name: Build CLI
description: |
  Runs cmake and cli make target in build folder. Optionally, Sigstore tools
  are used to sign CLI when inputs are provided. A draft release is published
  when run on v* tag.
inputs:
  cosignPublicKey:
    description: 'Cosign public key'
    required: false
    default: ''
  cosignPrivateKey:
    description: 'Cosign private key'
    required: false
    default: ''
  cosignPassword:
    description: 'Password for Cosign private key'
    required: false
    default: ''
runs:
  using: "composite"
  steps:
    - name: Install build dependencies
      run: |
        sudo apt-get update
        sudo apt-get install \
          build-essential cmake \
          -y
      shell: bash

    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
    # once it has the functionality
    - name: Install Cosign
      uses: sigstore/cosign-installer@main
    - name: Install Rekor
      run: |
        curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
        sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
      shell: bash

    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
    - name: Mark repository safe
      run: |
        git config --global --add safe.directory /__w/constellation/constellation
      shell: bash

    - name: Install Go
      uses: actions/setup-go@v3
      with:
        go-version: "1.18"
    - name: Build hack/pcr-reader
      run: |
        go build .
        echo "$(pwd)" >> $GITHUB_PATH
        export PATH="$PATH:$(pwd)"
      working-directory: hack/pcr-reader
      shell: bash

    - name: Build CLI
      run: |
        GIT_TAG=$(git describe --tags --always --dirty --abbrev=0)
        mkdir build
        cd build
        cmake -DCLI_VERSION:STRING=${GIT_TAG} ..
        make -j`nproc` cli
        echo "$(pwd)" >> $GITHUB_PATH
        export PATH="$PATH:$(pwd)"
      shell: bash

    - name: Sign CLI
      run: |
        set -e
        set -o pipefail
        echo "$COSIGN_PUBLIC_KEY" > cosign.pub
        # Enabling experimental mode also publishes signature to Rekor
        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
        # Verify - As documentation & check
        # Local Signature (input: artifact, key, signature)
        cosign verify-blob --key cosign.pub --signature constellation.sig constellation
        # Transparency Log Signature (input: artifact, key)
        uuid=$(rekor-cli search --artifact constellation | tail -n 1)
        sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
        cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation
      shell: bash
      working-directory: build
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}

    - name: Release CLI
      # GitHub endorsed release project. See: https://github.com/actions/create-release
      uses: softprops/action-gh-release@v1
      if: startsWith(github.ref, 'refs/tags/v')
      with:
        draft: true
        files: |
          build/constellation
          build/constellation.sig
          build/cosign.pub