name: build release, release image to DockerHub
on:
  release:
    types:
      - published

env:
  CONTAINER_RUN_OPTIONS: " "
  IMAGE_REPOSITORY: kubeedge

jobs:
  release-assests:
    name: release kubeedge components
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        target: [kubeedge, edgesite, keadm]
        os: [linux]
        ARM_VERSION: [GOARM7, GOARM8, ""]
        include:
          - target: kubeedge
            os: windows
            ARM_VERSION: ""
          - target: keadm
            os: windows
            ARM_VERSION: ""
    outputs:
      hash-kubeedge-linux-amd64: ${{ steps.hash.outputs.hash-kubeedge-linux-amd64 }}
      hash-kubeedge-windows-amd64: ${{ steps.hash.outputs.hash-kubeedge-windows-amd64 }}
      hash-kubeedge-linux-arm64: ${{ steps.hash.outputs.hash-kubeedge-linux-arm64 }}
      hash-kubeedge-linux-arm:   ${{ steps.hash.outputs.hash-kubeedge-linux-arm }}
      hash-keadm-linux-amd64:    ${{ steps.hash.outputs.hash-keadm-linux-amd64 }}
      hash-keadm-linux-arm64:    ${{ steps.hash.outputs.hash-keadm-linux-arm64 }}
      hash-keadm-linux-arm:      ${{ steps.hash.outputs.hash-keadm-linux-arm }}
      hash-keadm-windows-amd64:  ${{ steps.hash.outputs.hash-keadm-windows-amd64 }}
      hash-edgesite-linux-amd64: ${{ steps.hash.outputs.hash-edgesite-linux-amd64 }}
      hash-edgesite-linux-arm64: ${{ steps.hash.outputs.hash-edgesite-linux-arm64 }}
      hash-edgesite-linux-arm:   ${{ steps.hash.outputs.hash-edgesite-linux-arm }}
    steps:
      - name: checkout code
        uses: actions/checkout@v3
        with:
          # fetch-depth:
          # 0 indicates all history for all branches and tags.
          # for `git describe --tags` in Makefile.
          fetch-depth: 0
      - name: Making and packaging
        run: |
          if [ "${{ matrix.os }}" == "linux" ]; then
            docker pull kubeedge/build-tools:1.20.10-ke1
            BUILD_CONTAINER=true
          else
            BUILD_CONTAINER=false
          fi
          make release WHAT=${{ matrix.target }} ARM_VERSION=${{ matrix.ARM_VERSION }} OS=${{ matrix.os }} BUILD_WITH_CONTAINER=$BUILD_CONTAINER
      - name: Generate arch
        run: |
          if [ "${{ matrix.ARM_VERSION }}" = "GOARM7" ]; then echo "output_arch=arm" >> $GITHUB_ENV; elif [ ${{ matrix.ARM_VERSION }} = "GOARM8" ]; then echo "output_arch=arm64" >> $GITHUB_ENV; else echo "output_arch=amd64" >> $GITHUB_ENV; fi
      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          cp _output/release/${{ github.ref_name }}/${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch }}.tar.gz .
          echo "hash-${{ matrix.target }}-${{ matrix.os }}-${{ env.output_arch }}=$( \
                      sha256sum ${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch}}.tar.gz | base64 -w0 \
                    )" >> "$GITHUB_OUTPUT"
      - name: Uploading assets...
        if: ${{ !env.ACT }}
        uses: softprops/action-gh-release@v1
        with:
          files: |
            _output/release/${{ github.ref_name }}/${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch }}.tar.gz
            _output/release/${{ github.ref_name }}/checksum_${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch }}.tar.gz.txt

  combine_hashes:
    needs: [release-assests]
    runs-on: ubuntu-22.04
    outputs:
      hashes: ${{ steps.hashes.outputs.hashes }}
    env:
      HASHES: ${{ toJSON(needs.release-assests.outputs) }}
    steps:
      - id: hashes
        run: |
          echo "$HASHES" | jq -r '.[] | @base64d' | sed "/^$/d" > hashes.txt
          echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"

  # This step calls the generic workflow to generate provenance.
  provenance:
    needs: [combine_hashes]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
      # Upload provenance to a new release
      upload-assets: true

  publish-image-to-dockerhub:
    name: publish to DockerHub
    strategy:
      matrix:
        target: [cloudcore, admission, edgesite-agent, edgesite-server, csidriver, iptables-manager, edgemark, installation-package, controller-manager, conformance, nodeconformance]
    outputs:
      hash-digest-cloudcore: ${{ steps.hash.outputs.hash-digest-cloudcore }}
      hash-digest-admission: ${{ steps.hash.outputs.hash-digest-admission }}
      hash-digest-edgesite-agent: ${{ steps.hash.outputs.hash-digest-edgesite-agent }}
      hash-digest-edgesite-server: ${{ steps.hash.outputs.hash-digest-edgesite-server }}
      hash-digest-csidriver: ${{ steps.hash.outputs.hash-digest-csidriver }}
      hash-digest-iptables-manager: ${{ steps.hash.outputs.hash-digest-iptables-manager }}
      hash-digest-edgemark: ${{ steps.hash.outputs.hash-digest-edgemark }}
      hash-digest-installation-package: ${{ steps.hash.outputs.hash-digest-installation-package }}
      hash-digest-controller-manager: ${{ steps.hash.outputs.hash-digest-controller-manager }}
      hash-digest-conformance: ${{ steps.hash.outputs.hash-digest-conformance }}
      hash-digest-nodeconformance: ${{ steps.hash.outputs.hash-digest-nodeconformance }}
    runs-on: ubuntu-22.04
    steps:
      - name: checkout code
        uses: actions/checkout@v3
        with:
          # fetch-depth:
          # 0 indicates all history for all branches and tags.
          # for `git describe --tags` in Makefile.
          fetch-depth: 0
      - name: install QEMU
        uses: docker/setup-qemu-action@v1
      - name: install Buildx
        uses: docker/setup-buildx-action@v1
      - name: login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USER_NAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: generate dockerfile path
        run: |
          echo "dockerfile_path=$(./hack/make-rules/imageprocess.sh dockerfile ${{ matrix.target }})" >> $GITHUB_ENV
      - name: build and publish images
        id: build
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ${{ env.dockerfile_path }}
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: |
            ${{ env.IMAGE_REPOSITORY }}/${{ matrix.target }}:${{ github.ref_name }}
      - name: generate digest
        id: hash
        run: |
          echo "hash-digest-${{ matrix.target }}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT

  # This step calls the container workflow to generate provenance and push it to
  # the container registry.
  image-provenance:
    needs: [publish-image-to-dockerhub]
    strategy:
      matrix:
        target: [cloudcore, admission, edgesite-agent, edgesite-server, csidriver, iptables-manager, edgemark, installation-package, controller-manager, conformance, nodeconformance]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
    with:
      image: kubeedge/${{ matrix.target }}
      registry-username: ${{ vars.DOCKERHUB_USER_NAME }}
      digest: ${{ needs.publish-image-to-dockerhub.outputs[format('hash-digest-{0}', matrix.target)] }}
    secrets:
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}