.github/workflows/release.yml

# Generated by: gromit policy
# Generated on: Wed Jul 26 08:25:03 UTC 2023

# Distribution channels covered by this workflow
# - Ubuntu and Debian
# - RHEL and AL
# - docker hub
# - devenv ECR
# - AWS mktplace (not active atm)
# - Cloudsmith

name: Release

on:
  pull_request:
  push:
    branches:
      - master
      - release-**
    tags:
      - 'v*'

env:
  SLACK_CLI_TOKEN: ${{ secrets.BENDER_TOKEN }}
  GOPRIVATE: github.com/TykTechnologies
  
jobs:
  goreleaser:
    name: '${{ matrix.golang_cross }}'
    runs-on: ubuntu-latest
    container: 'tykio/golang-cross:${{ matrix.golang_cross }}'
    strategy:
      fail-fast: false
      matrix:
        golang_cross: [ 1.19-bullseye ]
        include:
          - golang_cross: 1.19-bullseye
            goreleaser: 'ci/goreleaser/goreleaser.yml' 
            rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
            debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye'
    outputs:
      tag: ${{ steps.targets.outputs.tag }}

    steps:
      - name: Fix private module deps
        env:
          TOKEN: '${{ secrets.ORG_GH_TOKEN }}'
        run: >
          git config --global url."https://${TOKEN}@github.com".insteadOf "https://github.com"

      - name: Checkout of tyk-pump
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - name: "Add Git safe.directory"
        run: git config --global --add safe.directory $GITHUB_WORKSPACE

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      - name: Login to DockerHub
        if: startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to Cloudsmith
        if: startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@v2
        with:
          registry: docker.tyk.io
          username: ${{ secrets.CLOUDSMITH_USERNAME }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}

      - name: Unlock agent and set tag
        id: targets
        shell: bash
        env:
          NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: |
          ci/bin/unlock-agent.sh
          current_tag=${GITHUB_REF##*/}
          echo "tag=${current_tag}" >> $GITHUB_OUTPUT

      - name: Delete old release assets
        if: startsWith(github.ref, 'refs/tags')
        uses: mknejp/delete-release-assets@v1
        with:
          token: ${{ github.token }}
          tag: ${{ github.ref }}
          fail-if-no-assets: false
          fail-if-no-release: false
          assets: |
            *.deb
            *.rpm
            *.tar.gz
            *.txt.sig
            *.txt

      - uses: goreleaser/goreleaser-action@v4
        with:
          version: latest
          args: release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CGO_ENABLED: 0
          NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          NFPM_PAYG_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          GOLANG_CROSS: ${{ matrix.golang_cross }}
          DEBVERS: ${{ matrix.debvers }}
          RPMVERS: ${{ matrix.rpmvers }}
          PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
      - uses: actions/upload-artifact@v3
        with:
          name: deb
          retention-days: 1
          path: |
            dist/*.deb
            !dist/*PAYG*.deb

      - uses: actions/upload-artifact@v3
        with:
          name: rpm
          retention-days: 1
          path: |
            dist/*.rpm
            !dist/*PAYG*.rpm
  ci:
    needs:
      - goreleaser
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # This is required for requesting the JWT
      contents: read    # This is required for actions/checkout

    steps:
      - name: Shallow checkout of tyk-pump
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - uses: actions/download-artifact@v3
        with:
          name: deb

      - name: Docker metadata
        id: metadata
        uses: docker/metadata-action@v4
        with:
          images: ${{ steps.login-ecr.outputs.registry }}/tyk-pump
          flavor: |
            latest=false
            prefix=v
          tags: |
              type=semver,pattern=v{{version}}
              type=semver,pattern=v{{major}}.{{minor}}
              type=semver,pattern=v{{major}}
              type=ref,event=branch

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      - name: CI build
        uses: docker/build-push-action@v4
        with:
          push: true
          context: "."
          file: ci/Dockerfile.std
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ steps.metadata.outputs.tags }}
            ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ needs.goreleaser.outputs.tag }}
            ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ github.sha }}

  sbom:
    needs: ci
    uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
    secrets:
      TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
      DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
      DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}


  upgrade-deb:
    if: startsWith(github.ref, 'refs/tags')
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    runs-on: ubuntu-latest
    needs: goreleaser
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
        distro:
          - ubuntu:jammy
          - ubuntu:bionic
          - ubuntu:focal
          - debian:bullseye

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: actions/download-artifact@v3
        with:
          name: deb

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      - name: generate dockerfile
        run: |
          echo 'FROM ${{ matrix.distro }}
          ARG TARGETARCH
          COPY tyk-pump*_${TARGETARCH}.deb /tyk-pump.deb
          RUN apt-get update && apt-get install -y curl
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.deb.sh | bash && apt-get install -y tyk-pump=1.6.0
          RUN dpkg -i tyk-pump.deb
          ' > Dockerfile

      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@v4
        with:
          context: "."
          platforms: linux/${{ matrix.arch }}
          file: Dockerfile
          push: false

  upgrade-rpm:
    if: startsWith(github.ref, 'refs/tags')
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    needs: goreleaser
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        distro:
          - ubi9/ubi
          - ubi8/ubi

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: actions/download-artifact@v3
        with:
          name: rpm

      - uses: docker/setup-buildx-action@v2

      - name: generate dockerfile
        run: |
          echo 'FROM registry.access.redhat.com/${{ matrix.distro }}
          COPY tyk-pump*.x86_64.rpm /tyk-pump.rpm
          RUN yum install --allowerasing -y curl
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash && yum install -y tyk-pump-1.6.0-1
          RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-pump.key && rpm --import tyk-pump.key
          RUN rpm --checksig tyk-pump.rpm
          RUN rpm -Uvh --force tyk-pump.rpm
          ' > Dockerfile

      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@v4
        with:
          context: "."
          file: Dockerfile
          push: false

  smoke-tests:
    if: startsWith(github.ref, 'refs/tags')
    needs:
      - goreleaser
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - name: Run tests
        shell: bash
        env:
          GITHUB_TAG: ${{ github.ref }}
        run: |
          set -eaxo pipefail
          if [ ! -d smoke-tests ]; then
             echo "::warning No repo specific smoke tests defined"
          fi
          if [ ! -d ci/tests ]; then
             echo "::warning No ci tests defined"
             exit 0
          fi
          for d in ci/tests/*/
          do
              echo Attempting to test $d
              if [ -d $d ] && [ -e $d/test.sh ]; then
                  cd $d
                  ./test.sh ${{ needs.goreleaser.outputs.tag }}
                  cd -
              fi
          done
          for d in smoke-tests/*/
          do
              echo Attempting to test $d
              if [ -d $d ] && [ -e $d/test.sh ]; then
                  cd $d
                  ./test.sh ${{ needs.goreleaser.outputs.tag }}
                  cd -
              fi
          done