.github/workflows/nubis-build.yaml

name: build-arch
on:
  workflow_call:
    inputs:
      matrix:
        required: true
        type: string

      dockerfile:
        required: true
        type: string

      registry:
        required: true
        type: string

jobs:
  setup:
    runs-on: [ self-hosted, gcc, lite ]
    outputs:
      enable: ${{ steps.set-variable.outputs.enable }}
    steps:
      - uses: actions/checkout@v2
      - name: Set test variable
        id: set-variable
        run: |
          if [ ${{ github.ref }} != 'refs/heads/main' ]; then
            echo "will NOT build dockerfiles"
            #echo "::set-output name=enable::false"
          else
            echo "WILL build dockerfiles"
            #echo "::set-output name=enable::true"
          fi
          # Enable build
          echo "::set-output name=enable::true"
        shell: bash
      - name: Read exported variable
        run: |
          echo "OUTPUT: ${{ steps.set-variable.outputs.enable }}"


  build:
    runs-on: [ self-hosted, "${{ matrix.architecture }}", gcc, lite ]
    
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    strategy:
      matrix: 
        architecture: ${{ fromJson(toJSON(fromJson(inputs.matrix).architecture)) }}
        #${{ fromJson(inputs.matrix) }}
      fail-fast: false

    outputs:
      image_name: ${{ steps.build.outputs.image_name }}

    needs: [setup]
    steps:
    - name: Build
      id: build
      run: |
          echo ${{ matrix.architecture }}
          GEN=$( echo "${{ inputs.dockerfile }}" | sed s/Dockerfile\.// )
          echo "image_name=gh-actions-runner-$GEN" >> "$GITHUB_OUTPUT"

    - name: Fix filename
      id: fix-filename
      run: |
         ARCH=$( echo "${{ matrix.architecture }}" )
         FILENAME=$( echo "${{ inputs.dockerfile }}" )   
         if [ $ARCH == "aarch64" ] && [ $FILENAME == "Dockerfile.jetson" ];
         then
             FILENAME=$( echo "jetson-aarch64-dockerfile" )   
             echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT"
         else
             echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT"
         fi

    - name: Checkout
      uses: actions/checkout@v3
    - name: Install cosign
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      uses: sigstore/cosign-installer@ca922a571676e06d3299cce5d520e178ba89a276
      with:
        cosign-release: 'v1.13.1'
    - name: Check install!
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      run: cosign version
    - name: Set up Docker Context for Buildx
      id: buildx-context
      run: |
          docker context create builders || true
    # Workaround: https://github.com/docker/build-push-action/issues/461
    - name: Setup Docker buildx
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
      with:
        version: latest
        endpoint: builders
    # Login against a Docker registry except on PR
    # https://github.com/docker/login-action
    - name: Log into registry ${{ inputs.REGISTRY }}
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
      with:
        registry: ${{ inputs.REGISTRY }}
        username: ${{ secrets.HARBOR_USER }}
        password: ${{ secrets.HARBOR_SECRET }}

    # Extract metadata (tags, labels) for Docker
    # https://github.com/docker/metadata-action
    - name: Extract Docker metadata
      id: meta
      uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
      with:
        images: ${{ inputs.registry }}/${{ steps.build.outputs.image_name }}
        tags: |
          type=sha,prefix=${{ matrix.architecture }}-

    # Build and push Docker image with Buildx (don't push on PR)
    # https://github.com/docker/build-push-action
    - name: Build and push ${{ steps.fix-filename.outputs.dockerfilename }}-${{ matrix.architecture }}
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      id: build-and-push
      uses: docker/build-push-action@master
      with:
        context: .
        push: ${{ github.event_name != 'pull_request' }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        #cache-from: type=local,src=/tmp
        #cache-to: type=local,mode=max,dest=/tmp
        file: ${{ steps.fix-filename.outputs.dockerfilename }}
        provenance: false

    # Sign the resulting Docker image digest except on PRs.
    # This will only write to the public Rekor transparency log when the Docker
    # repository is public to avoid leaking data.  If you would like to publish
    # transparency data even for private images, pass --force to cosign below.
    # https://github.com/sigstore/cosign
    - name: Sign the published Docker image
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      env:
        COSIGN_EXPERIMENTAL: "true"
      # This step uses the identity token to provision an ephemeral certificate
      # against the sigstore community Fulcio instance.
      run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
    - name: Clean up Docker Context for Buildx
      id: buildx-context-cleanup
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      run: |
          docker context remove builders || true

  manifest:
    runs-on: [ self-hosted, gcc, lite ]
    needs: [setup, build]
    
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
    - uses: actions/checkout@v3
    - uses: benjlevesque/short-sha@v2.2
      id: short-sha
      with:
        length: 7

    # Login against a Docker registry except on PR
    # https://github.com/docker/login-action
    - name: Log into registry ${{ inputs.REGISTRY }}
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
      with:
        registry: ${{ inputs.REGISTRY }}
        username: ${{ secrets.HARBOR_USER }}
        password: ${{ secrets.HARBOR_SECRET }}

    - name: Set image name
      id: set-image-name
      run: |
          NAME=$( echo "${{ needs.build.outputs.image_name }}" )
          REGISTRY=$( echo "${{ inputs.REGISTRY }}" )
          #NAMESPACE="runners"
          #echo "image_name=$REGISTRY/$NAMESPACE/$NAME" >> "$GITHUB_OUTPUT"
          echo "image_name=$REGISTRY/$NAME" >> "$GITHUB_OUTPUT"

    - name: Create manifest for ${{ needs.build.outputs.image_name }}
      id: debug-echo
      run: |
          VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA )
          VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA )
          echo docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true
          echo docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \
              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \
              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) 
          echo docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic
      env:
        SHA: ${{ steps.short-sha.outputs.sha }}

    - name: Create manifest for ${{ needs.build.outputs.image_name }}
      id: create-manifest
      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
      run: |
          VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA )
          VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA )
          docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true
          docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \
              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \
              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) 
          docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic
      env:
        SHA: ${{ steps.short-sha.outputs.sha }}