
    runs-on: ubuntu-latest
    outputs:
      branch: ${{ steps.extract_branch_meta.outputs.branch }}
      sha: ${{ steps.extract_branch_meta.outputs.sha }}
    steps:
      - name: Extract branch meta
        shell: bash
        id: extract_branch_meta
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BRANCH_REF_NAME: ${{ github.ref_name}}
          BRANCH_SHA: ${{ github.sha }}
        run: |
          if [ "${{ github.event_name }}" == 'pull_request' ]; then
            echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT
            echo "sha=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
          else
            echo "branch=$BRANCH_REF_NAME" >> $GITHUB_OUTPUT
            echo "sha=$BRANCH_SHA" >> $GITHUB_OUTPUT
          fi

  deploy:
    needs:
      - build_and_push
      - branch_meta
    uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@BC-6683-poc-board-collaboration-server
    with:
      branch: ${{ needs.branch_meta.outputs.branch }}
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}
      DEV_VAULT_BRB: ${{ secrets.DEV_VAULT_BRB }}
      DEV_VAULT_NBC: ${{ secrets.DEV_VAULT_NBC }}
      DEV_VAULT_THR: ${{ secrets.DEV_VAULT_THR }}
      DEV_VAULT_DBC: ${{ secrets.DEV_VAULT_DBC }}
      DEV_KUBE_CONFIG_BRB: ${{ secrets.DEV_KUBE_CONFIG_BRB }}
      DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }}
      DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }}
      DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }}

  deploy-successful:
    needs:
      - deploy
    runs-on: ubuntu-latest
    steps:
      - run: echo "deploy was successful"

  trivy-vulnerability-scanning:
    needs:
      - build_and_push
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: run trivy vulnerability scanner
        uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
        with:
          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: 1
          ignore-unfixed: true
      - name: upload trivy results
        if: ${{ always() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'