.github/workflows/master.yaml

name: Google Artifact Registry images -> Chart -> Rollout | GitHub Release
on:
  pull_request:
  push:
    branches:
      - master
    paths-ignore:
      - '.github/workflows/codeql-analysis.yml'
      - '.github/workflows/test-*.yaml'
      - 'actions/testoidc/*'
      - 'deploy/testdata/*'
      - '*.md'
env:
  GOOGLE_REGISTRY: "europe-north1-docker.pkg.dev"

jobs:
  build_and_push:
    name: Build, push and sign images
    runs-on: ubuntu-22.04
    permissions:
      contents: "read"
      id-token: "write"
    strategy:
      matrix:
        component:
          - hookd
          - deploy
          - deployd
          - canary-deployer
          - deploy-action
        include:
          - component: hookd
            chart: true
          - component: deployd
            chart: true
    steps:
      - uses: actions/checkout@v4 # ratchet:exclude
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3
        if: matrix.chart
        with:
          version: "v3.11.1"
      - name: "Build and push image"
        uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build_push_sign
        with:
          dockerfile: Dockerfile.${{ matrix.component }}
          name: ${{ matrix.component }}
          google_service_account: gh-deploy
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          push: ${{ github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master' }}

      - name: "Package chart"
        if: matrix.chart
        id: package_chart
        env:
          CHART_PATH: ./charts/${{ matrix.component }}
        run: |
          base_version="$(yq '.version' < "${{ env.CHART_PATH }}/Chart.yaml")"
          chart_version="${base_version}-${{ steps.build_push_sign.outputs.version }}"

          yq eval \
            '.version="'"$chart_version"'"' \
            "${{ env.CHART_PATH }}/Chart.yaml" --inplace
          yq eval \
            '.image.tag="${{ steps.build_push_sign.outputs.version }}"' \
            "${{ env.CHART_PATH }}/values.yaml" --inplace

          # helm dependency update "${{ env.CHART_PATH }}"
          helm package "${{ env.CHART_PATH }}" --destination .

          name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml")
          echo "${{ matrix.component }}_name=$name" >> $GITHUB_OUTPUT
          echo "${{ matrix.component }}_version=$chart_version" >> $GITHUB_OUTPUT
          echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT

      - name: "Authenticate to Google Cloud"
        if: matrix.chart && github.ref == 'refs/heads/master'
        id: "auth"
        uses: "google-github-actions/auth@v1" # ratchet:exclude
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: "gh-deploy@nais-io.iam.gserviceaccount.com"
          token_format: "access_token"

      - name: "Log in to Google Artifact Registry"
        if: matrix.chart && github.ref == 'refs/heads/master'
        run: |-
          echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://${{ env.GOOGLE_REGISTRY }}

      - name: "Push Chart"
        if: matrix.chart && github.ref == 'refs/heads/master'
        run: |-
          chart="${{ steps.package_chart.outputs.archive }}"
          echo "Pushing: $chart"
          helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
    outputs:
      hookd_chart_name: ${{ steps.package_chart.outputs.hookd_name }}
      hookd_chart_version: ${{ steps.package_chart.outputs.hookd_version }}
      deployd_chart_name: ${{ steps.package_chart.outputs.deployd_name }}
      deployd_chart_version: ${{ steps.package_chart.outputs.deployd_version }}

  rollout:
    runs-on: fasit-deploy
    if: github.ref == 'refs/heads/master'
    permissions:
      id-token: write
    needs:
      - build_and_push
    steps:
      - name: "Rollout hookd"
        uses: nais/fasit-deploy@v2 # ratchet:exclude
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.hookd_chart_name }}
          version: ${{ needs.build_and_push.outputs.hookd_chart_version }}

      - name: "Rollout deployd"
        uses: nais/fasit-deploy@v2 # ratchet:exclude
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.deployd_chart_name }}
          version: ${{ needs.build_and_push.outputs.deployd_chart_version }}

  release:
    name: Release GitHub Action / binaries
    if: github.ref == 'refs/heads/master'
    needs:
      - build_and_push
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4 # ratchet:exclude

      - uses: actions/setup-go@v5
        with:
          go-version: 'stable'

      - name: Force create tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git remote set-url origin "https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          git tag -f $(cat actions/deploy/version)
          git push -f --tags

      - name: Create deploy binaries
        run: |
          make deploy-release-linux
          make deploy-release-darwin
          make deploy-release-windows

      - name: Delete release if exists
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          latest=$(curl https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest)
          tag=$(echo $latest | jq .tag_name | xargs) # xargs strips quotes
          if grep -q "$tag" actions/deploy/version; then
            release_id=$(echo $latest | jq .id)
            curl -X DELETE https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@api.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}
          fi

      - name: Create Release
        id: create_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          release=$(curl -X POST \
            -d '{"tag_name": "'"$(cat actions/deploy/version)"'"}' \
            -H "Content-Type: application/json" \
            https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@api.github.com/repos/${GITHUB_REPOSITORY}/releases)
          echo "release_id=$(echo $release | jq .id)" >> ${GITHUB_OUTPUT}

      - name: Upload Linux Asset
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BINARY: deploy-linux
        run: |
          curl -X POST \
          -H 'Content-Type: application/x-executable' \
          --data-binary @${BINARY} \
          https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY}

      - name: Upload Darwin Asset
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BINARY: deploy-darwin
        run: |
          curl -X POST \
          -H 'Content-Type: application/x-executable' \
          --data-binary @${BINARY} \
          https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY}

      - name: Upload Windows Asset
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BINARY: deploy-windows
        run: |
          curl -X POST \
          -H 'Content-Type: application/x-executable' \
          --data-binary @${BINARY} \
          https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY}