constellation/.github/workflows/azure-snp-reporter.yml

name: Fetch, validate and report SNP report data.
on:
  workflow_dispatch:
  schedule:
    - cron: "0 14 * * 0"

jobs:
  build-snp-reporter:
    name: "Build SNP-reporter container"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0

      - name: Set up Go
        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
        with:
          go-version: 1.19.2

      - name: Build and upload azure SNP reporter container image
        id: build-and-upload
        uses: ./.github/actions/build_micro_service
        with:
          name: azure-snp-reporter
          dockerfile: ./hack/azure-snp-report-verify/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}

  fetch-snp-report:
    needs: build-snp-reporter
    name: "Fetch SNP report"
    runs-on: [self-hosted, azure-cvm]
    env:
      SHELL: /bin/bash
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0

      - name: Fetch SNP report
        uses: ./.github/actions/azure_snp_reporter
        with:
          outputPath: ${{ github.workspace }}/maa-report.jwt

      - name: Upload report JWT
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          name: maa-report.jwt
          path: "${{ github.workspace }}/maa-report.jwt"

  validate-snp-report:
    needs: fetch-snp-report
    name: "Validate SNP report"
    runs-on: ubuntu-latest
    env:
      SHELL: /bin/bash
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
        with:
          submodules: recursive
          token: ${{ secrets.CI_GITHUB_REPOSITORY }}

      - name: Set up Go
        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
        with:
          go-version: 1.19.2

      - name: Download report JWT
        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
        with:
          name: "maa-report.jwt"
          path: "."

      - name: Verify report
        shell: bash
        run: go run ./hack/azure-snp-report-verify/verify.go $(cat ./maa-report.jwt)