name: Release

on:
  push:
    tags: ['v*']

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-binary:
    name: Build Binary
    runs-on: self-hosted

    steps:
      - uses: actions/checkout@v4

      - name: Set up Rust
        run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH

      - name: Cache cargo
        uses: Swatinem/rust-cache@v2

      - name: Build release binary
        run: |
          cargo build --release --package nora-registry
          cp target/release/nora ./nora

      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: nora-binary
          path: nora
          retention-days: 1

  build-docker:
    name: Build & Push (${{ matrix.name }})
    runs-on: self-hosted
    needs: build-binary
    permissions:
      contents: read
      packages: write
      security-events: write  # for uploading SARIF to GitHub Security tab

    strategy:
      fail-fast: false
      matrix:
        include:
          - name: alpine
            dockerfile: Dockerfile
            suffix: ""
          - name: astra
            dockerfile: Dockerfile.astra
            suffix: "-astra"
          - name: redos
            dockerfile: Dockerfile.redos
            suffix: "-redos"

    steps:
      - uses: actions/checkout@v4

      - name: Download binary
        uses: actions/download-artifact@v4
        with:
          name: nora-binary

      - name: Make binary executable
        run: chmod +x nora

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          flavor: |
            suffix=${{ matrix.suffix }},onlatest=true
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable=${{ matrix.suffix == '' }}
            type=raw,value=${{ matrix.name }},enable=${{ matrix.suffix != '' }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.name }}
          cache-to: type=gha,mode=max,scope=${{ matrix.name }}

      # ── CVE scan of the pushed image ────────────────────────────────────────
      - name: Trivy — image scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}${{ matrix.suffix }}
          format: sarif
          output: trivy-image-${{ matrix.name }}.sarif
          severity: HIGH,CRITICAL
          exit-code: 0  # warn only; change to 1 to block on vulnerabilities
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Trivy image results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-image-${{ matrix.name }}.sarif
          category: trivy-image-${{ matrix.name }}

  release:
    name: GitHub Release
    runs-on: ubuntu-latest
    needs: build-docker
    permissions:
      contents: write
      packages: read  # to pull image for SBOM generation

    steps:
      - uses: actions/checkout@v4

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ── SBOM — Software Bill of Materials ───────────────────────────────────
      - name: Generate SBOM (SPDX)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
          format: spdx-json
          output-file: nora-${{ github.ref_name }}.sbom.spdx.json

      - name: Generate SBOM (CycloneDX)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
          format: cyclonedx-json
          output-file: nora-${{ github.ref_name }}.sbom.cdx.json

      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          generate_release_notes: true
          files: |
            nora-${{ github.ref_name }}.sbom.spdx.json
            nora-${{ github.ref_name }}.sbom.cdx.json
          body: |
            ## Docker

            **Alpine (standard):**
            ```bash
            docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}
            ```

            **Astra Linux SE:**
            ```bash
            docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-astra
            ```

            **RED OS:**
            ```bash
            docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos
            ```

            ## Changelog

            See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md)