# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-openldap
#
# https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
name: Build

on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
  schedule:
    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#schedule
    - cron: '0 17 * * 3'
  push:
    branches-ignore:  # build all branches except:
    - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
    tags-ignore:  # don't build tags
    - '**'
    paths-ignore:
    - '**/*.adoc'
    - '**/*.md'
    - '.editorconfig'
    - '.git*'
    - '.github/*.yml'
    - '.github/ISSUE_TEMPLATE/*'
    - '.github/workflows/stale.yml'
  pull_request:
    paths-ignore:
    - '**/*.adoc'
    - '**/*.md'
    - '.editorconfig'
    - '.git*'
    - '.github/ISSUE_TEMPLATE/*'
    - '.github/*.yml'
    - '.github/workflows/stale.yml'
  workflow_dispatch:
    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch


defaults:
  run:
    shell: bash


env:
  DOCKER_REPO_NAME: openldap
  TRIVY_CACHE_DIR: ~/.trivy/cache


permissions:  # added using https://github.com/step-security/secure-repo
  contents: read


jobs:

  ###########################################################
  build:
  ###########################################################
    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
    timeout-minutes: 30

    permissions:
      packages: write

    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit


    - name: "Show: GitHub context"
      env:
        GITHUB_CONTEXT: ${{ toJSON(github) }}
      run: echo $GITHUB_CONTEXT


    - name: "Show: environment variables"
      run: env | sort


    - name: Git Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2


    - name: Run the sh-checker
      uses: luizm/action-sh-checker@883217215b11c1fabbf00eb1a9a041f62d74c744 # master
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SHFMT_OPTS: --simplify --keep-padding
      with:
         sh_checker_comment: true
         sh_checker_checkbashisms_enable: true
         sh_checker_shfmt_disable: true


    - name: Check Dockerfile
      uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
      with:
        dockerfile: image/Dockerfile


    - name: Cache trivy cache
      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: ${{ env.TRIVY_CACHE_DIR }}
        # https://github.com/actions/cache/issues/342#issuecomment-673371329
        key: ${{ runner.os }}-trivy-${{ github.run_id }}
        restore-keys: |
          ${{ runner.os }}-trivy-


    - name: Configure fast APT repository mirror
      uses: vegardit/fast-apt-mirror.sh@29a5ef3401107220fc3c32a0c659b6a1211f9e0f # v1


    - name: Install dos2unix
      run: sudo apt-get install --no-install-recommends -y dos2unix


    - name: "Determine if docker images shall be published"
      id: docker_push_actions
      run: |
        # ACT -> https://nektosact.com/usage/index.html#skipping-steps
        set -x
        if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
          echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
          echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT
          if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
            echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
          fi
        fi


    - name: Login to docker.io
      if: ${{ env.DOCKER_PUSH }}
      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        username: ${{ secrets.DOCKER_HUB_USERNAME }}
        password: ${{ secrets.DOCKER_HUB_TOKEN }}


    - name: Login to ghcr.io
      if: ${{ env.DOCKER_PUSH_GHCR }}
      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}


    - name: Build docker image
      env:
        DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
        TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: bash build-image.sh

    outputs:
      DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }}


  ###########################################################
  delete-untagged-images:
  ###########################################################
    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
    timeout-minutes: 5
    needs: [build]
    if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }}

    concurrency:
      group: ${{ github.workflow }}
      cancel-in-progress: false

    permissions:
      packages: write

    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Delete untagged images
      uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
      with:
        package: ${{ env.DOCKER_REPO_NAME }}
        delete-untagged: true
        delete-partial-images: true
        delete-ghost-images: true
        delete-orphaned-images: true
        validate: true