name: Build and Upload OS image

on:
  workflow_dispatch:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
        type: choice
        required: true
        options:
          - "debug"
          - "console"
          - "nightly"
          - "stable"
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
  workflow_call:
    inputs:
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
        type: string
      isRelease:
        description: 'Is this a release? (sets "ref" to special value "-")'
        type: boolean
        required: false
        default: false
      stream:
        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
        type: string
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        required: false

jobs:
  build-settings:
    name: "Determine build settings"
    runs-on: ubuntu-22.04
    outputs:
      ref: ${{ steps.ref.outputs.ref }}
      stream: ${{ steps.stream.outputs.stream }}
      imageType: ${{ steps.image-type.outputs.imageType }}
      imageVersion: ${{ steps.image-version.outputs.imageVersion }}
      imageName: ${{ steps.image-version.outputs.imageName }}
      imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
      imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version

      - name: Determine ref
        id: ref
        run: |
          if [[ "${{ inputs.isRelease }}" = "true" ]]; then
            echo "ref=-" | tee -a "$GITHUB_OUTPUT"
          else
            echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT"
          fi

      - name: Determine and validate stream
        id: stream
        run: |
          if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
            echo "Nightly builds are not allowed for releases"
            exit 1
          fi
          if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
            echo "Stable builds are only allowed for releases"
            exit 1
          fi

          echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT"

      - name: Determine type of image build
        shell: bash
        id: image-type
        run: |
          case "${{ steps.stream.outputs.stream }}" in
            "debug")
              echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
              ;;
            "console")
              echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
              ;;
          esac

      - name: Determine image version
        id: image-version
        shell: bash
        env:
          REF: ${{ steps.ref.outputs.ref }}
          STREAM: ${{ steps.stream.outputs.stream }}
          IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
        run: |
          {
            echo "imageVersion=${IMAGE_VERSION}"
            echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
            echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
            echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
          } | tee -a "$GITHUB_OUTPUT"

          if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
            echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          elif [[ "${REF}" = "-" ]]; then
            echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          else
            echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
          fi

  upload-os-image:
    name: "Build OS using mkosi and upload it to CSPs"
    needs: [build-settings]
    runs-on: ubuntu-latest-8-cores
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      - name: Login to Azure
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"

      - name: Login to OpenStack
        uses: ./.github/actions/login_openstack
        with:
          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

      - name: Build and upload
        id: build
        shell: bash
        working-directory: ${{ github.workspace }}/image
        env:
          TARGET: //image/system:upload_${{ needs.build-settings.outputs.stream }}
          REF: ${{ needs.build-settings.outputs.ref }}
          STREAM: ${{ needs.build-settings.outputs.stream }}
          SHORT_NAME: ${{ needs.build-settings.outputs.imageNameShort }}
          COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
        run: |
          echo "::group::Build"
          echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
          COSIGN_PUBLIC_KEY_PATH="$(realpath ./cosign.pub)"
          export COSIGN_PUBLIC_KEY_PATH
          opts=(
            --ref "${REF}"
            --upload-measurements
          )
          if [[ "${STREAM}" = "debug" ]]; then
            opts+=(--fake-sign)
          fi
          bazel build //image/base:rpmdb
          bazel run "${TARGET}" -- "${opts[@]}"
          {
            echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
          } | tee -a "$GITHUB_OUTPUT"
          echo -ne "Uploaded OS image:\n\n\`\`\`\n${SHORT_NAME}\n\`\`\`" | tee -a "$GITHUB_STEP_SUMMARY"
          echo "::endgroup::"

      - name: Upload SBOM to S3
        shell: bash
        env:
          RPMDB: ${{ steps.build.outputs.rpmdb }}
        run: |
          aws s3 cp \
            "${RPMDB}" \
            "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
            --no-progress

      - name: Create CLI compatibility information artifact
        shell: bash
        run: |
          bazel run //hack/cli-k8s-compatibility -- \
            --ref=${{  needs.build-settings.outputs.ref }} \
            --stream=${{  needs.build-settings.outputs.stream }} \
            --version=${{  needs.build-settings.outputs.imageVersion }}

  add-image-version-to-versionsapi:
    needs: [upload-os-image, build-settings]
    name: "Add image version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "image"
      add_latest: true

  add-cli-version-to-versionsapi:
    needs: [upload-os-image, build-settings, add-image-version-to-versionsapi]
    name: "Add CLI version to versionsapi"
    if: needs.build-settings.outputs.ref != '-'
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      ref: ${{ needs.build-settings.outputs.ref }}
      stream: ${{ needs.build-settings.outputs.stream }}
      version: ${{ needs.build-settings.outputs.imageVersion }}
      kind: "cli"
      add_latest: true