name: Make updated OS images available on release

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Semantic version tag of the release (vX.Y.Z)."
        required: true
      latest:
        description: "Whether to update the latest tag."
        type: boolean
        default: false

jobs:
  complete-release-branch-transaction:
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      contents: write
    env:
      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
    outputs:
      RELEASE_BRANCH: ${{ env.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # fetch all history

      - name: Determine branch names
        run: |
          RELEASE_BRANCH="release/${FULL_VERSION%.*}"
          WORKING_BRANCH="tmp/${FULL_VERSION}"
          echo "RELEASE_BRANCH=${RELEASE_BRANCH}" | tee -a "$GITHUB_ENV"
          echo "WORKING_BRANCH=${WORKING_BRANCH}" | tee -a "$GITHUB_ENV"

      - name: Create or update release branch
        run: |
          git fetch
          git checkout "${WORKING_BRANCH}" # ensure branch exists locally
          git push origin "${WORKING_BRANCH}":"${RELEASE_BRANCH}"

  update:
    runs-on: ubuntu-24.04
    outputs:
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Override latest
        if: github.event.inputs.latest == 'true'
        id: input-passthrough
        run: echo "latest=true" | tee -a "$GITHUB_OUTPUT"

      - name: Check if should mark latest
        if: github.event.inputs.latest != 'true'
        id: check-last-release
        env:
          REPO: edgelesssys/constellation
          GH_TOKEN: ${{ github.token }}
        run: |
          latest_release_tag=$(
            gh api \
              -H "Accept: application/vnd.github+json" \
              "/repos/${REPO}/releases/latest" \
            | jq -r '.tag_name'
          )

          current_tag=${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
          echo "Latest release tag: ${latest_release_tag}"
          echo "Current tag: ${current_tag}"

          if [[ "${latest_release_tag}" == "${current_tag}" ]]; then
            echo "latest=true" | tee -a "$GITHUB_OUTPUT"
          else
            echo "latest=false" | tee -a "$GITHUB_OUTPUT"
          fi

  add-image-version-to-versionsapi:
    needs: [update]
    name: "Add image version to versionsapi"
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      add_release: true
      stream: stable
      version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
      kind: image
      add_latest: ${{ needs.update.outputs.latest == 'true' }}

  add-cli-version-to-versionsapi:
    needs: [update, add-image-version-to-versionsapi] # run workflow calls after each other
    name: "Add CLI version to versionsapi"
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/versionsapi.yml
    with:
      command: add
      add_release: true
      stream: stable
      version: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
      kind: cli
      add_latest: ${{ needs.update.outputs.latest == 'true' }}

  remove-temporary-branch:
    needs:
      [
        complete-release-branch-transaction,
        add-image-version-to-versionsapi,
        add-cli-version-to-versionsapi,
      ]
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Remove temporary branch
        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"

  mirror-gcp-mpi:
    name: "Mirror GCP Marketplace Image"
    needs: [add-image-version-to-versionsapi]
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: ./.github/actions/setup_bazel_nix

      - name: Login to AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1

      - name: Fetch latest release version
        id: fetch-version
        uses: ./.github/actions/versionsapi
        with:
          command: latest
          stream: stable
          ref: "-"

      - name: Fetch GCP image reference
        id: fetch-reference
        shell: bash
        run: |
          aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
          FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-snp") | .reference' info.json)
          IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
          echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          service_account: "mp-image-uploader@edgeless-systems-public.iam.gserviceaccount.com"

      - name: Mirror
        shell: bash
        run: |
          gcloud --project=edgeless-systems-public compute images create ${{ steps.fetch-reference.outputs.reference }} \
            --source-image=${{ steps.fetch-reference.outputs.reference }} \
            --source-image-project=constellation-images \
            --licenses=projects/edgeless-systems-public/global/licenses/cloud-marketplace-c3d24830a0502e29-df1ebeb69c0ba664