name: Fetch, validate and report SNP report data.
on:
  workflow_dispatch:
  schedule:
    - cron: "0 14 * * 0"

jobs:
  build-snp-reporter:
    name: "Build SNP-reporter container"
    runs-on: ubuntu-22.04
    permissions:
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Build and upload azure SNP reporter container image
        id: build-and-upload
        uses: ./.github/actions/build_micro_service
        with:
          name: azure-snp-reporter
          dockerfile: ./hack/azure-snp-report-verify/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}

  fetch-snp-report:
    needs: build-snp-reporter
    name: "Fetch SNP report"
    runs-on: [self-hosted, azure-cvm]
    env:
      SHELL: /bin/bash
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Fetch SNP report
        uses: ./.github/actions/azure_snp_reporter
        with:
          outputPath: ${{ github.workspace }}/maa-report.jwt

      - name: Upload report JWT
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: maa-report.jwt
          path: "${{ github.workspace }}/maa-report.jwt"

  validate-snp-report:
    needs: fetch-snp-report
    name: "Validate SNP report and update Attestation API"
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-22.04
    env:
      SHELL: /bin/bash
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Set up Go
        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: 1.20.5
          cache: false

      - name: Download report JWT
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: "maa-report.jwt"
          path: "."

      - name: Verify report
        shell: bash
        run: go run ./hack/azure-snp-report-verify/verify.go --report "$(cat ./maa-report.jwt)" --export-path azure-snp-version.json

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      - name: Update Attestation API
        shell: bash
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          go run ./hack/configapi/main.go --version-file azure-snp-version.json