spiff-arena/.github/workflows/build_docker_images.yml

name: Build Docker Images
# we want to be able to sort by tag name to find the newest and trace back to source control
# on every commit to main:
#   frontend:main-20230223164322-b8becd1-45
#   frontend:main-latest
# we settled on:
#   main-2023-02-24_16-16-40
# because the labels on the docker image itself have the git sha and everything else :)
# on every tag:
#   frontend:latest
#
# Example docker image labels:
#     "Labels": {
#       "description": "Software development platform for building, running, and monitoring executable diagrams",
#       "org.opencontainers.image.created": "2023-02-24T16:43:00.844Z",
#       "org.opencontainers.image.description": "",
#       "org.opencontainers.image.licenses": "LGPL-2.1",
#       "org.opencontainers.image.revision": "54064a050fbf9f366648f0f2e2c60ce244fcc421",
#       "org.opencontainers.image.source": "https://github.com/sartography/spiff-arena",
#       "org.opencontainers.image.title": "spiff-arena",
#       "org.opencontainers.image.url": "https://github.com/sartography/spiff-arena",
#       "org.opencontainers.image.version": "main-latest",
#       "source": "https://github.com/sartography/spiff-arena"
#   }
#
# Git tags for an image:
#   curl -H "Authorization: Bearer $(echo -n $TOKEN | base64 -w0)" https://ghcr.io/v2/sartography/spiffworkflow-backend/tags/list | jq -r '.tags | sort_by(.)'

on:
  push:
    branches:
      - main
      - keycloak-realm-with-groups
    tags: [v*]

jobs:
  create_docker_images:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - image_name: sartography/spiffworkflow-frontend
            context: spiffworkflow-frontend
            description: "Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
          - image_name: sartography/spiffworkflow-backend
            context: spiffworkflow-backend
            description: "Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
          - image_name: sartography/connector-proxy-demo
            context: connector-proxy-demo
            description: "Connector proxy component of SpiffWorkflow, providing integration capabilities for external services"

    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ matrix.image_name }}
      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
    permissions:
      contents: read
      packages: write
      security-events: write # Required for uploading Trivy scan results to GitHub Security
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to the Container registry
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get current date
        id: date
        run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT"
      - name: Get short commit sha
        id: commit_sha
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5.6.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
          tags: |
            type=ref,event=branch,branch=main,suffix=-latest
            type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
            type=ref,event=tag,enable=true,format={{version}}
            type=ref,event=tag,enable=true,format=latest

      - name: Write app version info
        working-directory: ${{ matrix.context }}
        run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json
      - name: Generate full image tag
        id: full_tag
        run: echo "full_tag=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}" >> "$GITHUB_OUTPUT"
      - name: Build Docker image
        uses: docker/build-push-action@v6.10.0
        with:
          context: ${{ matrix.context }}
          push: false  # Don't push yet
          load: true   # Load image to local Docker daemon
          tags: ${{ steps.full_tag.outputs.full_tag }}
          labels: ${{ steps.meta.outputs.labels }}
          # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns.
          # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. 
          # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable.
          platforms: linux/amd64 
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.19.0
        with:
          image-ref: '${{ steps.full_tag.outputs.full_tag }}'
          scan-type: 'image'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: 1  # Fail the workflow if critical or high vulnerabilities are found
          timeout: 15m0s
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()  # Run even if the Trivy scan fails
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Push Docker image
        uses: docker/build-push-action@v6.10.0
        with:
          context: ${{ matrix.context }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Adding markdown
        run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY"

  quickstart-guide-test:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [create_docker_images]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Apps
        run: ./bin/run_arena_with_docker_compose
      - name: wait_for_backend
        working-directory: ./spiffworkflow-backend
        run: ./bin/wait_for_backend_to_be_up 5 8000
      - name: wait_for_frontend
        working-directory: ./spiffworkflow-frontend
        run: ./bin/wait_for_frontend_to_be_up 5 8001
      - name: wait_for_connector
        working-directory: ./connector-proxy-demo
        run: ./bin/wait_for_connector_to_be_up 5 8004
      - name: Cypress run
        uses: cypress-io/github-action@v6
        with:
          working-directory: ./spiffworkflow-frontend
          browser: chromium
          # just run one test to make sure we didn't completely break it
          spec: cypress/e2e/process_groups.cy.js
        env:
          # pass GitHub token to allow accurately detecting a build vs a re-run build
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "false"
          CYPRESS_SPIFFWORKFLOW_FRONTEND_USERNAME: "admin"
          CYPRESS_SPIFFWORKFLOW_FRONTEND_PASSWORD: "admin"
          SPIFFWORKFLOW_FRONTEND_PORT: 8001