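# Composite action: refresh the expected runtime measurements for the given
# OS image / CSP in constellation-conf.yaml, then run `constellation verify`
# against the cluster described by constellation-id.json.
#
# Hardening notes (review):
#   - Every `${{ }}` value is passed to bash through `env:` and expanded as a
#     quoted shell variable, so inputs/step outputs are never spliced into the
#     script text (GitHub Actions script-injection pattern).
#   - Unknown cloud providers fail fast instead of producing an empty
#     attestation variant that would only surface as a malformed yq path later.
#   - measurements.json is fetched over HTTPS from the CDN and written into the
#     config WITHOUT any signature verification in this action; the subsequent
#     `constellation verify` therefore compares the cluster against whatever
#     the CDN served. If the measurements are published with a signature, verify
#     it here (or use the CLI's own fetch path) before relying on this in a
#     release gate.
name: Constellation verify
description: "Verify a Constellation cluster."

inputs:
  osImage:
    description: "The OS image used in the cluster."
    required: true
  cloudProvider:
    description: "The cloud provider used in the cluster."
    required: true

runs:
  using: "composite"
  steps:
    # Drop any measurements already present so stale values cannot survive
    # into the verify step. Config schema v2 keys by provider; later schemas
    # key by attestation variant, so clear every known variant.
    - name: Clear current measurements
      shell: bash
      env:
        CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
      run: |
        set -euo pipefail
        if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]; then
          yq -i "del(.provider.${CLOUD_PROVIDER}.measurements)" constellation-conf.yaml
        else
          yq -i 'del(.attestation.awsNitroTPM.measurements)' constellation-conf.yaml
          yq -i 'del(.attestation.azureSEVSNP.measurements)' constellation-conf.yaml
          yq -i 'del(.attestation.azureTrustedLaunch.measurements)' constellation-conf.yaml
          yq -i 'del(.attestation.gcpSEVES.measurements)' constellation-conf.yaml
          yq -i 'del(.attestation.qemuVTPM.measurements)' constellation-conf.yaml
        fi

    # Resolve the image shortname into ref / stream / version path components.
    - name: Expand version path
      id: expand-version
      uses: ./.github/actions/shortname
      with:
        shortname: ${{ inputs.osImage }}

    # Map the CSP name onto the attestation variant key used by non-v2 configs.
    - name: Get attestation variant
      id: get-variant
      shell: bash
      env:
        CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
      run: |
        set -euo pipefail
        # TODO(AB#3144): Refactor when API is update for attestation variants
        case "${CLOUD_PROVIDER}" in
          aws) variant=awsNitroTPM ;;
          azure) variant=azureSEVSNP ;;
          gcp) variant=gcpSEVES ;;
          qemu) variant=qemuVTPM ;;
          *)
            # Without this branch an unknown provider silently yields an empty
            # variant and the yq path in the next step becomes ".attestation..measurements".
            echo "unsupported cloud provider: '${CLOUD_PROVIDER}'" >&2
            exit 1
            ;;
        esac
        echo "ATTESTATION_VARIANT=${variant}" >> "${GITHUB_OUTPUT}"

    # Download the published measurements for this image/CSP and write each
    # PCR entry into the config. Entries are first written as array indices
    # (".measurements.[N]") and then converted with array_to_map, which drops
    # the null gaps and leaves a PCR-index keyed map, as the original did.
    - name: Fetch & write measurements
      shell: bash
      env:
        CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
        ATTESTATION_VARIANT: ${{ steps.get-variant.outputs.ATTESTATION_VARIANT }}
        IMAGE_REF: ${{ steps.expand-version.outputs.ref }}
        IMAGE_STREAM: ${{ steps.expand-version.outputs.stream }}
        IMAGE_VERSION: ${{ steps.expand-version.outputs.version }}
      run: |
        set -euo pipefail
        ver_path="ref/${IMAGE_REF}/stream/${IMAGE_STREAM}/${IMAGE_VERSION}"
        url="https://cdn.confidential.cloud/constellation/v1/${ver_path}/image/csp/${CLOUD_PROVIDER}/measurements.json"

        # NOTE(review): no signature check on the fetched document; see header.
        # With pipefail a failed curl aborts the step instead of writing an
        # empty measurement set that verify would then "pass" against.
        measurements=$(curl -fsSL "${url}" | jq -r '.measurements')

        # Select the config path once; the schema version cannot change mid-loop.
        if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]; then
          target=".provider.${CLOUD_PROVIDER}.measurements"
        else
          target=".attestation.${ATTESTATION_VARIANT}.measurements"
        fi

        for key in $(jq -r 'keys[]' <<< "${measurements}"); do
          # The key is used as a yq array index, so it must be a plain integer;
          # anything else would produce a malformed expression rather than a PCR.
          if ! [[ "${key}" =~ ^[0-9]+$ ]]; then
            echo "unexpected non-numeric PCR key in measurements.json: '${key}'" >&2
            exit 1
          fi
          value=$(jq ".\"${key}\"" <<< "${measurements}")
          echo "Updating ${key} to $(jq -r ".\"${key}\"" <<< "${measurements}")"
          yq -i "${target}.[${key}] = ${value}" constellation-conf.yaml
        done

        yq -i "${target} |= array_to_map" constellation-conf.yaml
        cat constellation-conf.yaml

    # Verify the running cluster against the measurements written above.
    # NOTE(review): `--force` is kept from the original; confirm which CLI-side
    # validations it bypasses before using this action as a release gate.
    - name: Constellation verify
      shell: bash
      run: |
        set -euo pipefail
        constellation verify --cluster-id "$(jq -r '.clusterID' constellation-id.json)" --force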