zerobyte/.github/workflows/release.yml

name: Release Workflow

on:
  push:
    tags:
      - "v*.*.*"
      - "v*.*.*-beta.*"
      - "v*.*.*-alpha.*"

permissions:
  contents: write
  packages: write
  security-events: write

jobs:
  determine-release-type:
    runs-on: ubuntu-latest
    outputs:
      release_type: ${{ steps.set-type.outputs.release_type }}
      tagname: ${{ github.ref_name }}
    steps:
      - name: Set release type
        id: set-type
        run: |
          TAG=${GITHUB_REF#refs/tags/}
          if [[ $TAG == *-alpha* ]]; then
            echo "release_type=alpha" >> $GITHUB_OUTPUT
          elif [[ $TAG == *-beta* ]]; then
            echo "release_type=beta" >> $GITHUB_OUTPUT
          else
            echo "release_type=release" >> $GITHUB_OUTPUT
          fi

  checks:
    uses: ./.github/workflows/checks.yml

  e2e-tests:
    uses: ./.github/workflows/e2e.yml

  build-images:
    timeout-minutes: 15
    needs: [determine-release-type, checks, e2e-tests]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}

      - name: Log in to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          driver: cloud
          endpoint: "meienberger/runtipi-builder"
          install: true

      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build docker image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
          platforms: linux/amd64
          push: false
          load: true
          tags: local/zerobyte:ci
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

      - name: Scan new image for vulnerabilities
        if: needs.determine-release-type.outputs.release_type == 'release'
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
        id: scan
        with:
          image: local/zerobyte:ci
          fail-build: false
          only-fixed: true
          severity-cutoff: critical

      - name: upload Anchore scan report
        if: needs.determine-release-type.outputs.release_type == 'release'
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/zerobyte
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}}.{{patch}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
          flavor: |
            latest=${{ needs.determine-release-type.outputs.release_type == 'release' }}

      - name: Push images to GitHub Container Registry
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

  publish-release:
    runs-on: ubuntu-latest
    needs: [build-images, determine-release-type]
    if: needs.determine-release-type.outputs.release_type == 'release'
    outputs:
      id: ${{ steps.create_release.outputs.id }}
    steps:
      - name: Create GitHub release
        id: create_release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          body: |
            **${{ needs.determine-release-type.outputs.tagname }}**
          tag_name: ${{ needs.determine-release-type.outputs.tagname }}
          name: ${{ needs.determine-release-type.outputs.tagname }}
          draft: false
          prerelease: true
          files: cli/runtipi-cli-*