zerotierbridge/.github/workflows/docker-build.yml

name: Publish Docker Image
permissions:
  actions: read
  checks: read
  contents: read
  deployments: read
  issues: read
  discussions: read
  packages: read
  pages: read
  pull-requests: read
  repository-projects: read
  security-events: read
  statuses: read

on:
  pull_request:
  push:
    branches:
      - main

env:
  REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge

jobs:
  Docker_Build:
    name: Docker Build And Release
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        arch: [amd64, arm64]
        version: [1.12.2]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Registry
        id: login
        uses: docker/login-action@v3
        with:
          registry: registry.dangerous.tech
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          context: .
          build-args: |
            ARCH=${{ matrix.arch }}
            VERSION=${{ matrix.version }}
          push: true
          platforms: linux/${{ matrix.arch }}
          # tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true

      - name: Export Digests
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.docker_build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@v3
        with:
          name: digests
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  MergeRefs:
    name: Do The Horrible Merge Thing
    runs-on: ubuntu-latest
    needs:
      - Docker_Build
    steps:
      - name: Download digests
        uses: actions/download-artifact@v3
        with:
          name: digests
          path: /tmp/digests

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Registry
        id: login
        uses: docker/login-action@v3
        with:
          registry: registry.dangerous.tech
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            # set latest tag for default branch
            # https://github.com/docker/metadata-action#latest-tag
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        id: sbom
        with:
          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
          registry-username: ${{ secrets.REGISTRY_USERNAME }}
          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
          format: spdx-json
          output-file: ./sbom.spdx.json

      - name: Scan SBOM
        uses: anchore/scan-action@v3
        id: scan
        with:
          sbom: sbom.spdx.json
          severity-cutoff: medium
          fail-build: false
          only-fixed: true
          by-cve: true

      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Changelog
        uses: TriPSs/conventional-changelog-action@v3
        id: changelog
        if: ${{ github.event_name != 'pull_request' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          git-message: "chore 🤖: Release {version}"
          output-file: CHANGELOG.md
          tag-prefix: v
          fallback-version: 1.0.0
          release-count: 0 # preserve all versions in changelog
          skip-on-empty: false # otherwise we don't publish fixes

      - name: Create Release
        uses: softprops/action-gh-release@v1
        id: release
        if: ${{ steps.changelog.outputs.skipped == 'false' }}
        env:
          GITHUB_TOKEN: ${{ secrets.github_token }}
        with:
          tag_name: ${{ steps.changelog.outputs.tag }}
          name: ${{ steps.changelog.outputs.tag }}
          body: ${{ steps.changelog.outputs.clean_changelog }}
          files: |
            sbom.spdx.json