.github/workflows/goreleaser-cd.yml

name: CD / CLI
on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  # Build binaries with GoReleaser
  prepare:
    strategy:
      matrix:
        os: [ ubuntu-latest, macos-latest, windows-latest ]
        include:
          - os: ubuntu-latest
            goos: linux
          - os: macos-latest
            goos: darwin
          - os: windows-latest
            goos: windows
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v4.1.0
        with:
          go-version-file: go.mod
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 16.18.1
      - name: Setup Cache
        uses: actions/cache@v3.2.3
        with:
          path: dist/${{ matrix.goos }}
          key: ${{ matrix.goos }}-${{ github.ref_name }}
          enableCrossOsArchive: true
      - name: Install Dependencies
        if: matrix.goos == 'linux'
        shell: bash
        run: |
          sudo apt update
          sudo apt install -y libwebkit2gtk-4.0-dev libgtk-3-dev
      - name: Build web
        shell: bash
        run: make build-web
      - name: Get Previous Tag
        id: prev
        uses: WyriHaximus/github-action-get-previous-tag@v1
        env:
          INPUT_PREFIX: v
      - name: GoReleaser (Build)
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: '~> v2'
          args: release --clean --split --timeout 90m
        env:
          CGO_LDFLAGS: "${{ matrix.goos == 'darwin' && '-framework UniformTypeIdentifiers' || '' }}"
          GOOS: ${{ matrix.GOOS }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLAB_CLIENT_SECRET: ${{ secrets.GITLAB_CLIENT_SECRET }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
          GORELEASER_PREVIOUS_TAG: ${{ steps.release.outputs.prev }}

  # Release binaries with GoReleaser
  release:
    runs-on: ubuntu-latest
    needs: prepare
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v4.1.0
        with:
          go-version-file: go.mod
      - name: Copy Cache From Previous Job
        shell: bash
        run: |
          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
      - name: Restore Linux Cache
        uses: actions/cache@v3.2.3
        with:
          path: dist/linux
          key: linux-${{ github.ref_name }}
      - name: Restore Darwin Cache
        uses: actions/cache@v3.2.3
        with:
          path: dist/darwin
          key: darwin-${{ github.ref_name }}
      - name: Restore Windows Cache
        uses: actions/cache@v3.2.3
        with:
          path: dist/windows
          key: windows-${{ github.ref_name }}
          enableCrossOsArchive: true
      - name: Get Previous Tag
        id: prev
        uses: WyriHaximus/github-action-get-previous-tag@v1
        env:
          INPUT_PREFIX: v
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.6.0
      - name: GoReleaser (Release)
        uses: goreleaser/goreleaser-action@v6
        if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
        with:
          distribution: goreleaser-pro
          version: '~> v2'
          args: continue --merge --timeout 90m
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          GITLAB_CLIENT_SECRET: ${{ secrets.GITLAB_CLIENT_SECRET }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
          GORELEASER_PREVIOUS_TAG: ${{ steps.release.outputs.prev }}

  # Publish CLI / Cloud CLI container images
  publish:
    strategy:
      matrix:
        image: [ plural-cli, plural-cli-cloud ]
        include:
          - image: plural-cli
            dockerfile: ./Dockerfile
          - image: plural-cli-cloud
            dockerfile: ./dockerfiles/Dockerfile.cloud
    runs-on: ubuntu-latest
    needs: release
    permissions:
      contents: 'read'
      id-token: 'write'
      packages: 'write'
      security-events: write
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup kubectl
        uses: azure/setup-kubectl@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          # list of Docker images to use as base name for tags
          images: |
            ghcr.io/pluralsh/${{ matrix.image }}
          # generate Docker tags based on the following events/attributes
          tags: |
            type=semver,pattern={{version}}
      # - name: Login to plural registry
      #   uses: docker/login-action@v2
      #   with:
      #     registry: dkr.plural.sh
      #     username: mjg@plural.sh
      #     password: ${{ secrets.PLURAL_ACCESS_TOKEN }}
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Get current date
        id: date
        run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: "."
          file: "${{ matrix.dockerfile }}"
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            APP_VSN=${{ github.ref_name }}
            APP_COMMIT=${{ github.sha }}
            APP_DATE=${{ steps.date.outputs.date }}
      - name: Run Trivy vulnerability scanner on image
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          scanners: 'vuln'
          timeout: 10m
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
  # packer:
  #   name: Build EKS AMI
  #   runs-on: ubuntu-latest
  #   needs: release
  #   permissions:
  #     contents: 'read'
  #     id-token: 'write'
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v3
  #     - name: Configure AWS Credentials
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         aws-region: us-east-2
  #         role-to-assume: arn:aws:iam::654897662046:role/github-actions/plural-cli-amis-packer
  #         role-session-name: CLIAmisPacker
  #     - name: Setup `packer`
  #       uses: hashicorp/setup-packer@main
  #       id: setup
  #       with:
  #         version: 1.9.2
  #     - name: Run `packer init`
  #       id: init
  #       run: "packer init ./packer/"
  #     - name: Run `packer validate`
  #       id: validate
  #       env:
  #         PKR_VAR_k8s_cli_version: ${{ github.ref_name}}
  #       run: "packer validate ./packer/"
  #     - name: Run `packer build`
  #       id: build
  #       # always is used here to ensure the builds can't get cancelled and leave dangling resources
  #       if: always()
  #       env:
  #         PKR_VAR_k8s_cli_version: ${{ github.ref_name}}
  #       run: "packer build ./packer/"