name: Build CLI
description: |
  Runs cmake and cli make target in build folder. Optionally, Sigstore tools
  are used to sign CLI when inputs are provided. A draft release is published
  when run on v* tag.
inputs:
  targetOS:
    description: "Build CLI for this OS. [linux, darwin]"
    required: true
    default: "linux"
  targetArch:
    description: "Build CLI for this architecture. [amd64, arm64]"
    required: true
    default: "amd64"
  enterpriseCLI:
    description: "Build CLI with enterprise flag."
    required: false
    default: "false"
  cosignPublicKey:
    description: "Cosign public key"
    required: false
    default: ""
  cosignPrivateKey:
    description: "Cosign private key"
    required: false
    default: ""
  cosignPassword:
    description: "Password for Cosign private key"
    required: false
    default: ""
runs:
  using: "composite"
  steps:
    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
    - name: Mark repository safe
      run: |
        git config --global --add safe.directory /__w/constellation/constellation
      shell: bash

    - name: Build CLI
      run: |
        echo "::group::Build CLI"
        mkdir -p build
        cd build
        if [ ${{ inputs.enterpriseCLI }} == 'true' ]
        then
          cmake -DCLI_BUILD_TAGS:STRING=enterprise ..
        else
          cmake ..
        fi
        GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cli
        cp constellation constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
        echo "$(pwd)" >> $GITHUB_PATH
        export PATH="$PATH:$(pwd)"
        echo "::endgroup::"
      shell: bash

    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
    # once it has the functionality
    - name: Install Cosign
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}

    - name: Install Rekor
      run: |
        HOSTOS="$(go env GOOS)"
        HOSTARCH="$(go env GOARCH)"
        curl -sLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-${HOSTOS}-${HOSTARCH}
        sudo install rekor-cli-${HOSTOS}-${HOSTARCH} /usr/local/bin/rekor-cli
        rm rekor-cli-${HOSTOS}-${HOSTARCH}
      shell: bash
      working-directory: build
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}

    - name: Sign CLI
      run: |
        SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
        echo "$COSIGN_PUBLIC_KEY" > cosign.pub
        # Enabling experimental mode also publishes signature to Rekor
        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY ${SIGN_TARGET} > ${SIGN_TARGET}.sig
        # Verify - As documentation & check
        # Local Signature (input: artifact, key, signature)
        cosign verify-blob --key cosign.pub --signature ${SIGN_TARGET}.sig ${SIGN_TARGET}
        # Transparency Log Signature (input: artifact, key)
        uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1)
        sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
        cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET}
      shell: bash
      working-directory: build
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}