flowzone.yml

.flowzone:
  - &ifInternalPullRequest # check if the PR is from a fork by comparing the repository name
    if: github.event.pull_request.head.repo.full_name == github.repository

  - &ifExternalPullRequest # check if the PR is from a fork by comparing the repository name
    if: github.event.pull_request.head.repo.full_name != github.repository

  - &ifPrivateRepository
    if: github.event.repository.private

  - &checkGitHubAppPrivateKey
    name: Check for GitHub App private key
    id: gh_app_private_key
    shell: bash
    run: |
      if [ -n '${{ secrets.GH_APP_PRIVATE_KEY }}' ]
      then
          echo 'found=true' >> $GITHUB_OUTPUT
      else
          echo 'found=false' >> $GITHUB_OUTPUT
      fi

  - &getGitHubAppToken # https://github.com/marketplace/actions/github-app-token
    name: Generate GitHub App installation token
    uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
    if: steps.gh_app_private_key.outputs.found == 'true'
    id: gh_app_token
    with:
      app_id: ${{ inputs.app_id }}
      installation_id: ${{ inputs.installation_id }}
      private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      permissions: ${{ inputs.token_scope }}

  - &downloadSourceArtifact
    name: Download source artifact
    uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
    with:
      name: source-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
      path: ${{ runner.temp }}

  - &extractSourceArtifact
    name: Extract source artifact
    # tar: Cannot connect to D: resolve failed
    shell: pwsh
    working-directory: .
    run: tar -xf ${{ runner.temp }}/source.tgz

  - &getVersionTag
    name: Get version from tags
    id: version_tag
    run: |
      tag="$(git tag --points-at HEAD | tail -n1)"
      echo "tag=${tag}" >> $GITHUB_OUTPUT
      echo "semver=$(npx -q -y -- semver -c -l "${tag}")" >> $GITHUB_OUTPUT
      echo "describe=$(git describe --tags --always --dirty | cat)" >> $GITHUB_OUTPUT

  - &deployToBalenaAction
    uses: balena-io/deploy-to-balena-action@e7041b7ca6dd85f47a3eb5ce141178bf77d85920 # v0.27.0
    id: balena_deploy
    with:
      balena_token: ${{ secrets.BALENA_API_KEY || secrets.BALENA_API_KEY_PUSH }}
      environment: ${{ inputs.balena_environment }}
      fleet: ${{ matrix.slug }}
      source: ${{ inputs.working_directory }}
      registry_secrets: |
        {
          "ghcr.io": {
            "username": "${{ github.actor }}",
            "password": "${{ secrets.GITHUB_TOKEN }}"
          },
          "docker.io": {
            "username": "${{ secrets.DOCKERHUB_USER }}",
            "password": "${{ secrets.DOCKERHUB_TOKEN }}"
          }
        }

  - &getReleaseNotes
    name: Generate release notes
    id: release_notes
    run: |
      set -ea
      # prevent git from existing with 141
      set +o pipefail
      previous_tag="$(git --no-pager tag --list --sort=-version:refname "v*.*.*" --merged | head -n2 | tail -n1)"
      release_notes_file="$(mktemp)"
      git log ${previous_tag}..${{ github.event.pull_request.head.sha || github.event.head_commit.id }} --pretty=reference > "${release_notes_file}"
      echo "file=${release_notes_file}" >> $GITHUB_OUTPUT

  # FIXME: https://github.com/balena-io/deploy-to-balena-action/issues/194
  - &updateBalenaReleaseNotes
    name: Update balena release notes
    run: |
      set -ea
      release_notes="$(cat < '${{ steps.release_notes.outputs.file }}' | jq -R -s .)"
      app_id="$(curl --silent --retry 3 --fail \
        "https://api.${{ inputs.balena_environment }}/v6/application?\$filter=slug%20eq%20%27${{ matrix.slug }}%27&\$select=id" \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer ${{ secrets.BALENA_API_KEY || secrets.BALENA_API_KEY_PUSH }}' \
        | jq -r '.d[].id')"
      release_id='${{ steps.balena_deploy.outputs.release_id }}'
      if [[ -n $release_notes ]] && [[ -n $app_id ]] && [[ -n $release_id ]]; then
          curl --silent --retry 3 --fail \
            -X PATCH "https://api.${{ inputs.balena_environment }}/v6/release?\$filter=belongs_to__application%20eq%20${app_id}%20and%20id%20eq%20${release_id}" \
            -H 'Content-Type: application/json' \
            -H 'Authorization: Bearer ${{ secrets.BALENA_API_KEY || secrets.BALENA_API_KEY_PUSH }}' \
            -d "{\"note\":${release_notes}}"
      fi

  - &checkoutMergeBranch
    # for pull_request_target events that are not closed we need to specify the merge branch manually
    # because the default checkout ref is the tip of the main/master branch
    name: Checkout merge branch
    if: github.event_name == 'pull_request_target' && github.event.action != 'closed'
    id: checkout_merge
    uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
    with:
      fetch-depth: 0
      submodules: "recursive"
      ref: "refs/pull/${{ github.event.number }}/merge"
      token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}

  - &checkoutSha # otherwise use the default checkout behaviour
    name: Checkout sha
    if: github.event_name != 'pull_request_target' || github.event.action == 'closed'
    uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
    with:
      fetch-depth: 0
      submodules: "recursive"
      token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}

  - &loginWithDockerHub
    name: Login to Docker Hub
    continue-on-error: true
    uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
    with:
      registry: docker.io
      username: ${{ secrets.DOCKERHUB_USER || secrets.DOCKER_REGISTRY_USER }}
      password: ${{ secrets.DOCKERHUB_TOKEN || secrets.DOCKER_REGISTRY_PASS }}

  - &loginWithGitHubContainerRegistry
    name: Login to GitHub Container Registry
    continue-on-error: true
    uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      # FIXME: as per GitHub support:
      # "You cannot authenticate with a GitHub App token on the GitHub Package Registry"
      # so this will fail for external PRs as the automatic actions token will be read-only
      password: ${{ secrets.GITHUB_TOKEN }}

  - &customWorkingDirectory
    defaults:
      run:
        working-directory: ${{ inputs.working_directory }}
        shell: bash --noprofile --norc -eo pipefail -x {0}

  - &rootWorkingDirectory
    defaults:
      run:
        working-directory: .
        shell: bash --noprofile --norc -eo pipefail -x {0}

  - &gitHubCliEnvironment
    # environment variables used by gh CLI
    # https://cli.github.com/manual/gh_help_environment
    GH_DEBUG: "true"
    GH_PAGER: "cat"
    GH_PROMPT_DISABLED: "true"
    GH_REPO: "${{ github.repository }}"
    # default to automatic actions token
    GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

  - &rejectExternalWorkflowChanges
    name: Reject external workflow changes
    <<: *ifExternalPullRequest
    env:
      <<: *gitHubCliEnvironment
    run: |
      if [[ $(gh pr diff ${{ github.event.pull_request.number }} --name-only) =~ ^\.github\/ ]]
      then
        echo "::error::Modifications to workflow files are not supported for external contributions. \
          Please contact a member of the organization for assistance."
        exit 1
      fi

  - &rejectExternalCustomActions
    name: Reject external custom actions
    if: |
      github.event.pull_request.head.repo.full_name != github.repository &&
      inputs.restrict_custom_actions == true
    run: |
      echo "::error::Custom actions are disabled for external contributors and will be skipped. \
        Please contact a member of the organization for assistance."
      exit 1

  - &logGitHubContext
    name: Log GitHub context
    env:
      GITHUB_CONTEXT: ${{ toJSON(github) }}
    run: echo "${GITHUB_CONTEXT}" || true

  - &deleteDraftGitHubRelease
    name: Delete draft GitHub release
    run: gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true
    env:
      <<: *gitHubCliEnvironment
      GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}

  - &isDraftPullRequest # check both the github context (static) and via the gh cli (dynamic)
    name: Check if PR is draft
    id: is_draft_pr
    env:
      <<: *gitHubCliEnvironment
    run: |
      if gh pr view ${{ github.event.pull_request.number }} --json isDraft | jq -e '.isDraft == true'
      then
        echo "result=true" >> $GITHUB_OUTPUT
      else
        echo "result=false" >> $GITHUB_OUTPUT
      fi

  - &jsonArrayBuilder
    name: Build JSON array from comma-separated list
    id: to_json_array
    uses: kanga333/json-array-builder@c7cd9d3a8b17cd368e9c2210bc3c16b0e2714ce5 # v0.2.1
    with:
      cmd: bash -c "echo $INPUT | tr -d '[:space:]'"
      separator: ","

  - &newlineListBuilder
    name: Build newline-separated list from JSON array
    id: to_newline_list
    run: |
      build="$(echo "${{ join(fromJSON(env.INPUT),' ') }}" | tr " " "\n")"
      DELIMITER=$(echo $RANDOM | md5sum | head -c 32)
      echo "build<<${DELIMITER}" >> $GITHUB_OUTPUT
      echo "${build}" >> $GITHUB_OUTPUT
      echo "${DELIMITER}" >> $GITHUB_OUTPUT

  - &dockerPlatformSlugMap
    PLATFORM_SLUG_MAP: >
      {
        "linux/386": "i386",
        "linux/amd64": "amd64",
        "linux/arm64": "arm64v8",
        "linux/arm/v7": "arm32v7",
        "linux/arm/v6": "arm32v6",
        "linux/arm/v5": "arm32v5",
        "linux/s390x": "s390x",
        "linux/mips64le": "mips64le",
        "linux/ppc64le": "ppc64le",
        "linux/riscv64": "riscv64",
        "windows/amd64": "windows-amd64"
      }

  - &sanitizeDockerStrings
    name: Sanitize docker strings
    id: strings
    env:
      <<: *dockerPlatformSlugMap
      TARGET: ${{ matrix.target }}
      PLATFORM: ${{ matrix.platform }}
      IMAGE: ${{ matrix.image }}
    run: |
      target_slug="$(echo "${TARGET}" | sed 's/[^[:alnum:]]/-/g')"

      if [ -n "${TARGET}" ] && [ -z "${target_slug}" ]
      then
        echo "::error::Unsupported platform: ${TARGET}"
      fi

      if [ "${TARGET}" != "default" ]
      then
        if [ "${{ inputs.docker_invert_tags }}" = "true" ]
        then
          prefix_slug="${target_slug}-"
        else
          suffix_slug="-${target_slug}"
        fi
      fi

      platform_slug="$(jq -cr --arg platform "${PLATFORM}" '.[$platform] // ""' <<< "${PLATFORM_SLUG_MAP}")"

      if [ -n "${PLATFORM}" ] && [ -z "${platform_slug}" ]
      then
        echo "::error::Unsupported platform: ${PLATFORM}"
      fi

      if [ -n "${IMAGE}" ]
      then
        if [[ "${IMAGE}" =~ ^(.*\/)?([^\/]+)\/([^\/\:]+)(\:.+)?$ ]]
        then
          image_slug="${IMAGE}"
        else
          image_slug="docker.io/${IMAGE}"
        fi
      fi

      echo "image=${image_slug}" >> $GITHUB_OUTPUT
      echo "target=${target_slug}" >> $GITHUB_OUTPUT
      echo "platform=${platform_slug}" >> $GITHUB_OUTPUT
      echo "prefix=${prefix_slug}" >> $GITHUB_OUTPUT
      echo "suffix=${suffix_slug}" >> $GITHUB_OUTPUT

  - &dockerTestMetadata # https://github.com/docker/metadata-action
    name: Generate docker metadata
    id: test_meta
    uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4
    with: &dockerTestMetaWith
      images: |
        sut
        localhost:5000/sut
        ${{ needs.is_docker.outputs.docker_images_crlf }}
      labels: |
        org.opencontainers.image.version=${{ steps.version_tag.outputs.semver }}
        org.opencontainers.image.ref.name=${{ matrix.target }}
      tags: |
        type=raw,value=${{ github.event.pull_request.head.sha }}
        type=raw,value=build-${{ github.event.pull_request.head.sha }}
        type=raw,value=build-${{ github.event.pull_request.head.ref }}
      flavor: |
        latest=true
        prefix=${{ steps.strings.outputs.prefix }}
        suffix=${{ steps.strings.outputs.suffix }}

  - &dockerDraftMetadata
    <<: *dockerTestMetadata
    id: draft_meta
    with:
      <<: *dockerTestMetaWith
      images: |
        ${{ matrix.image }}
      flavor: |
        latest=false
        prefix=${{ steps.strings.outputs.prefix }}
        suffix=${{ steps.strings.outputs.suffix }}

  - &dockerFinalMetadata
    <<: *dockerTestMetadata
    id: final_meta
    with:
      <<: *dockerTestMetaWith
      images: |
        ${{ matrix.image }}
      # for unversioned merges we will use the base branch as the tag
      # and version tag and semver will be empty
      tags: |
        type=raw,value=${{ github.base_ref || github.ref_name }}
        type=raw,value=${{ steps.version_tag.outputs.tag }}
        type=raw,value=${{ steps.version_tag.outputs.semver }}
      flavor: |
        latest=${{ steps.version_tag.outputs.semver != '' }}
        prefix=${{ steps.strings.outputs.prefix }},onlatest=true
        suffix=${{ steps.strings.outputs.suffix }},onlatest=true

  - &rejectConflictingSecrets
    name: Check secrets
    run: |
      if [ -z '${{ secrets.FLOWZONE_TOKEN }}${{ secrets.GH_APP_PRIVATE_KEY }}' ]
      then
        echo '::error::Must specify either GH_APP_PRIVATE_KEY or FLOWZONE_TOKEN.'
        false
      fi

  - &rejectFailedJobs
    name: Reject failed jobs
    run: |
      if [ "${{ contains(needs.*.result, 'failure') }}" = "true" ]
      then
        echo "One or more jobs have failed"
        exit 1
      fi

  - &rejectCancelledJobs
    name: Reject cancelled jobs
    run: |
      if [ "${{ contains(needs.*.result, 'cancelled') }}" = "true" ]
      then
        echo "One or more jobs were cancelled"
        exit 1
      fi

  - &rejectExternalPullRequest
    name: Reject external pull_request events
    if: |
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name != github.repository
    run: |
      echo "::error:External workflows can not be used with `pull_request` events. \
        Please contact a member of the organization for assistance."
      exit 1

  - &rejectInternalPullRequestTarget
    name: Reject external pull_request events
    if: |
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.head.repo.full_name == github.repository
    run: |
      echo "::error:Internal workflows should not be used with `pull_request_target` events. \
        Please consult the documentation for more information."
      exit 1

  - &rejectSelfHostedRunners
    name: Reject self-hosted runners
    if: |
      github.event.pull_request.head.repo.full_name != github.repository &&
      (
        contains(fromJSON(inputs.runs_on), 'self-hosted') ||
        contains(fromJSON(inputs.custom_runs_on), 'self-hosted') ||
        contains(fromJSON(inputs.custom_runs_on).*, 'self-hosted') ||
        contains(fromJSON(inputs.docker_runs_on).*, 'self-hosted')
      )
    run: |
      echo "::error:External workflows can not be used with self-hosted runners. \
        Please contact a member of the organization for assistance."
      exit 1

  - &setupQemuBinfmt # https://github.com/docker/setup-qemu-action
    name: Setup QEMU
    uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
    if: contains(matrix.runs_on, 'self-hosted') != true
    with:
      platforms: all
      # https://hub.docker.com/r/tonistiigi/binfmt
      image: tonistiigi/binfmt:qemu-v6.2.0

  - &setupBuildx # https://github.com/docker/setup-buildx-action
    name: Setup buildx
    uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
    with:
      driver-opts: network=host
      install: true

  - &setupCrane # https://github.com/imjasonh/setup-crane
    uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
    with:
      version: v0.14.0

  # If there are no existing protections an empty object will be returned
  - &getBranchProtectionRules
    name: Get branch protection rules
    id: branch_protection
    env:
      <<: *gitHubCliEnvironment
      GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
    run: |
      result="$(gh api "${BRANCH_PROTECTION_URI}" --jq '.' ; exit=$?)"

      if [[ "${exit}" -gt 0 ]]
      then
        message="$(echo "${result}" | jq -r '.message // ""')"
        case "${message}" in
          "Branch not Found"|"Branch not protected")
            echo  "::warning::Failed to get branch protection rules ${message} ${result}"
            exit 0
            ;;
          *)
            echo  "::error::Failed to get branch protection rules ${message} ${result}"
            exit 1
            ;;
        esac
      fi

      echo "json=${result}" >> $GITHUB_OUTPUT

      echo "required_status_checks__strict=$(jq -cr '.required_status_checks.strict // true' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_status_checks__contexts=$(jq -cr '.required_status_checks.contexts // []' <<< "${result}")" >> $GITHUB_OUTPUT

      echo "required_pull_request_reviews__required_approving_review_count=$(jq -cr '.required_pull_request_reviews.required_approving_review_count // 0' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_pull_request_reviews__dismiss_stale_reviews=$(jq -cr '.required_pull_request_reviews.dismiss_stale_reviews // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_pull_request_reviews__require_code_owner_reviews=$(jq -cr '.required_pull_request_reviews.require_code_owner_reviews // false' <<< "${result}")" >> $GITHUB_OUTPUT

      echo "required_pull_request_reviews__dismissal_restrictions__users=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.users // []' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_pull_request_reviews__dismissal_restrictions__teams=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.teams // []' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_pull_request_reviews__dismissal_restrictions__apps=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.apps // []' <<< "${result}")" >> $GITHUB_OUTPUT

      echo "required_linear_history__enabled=$(jq -cr '.required_linear_history.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "allow_force_pushes__enabled=$(jq -cr '.allow_force_pushes.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "allow_deletions__enabled=$(jq -cr '.allow_deletions.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_conversation_resolution__enabled=$(jq -cr '.required_conversation_resolution.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "required_signatures__enabled=$(jq -cr '.required_signatures.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "enforce_admins__enabled=$(jq -cr '.enforce_admins.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
      echo "block_creations__enabled=$(jq -cr '.block_creations.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT

name: Flowzone

on:
  workflow_call:
    secrets:
      # https://github.com/organizations/product-os/settings/secrets/actions/GH_APP_PRIVATE_KEY
      GH_APP_PRIVATE_KEY:
        description: "GitHub App to generate ephemeral access tokens"
        required: false
      FLOWZONE_TOKEN:
        description: ".. or Personal Access Token (PAT) with admin/owner permissions in the org."
        required: false
      GPG_PRIVATE_KEY:
        description: "GPG private key exported with `gpg --armor --export-secret-keys ...` to sign commits"
        required: false
      GPG_PASSPHRASE:
        description: "Passphrase to decrypt GPG private key"
        required: false
      NPM_TOKEN:
        description: "The npm auth token to use for publishing"
        required: false
      DOCKERHUB_USER:
        description: "Username to publish to the Docker Hub container registry"
        required: false
      DOCKER_REGISTRY_USER:
        description: "Deprecated, use DOCKERHUB_USER instead"
        required: false
      DOCKERHUB_TOKEN:
        description: "A personal access token to publish to the Docker Hub container registry"
        required: false
      DOCKER_REGISTRY_PASS:
        description: "Deprecated, use DOCKERHUB_TOKEN instead"
        required: false
      BALENA_API_KEY:
        description: "API key for pushing releases to balena applications"
        required: false
      BALENA_API_KEY_PUSH:
        description: "Deprecated, use BALENA_API_KEY instead"
        required: false
      CARGO_REGISTRY_TOKEN:
        description: "A personal access token to publish to a cargo registry"
        required: false
      COMPOSE_VARS:
        description: "Optional base64 encoded docker-compose `.env` file for testing Docker images"
        required: false
      CF_ACCOUNT_ID:
        description: "Cloudflare account ID"
        required: false
      CF_API_TOKEN:
        description: "Cloudflare API token with limited access for Pages projects"
        required: false
      CUSTOM_JOB_SECRET_1:
        description: "Optional secret for using with custom jobs"
        required: false
      CUSTOM_JOB_SECRET_2:
        description: "Optional secret for using with custom jobs"
        required: false
      CUSTOM_JOB_SECRET_3:
        description: "Optional secret for using with custom jobs"
        required: false

    inputs:
      app_id:
        description: "GitHub App id to impersonate"
        type: string
        required: false
        # https://github.com/organizations/product-os/settings/apps/flowzone-app
        # https://github.com/organizations/product-os/settings/variables/actions/APP_ID
        default: "${{ vars.APP_ID || '291899' }}"
      # not needed if installed on this current org/repo
      installation_id:
        description: "GitHub App installation id"
        type: string
        required: false
        # https://github.com/organizations/product-os/settings/installations
        # https://github.com/organizations/product-os/settings/variables/actions/INSTALLATION_ID
        default: "${{ vars.INSTALLATION_ID || '34040165' }}"
      token_scope:
        description: "Ephemeral token scope(s)"
        type: string
        required: false
        # https://github.com/organizations/product-os/settings/installations/34040165
        # https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-scoped-access-token
        default: >-
          {
            "actions": "read",
            "administration": "write",
            "checks": "read",
            "contents": "write",
            "members": "read",
            "metadata": "read",
            "organization_secrets": "read",
            "packages": "write",
            "pages": "write",
            "pull_requests": "read",
            "secrets": "read",
            "statuses": "read",
            "workflows": "read"
          }
      jobs_timeout_minutes:
        description: "Timeout for the job(s)."
        type: number
        required: false
        default: 360
      working_directory:
        description: "GitHub actions working directory"
        type: string
        required: false
        default: "."
      docker_images:
        description: "Comma-delimited string of Docker images (without tags) to publish (skipped if empty)"
        type: string
        required: false
        default: ""
      bake_targets:
        description: "Comma-delimited string of Docker buildx bake targets to publish (skipped if empty)"
        type: string
        required: false
        default: "default"
      docker_invert_tags:
        description: "Invert the tags for the Docker images (e.g. `{tag}-{variant}` becomes `{variant}-{tag}`)"
        type: boolean
        required: false
        default: false
      docker_publish_platform_tags:
        description: "Publish platform-specific tags in addition to multi-arch manifests (e.g. `product-os/flowzone:latest-amd64`)"
        type: boolean
        required: false
        default: false
      balena_environment:
        description: "balenaCloud environment"
        type: string
        required: false
        default: balena-cloud.com
      balena_slugs:
        description: "Comma-delimited string of balenaCloud apps, fleets, or blocks to deploy (skipped if empty)"
        type: string
        required: false
        default: ""
      cargo_targets:
        description: "Comma-delimited string of Rust stable targets to publish (skipped if empty)"
        type: string
        required: false
        default: |
          aarch64-unknown-linux-gnu,
          armv7-unknown-linux-gnueabihf,
          arm-unknown-linux-gnueabihf,
          x86_64-unknown-linux-gnu,
          i686-unknown-linux-gnu
      rust_toolchain:
        description: "Version specifier (e.g. 1.65, stable, nigthly) for the toolchain to use when building Rust sources"
        type: string
        required: false
        default: stable
      rust_binaries:
        description: "Set to true to publish Rust binary release artifacts to GitHub"
        type: boolean
        required: false
        default: false
      repo_config:
        description: "Set to true to standardise repository settings after a successful run"
        type: boolean
        required: false
        default: false
      repo_allow_forking:
        description: "Allow forking of an organization repository"
        type: boolean
        required: false
        default: true
      repo_default_branch:
        description: "Set the default branch name for the repository"
        type: string
        required: false
        default: master
      repo_delete_branch_on_merge:
        description: "Delete head branch when pull requests are merged"
        type: boolean
        required: false
        default: true
      repo_allow_update_branch:
        description: "Always suggest updating pull request branches"
        type: boolean
        required: false
        default: true
      repo_description:
        description: "Description of the repository"
        type: string
        required: false
        default: ""
      repo_homepage:
        description: "Repository home page URL"
        type: string
        required: false
        default: ""
      repo_enable_auto_merge:
        description: "Enable auto-merge functionality"
        type: boolean
        required: false
        default: true
      repo_enable_issues:
        description: "Enable issues in the repository"
        type: boolean
        required: false
        default: true
      repo_enable_merge_commit:
        description: "Enable merging pull requests via merge commit"
        type: boolean
        required: false
        default: true
      repo_enable_projects:
        description: "Enable projects in the repository"
        type: boolean
        required: false
        default: false
      repo_enable_rebase_merge:
        description: "Enable merging pull requests via rebase"
        type: boolean
        required: false
        default: false
      repo_enable_squash_merge:
        description: "Enable merging pull requests via squashed commit"
        type: boolean
        required: false
        default: false
      repo_enable_wiki:
        description: "Enable wiki in the repository"
        type: boolean
        required: false
        default: false
      repo_visibility:
        description: "Change the visibility of the repository to {public,private,internal}"
        type: string
        required: false
        default: default
      disable_versioning:
        description: "Set to true to disable automatic versioning"
        type: boolean
        required: false
        default: false
      job_name:
        description: "The name of the job, necessary for branch protection if not using the default of 'Flowzone'"
        type: string
        required: false
        default: "Flowzone"
      checkout_fetch_depth:
        description: "Configures the depth of the actions/checkout git fetch."
        type: number
        required: false
        default: 1
      tests_run_on:
        description: "Deprecated, use 'custom_runs_on' input instead."
        type: string
        required: false
        default: ""
      runs_on:
        description: "JSON array of runner label strings for generic jobs."
        type: string
        required: false
        default: >
          [
            "ubuntu-22.04"
          ]
      custom_runs_on:
        description: "JSON 2-dimensional matrix of runner label strings for custom jobs."
        type: string
        required: false
        default: >
          [
            ["ubuntu-22.04"]
          ]
      docker_runs_on:
        description: "JSON key-value pairs mapping platforms to arrays of runner labels. Unlisted platforms will use `runs_on`."
        type: string
        required: false
        default: "{}"
      cloudflare_website:
        description: "Setting this to your existing CF pages project name will generate and deploy a website. Skipped if empty."
        type: string
        required: false
        default: ""
      docusaurus_website:
        description: "Set to false to disable building a docusaurus website. If false the script `npm run deploy-docs` will be run if it exists."
        type: boolean
        required: false
        default: true
      github_prerelease:
        description: "Finalize releases on merge."
        type: boolean
        required: false
        default: false
      restrict_custom_actions:
        description: "Do not execute custom actions for external contributors. Only remove this restriction if custom actions have been vetted as secure."
        type: boolean
        required: false
        default: true
      custom_test_matrix:
        description: "Comma-delimited string of values that will be passed to the custom test action."
        type: string
        required: false
        default: ""
      custom_publish_matrix:
        description: "Comma-delimited string of values that will be passed to the custom publish action."
        type: string
        required: false
        default: ""
      custom_finalize_matrix:
        description: "Comma-delimited string of values that will be passed to the custom finalize action."
        type: string
        required: false
        default: ""
      protect_branch:
        description: "Set to false to disable updating branch protection rules after a successful run."
        type: boolean
        required: false
        default: true
      required_approving_review_count:
        description: "Count of GitHub approved reviews required for Pull Requests to be merged. Set to 0 if using palantir/policy-bot for PR merge conditions."
        type: string
        required: false
        default: "0"
      required_status_checks:
        description: "JSON array of status checks that must pass before a Pull Requests can be merged. Skipped if `protect_branch` is false."
        type: string
        required: false
        default: >
          [
            "Flowzone / All tests",
            "Flowzone / All jobs",
            "policy-bot: ${{ github.event.repository.default_branch }}"
          ]
      toggle_auto_merge:
        description: "Set to false to disable toggling auto-merge on PRs."
        type: boolean
        required: false
        default: true

# https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: flowzone-${{ github.ref }}
  # cancel jobs in progress as long as it's not a merged PR
  cancel-in-progress: ${{ github.ref != github.base_ref }}

env:
  NPM_REGISTRY: "https://registry.npmjs.org"
  CARGO_REGISTRY: crates.io

jobs:
  is_pr_open:
    name: Is PR Open
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    if: |
      (
        github.event_name == 'pull_request' ||
        github.event_name == 'pull_request_target'
      ) && (
        github.event.action == 'opened' ||
        github.event.action == 'synchronize'
      )
    steps:
      - *rejectExternalPullRequest
      - *rejectInternalPullRequestTarget
      - *rejectConflictingSecrets
      - *rejectExternalWorkflowChanges
      - *rejectSelfHostedRunners
      - *logGitHubContext

  # in our context closed does not include merged
  is_pr_closed:
    name: Is PR Closed
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    if: |
      (
        github.event_name == 'pull_request' ||
        github.event_name == 'pull_request_target'
      ) && (
        github.event.action == 'closed' &&
        github.event.pull_request.merged == false
      )
    steps:
      - *rejectExternalPullRequest
      - *rejectInternalPullRequestTarget
      - *rejectConflictingSecrets
      - *rejectExternalWorkflowChanges
      - *rejectSelfHostedRunners
      - *logGitHubContext

  is_pr_merged:
    name: Is PR Merged
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    if: |
      (
        github.event_name == 'pull_request' ||
        github.event_name == 'pull_request_target'
      ) && (
        github.event.action == 'closed' &&
        github.event.pull_request.merged == true
      )
    steps:
      - *rejectExternalPullRequest
      - *rejectInternalPullRequestTarget
      - *rejectConflictingSecrets
      - *logGitHubContext

  is_pushed_tag:
    name: Is Pushed Tag
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    steps:
      - *rejectConflictingSecrets
      - *logGitHubContext

  versioned_source:
    name: Versioned source
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_pr_merged
      - is_pushed_tag
    if: |
      !failure() && !cancelled() && (
        needs.is_pushed_tag.result == 'success' ||
        needs.is_pr_open.result == 'success' ||
        needs.is_pr_merged.result == 'success'
      )

    <<: *rootWorkingDirectory

    outputs:
      tag: ${{ steps.versionist.outputs.tag || steps.version_tag.outputs.tag }}
      semver: ${{ steps.versionist.outputs.semver || steps.version_tag.outputs.semver }}

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *checkoutMergeBranch
      - *checkoutSha

      # fail on merge commits (ones with more than one parent)
      - name: Reject merge commits
        run: |
          if [ "$(git cat-file -p ${{ github.event.pull_request.head.sha || github.event.head_commit.id }} | grep '^parent ' | wc -l)" -gt 1 ]
          then
            echo "::error::Latest commit appears to be a merge, which is currently unsupported. Try a rebase instead."
            exit 1
          fi

      - name: Import GPG key for signing commits
        if: inputs.disable_versioning != true
        id: import-gpg
        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          git_config_global: true
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Install versionist
        if: inputs.disable_versioning != true
        run: |
          npm install -g balena-versionist@0.14.12 versionist@6.9.2

      - name: Generate changelog
        if: inputs.disable_versioning != true
        env:
          GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          if [ ! -f .versionbot/CHANGELOG.yml ]
          then
            (cd ${{ runner.temp }}

            wget https://github.com/mikefarah/yq/releases/download/3.0.1/yq_linux_amd64 -O yq
            echo "a1097c74b81a2ef255583d9718bf4be6  yq" | md5sum -c -
            chmod +x yq

            PATH="${PWD}:${PATH}" $(npm root -g)/versionist/scripts/generate-changelog.sh "${GITHUB_WORKSPACE}"
            )
          fi

      # run balena-versionist
      # print the error if anything fails
      # fail the workflow if the error is anything other than "No such file or directory"
      - name: Run versionist
        if: inputs.disable_versioning != true
        id: versionist
        env:
          GITHUB_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          out="$(balena-versionist 2>&1)"
          error="$(awk '/Error:/{getline; print}' <<< "${out}")"

          case ${error} in
            "") # no error
              ;;
            'No such file or directory'*)
              echo "::error::${error}"
              ;;
            *)
              echo "::error::${error}"
              exit 1
              ;;
          esac

          git status --porcelain

          versions=()
          [ -f .versionbot/CHANGELOG.yml ] && versions+=($(yq e '.[0].version' .versionbot/CHANGELOG.yml))
          semver="${versions[0]}"

          echo "semver=${semver}" >> $GITHUB_OUTPUT
          echo "tag=v${semver}" >> $GITHUB_OUTPUT

      # create a versioned commit
      - name: Create versioned commit
        if: inputs.disable_versioning != true
        env:
          GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
          GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
          GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
          GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
          TAG: ${{ steps.versionist.outputs.tag }}
        run: |
          git add --all
          git commit -m "${TAG}"
          git tag -a "${TAG}" -m "${TAG}" -f
          git show -1
          git log -n 2

      - *getVersionTag

      # push the versioned commit only if the PR is merged
      - name: Push versioned commit
        if: inputs.disable_versioning != true && needs.is_pr_merged.result == 'success'
        continue-on-error: true
        run: |
          git push origin HEAD:refs/heads/${{ github.base_ref }}
          # We push the tag separately so that it is only pushed if the commit push succeed, this avoids
          # issues if something else updates the main branch whilst we're running and causes us to push
          # the tag successfully but not the main branch and breaks future versioning attempts
          git push origin "refs/tags/${{ steps.versionist.outputs.tag }}"

      # https://github.com/actions/upload-artifact#maintaining-file-permissions-and-case-sensitive-files
      - name: Compress source
        run: tar -acvf ${{ runner.temp }}/source.tgz .

      - name: Upload artifact
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
        with:
          name: source-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
          path: ${{ runner.temp }}/source.tgz
          retention-days: 1

  # check if the repository has a package.json file and which engine versions are supported
  is_npm:
    name: Is npm
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success'

    <<: *customWorkingDirectory

    outputs:
      npm: ${{ steps.npm.outputs.enabled }}
      has_npm_lockfile: ${{ steps.npm_lock.outputs.has_npm_lockfile }}
      npm_private: ${{ steps.npm.outputs.private }} # can be null or unset
      npm_docs: ${{ steps.npm.outputs.docs }} # can be null or unset
      node_versions: ${{ steps.node_versions.outputs.json }}
      npm_access: ${{ steps.access.outputs.access }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Check for package.json
        id: npm
        run: |
          if test -f "package.json"
          then
            echo "found package.json"
            echo "enabled=true" >> $GITHUB_OUTPUT
            echo "private=$(jq -r '.private' package.json)" >> $GITHUB_OUTPUT
            echo "docs=$(jq -r '.scripts | has("doc")' package.json)" >> $GITHUB_OUTPUT
            echo "NODE_VERSIONS=[]" >> $GITHUB_ENV
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi

      - name: Check for package locks
        id: npm_lock
        run: |
          has_npm_lockfile="$([ -e package-lock.json ] || [ -e npm-shrinkwrap.json ] && echo true || echo false)"
          echo "has_npm_lockfile=${has_npm_lockfile}" >> $GITHUB_OUTPUT

      - name: Set access
        id: access
        run: |
          access="public"
          if [ "${{ github.event.repository.private }}" = "true" ]
          then
            access="restricted"
          fi
          echo "access=${access}" >> $GITHUB_OUTPUT

      # check which past and current and future Node.js LTS releases meet the engine requirements
      # if there are no engine requirements then the current LTS will be used

      - name: Setup Node.js 12.x
        if: steps.npm.outputs.enabled == 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: 12.x
      - name: Check engine
        if: steps.npm.outputs.enabled == 'true'
        run: |
          if npx -q -y -- check-engine
          then
            echo "NODE_VERSIONS=$(echo "${NODE_VERSIONS}" | jq -c '. + ["12.x"]')" >> $GITHUB_ENV
          fi

      - name: Setup Node.js 14.x
        if: steps.npm.outputs.enabled == 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: 14.x
      - name: Check engine
        if: steps.npm.outputs.enabled == 'true'
        run: |
          if npx -q -y -- check-engine
          then
            echo "NODE_VERSIONS=$(echo "${NODE_VERSIONS}" | jq -c '. + ["14.x"]')" >> $GITHUB_ENV
          fi

      - name: Setup Node.js 16.x
        if: steps.npm.outputs.enabled == 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: 16.x
      - name: Check engine
        if: steps.npm.outputs.enabled == 'true'
        run: |
          if npx -q -y -- check-engine
          then
            echo "NODE_VERSIONS=$(echo "${NODE_VERSIONS}" | jq -c '. + ["16.x"]')" >> $GITHUB_ENV
          fi

      - name: Setup Node.js 18.x
        if: steps.npm.outputs.enabled == 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: 18.x
      - name: Check engine
        if: steps.npm.outputs.enabled == 'true'
        run: |
          if npx -q -y -- check-engine
          then
            echo "NODE_VERSIONS=$(echo "${NODE_VERSIONS}" | jq -c '. + ["18.x"]')" >> $GITHUB_ENV
          fi

      # default to the current LTS version if none were matched
      # by the engine checks above
      - name: Set Node.js versions
        if: steps.npm.outputs.enabled == 'true'
        id: node_versions
        run: |
          echo "json=[\"16.x\"]" >> $GITHUB_OUTPUT
          if [ "${NODE_VERSIONS}" != "[]" ]
          then
            echo "json=${NODE_VERSIONS}" >> $GITHUB_OUTPUT
          fi

  # pre-process any docker-compose and docker-bake files
  is_docker:
    name: Is docker
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success'

    <<: *customWorkingDirectory

    outputs:
      docker_images: ${{ steps.docker_images_json.outputs.build }}
      docker_images_crlf: ${{ steps.docker_images_crlf.outputs.build }}
      docker_compose_tests: ${{ steps.docker_compose_tests.outputs.found }}
      bake_targets: ${{ steps.bake_targets_json.outputs.build }}
      docker_bake_json: ${{ steps.docker_bake.outputs.json }}
      docker_test_matrix: ${{ steps.docker_test.outputs.build }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - id: docker_images_json
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.docker_images }}

      - id: docker_images_crlf
        <<: *newlineListBuilder
        env:
          INPUT: ${{ steps.docker_images_json.outputs.build }}

      - id: bake_targets_json
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.bake_targets }}

      - name: Check for docker compose test files
        id: docker_compose_tests
        run: |
          if [ -n "$(ls docker-compose.test.{yml,yaml} 2>/dev/null)" ]
          then
            echo "found=true" >> $GITHUB_OUTPUT
          else
            echo "found=false" >> $GITHUB_OUTPUT
          fi

      - name: Setup buildx
        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
        with:
          # pin to a known working version because v0.10.x will
          # create a group called "default" that does not contain multiple targets
          version: v0.9.1

      # generate a custom bake json string from the provided bake targets and any discovered bake files
      # https://docs.docker.com/build/customize/bake/file-definition/#json-definition
      # in this custom bake json we also set some default cache values, and inherit the docker-metadata-action
      - name: Pre-process Docker bake files
        id: docker_bake
        if: |
          join(fromJSON(steps.docker_images_json.outputs.build)) != '' ||
          steps.docker_compose_tests.outputs.found == 'true'
        env:
          BAKE_FILE: /tmp/docker-bake.json
        run: |
          if [ -n "$(ls docker-bake{.override,}.{json,hcl} 2>/dev/null)" ]
          then
            files="$(echo $(ls -1 docker-bake{.override,}.{json,hcl} 2>/dev/null) | sed 's/ / -f /')"
          else
            echo '${{ steps.bake_targets_json.outputs.build }}' | jq -s '{target: (map({(.[]):{}}))}' > ${BAKE_FILE}
            files="${BAKE_FILE}"
          fi

          # log merged files and targets
          docker buildx bake --print ${{ join(fromJSON(steps.bake_targets_json.outputs.build),' ') }} -f ${files}

          json="$(docker buildx bake --print ${{ join(fromJSON(steps.bake_targets_json.outputs.build),' ') }} -f ${files} \
            | jq -cr '
              .target |= map_values(."inherits" += ["docker-metadata-action"]) |
              .target |= map_values(."platforms" //= ["linux/amd64"]) |
              del(.group."default") |
              if .group == {} then del(.group) else . end
            ')"

          echo "json=${json}">> $GITHUB_OUTPUT

      - name: Build docker test matrix
        id: docker_test
        if: steps.docker_bake.outputs.json != ''
        env:
          BAKE_JSON: "${{ steps.docker_bake.outputs.json }}"
          RUNS_ON: "${{ inputs.runs_on }}"
          DOCKER_RUNS_ON: "${{ inputs.docker_runs_on }}"
        run: |
          matrix="$(jq -cr '.target | to_entries |
            {include: map(.value.platforms[] as $p |
            {target: .key, platform: $p}
          )}' <<< "${BAKE_JSON}")"

          matrix="$(jq -cr --argjson in "$DOCKER_RUNS_ON" --argjson default "$RUNS_ON" '.include |=
            map(.platform as $p |
            .runs_on = if ($in | has($p)) then $in[$p] else $default end)' <<< "${matrix}")"

          echo "build=${matrix}">> $GITHUB_OUTPUT

  is_python:
    name: Is python
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success'

    <<: *customWorkingDirectory

    outputs:
      python_poetry: ${{ steps.python_poetry.outputs.enabled }}
      python_versions: ${{ steps.python_versions.outputs.json }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Check for Python Poetry pyproject.toml
        id: python_poetry
        run: |
          if test -f "pyproject.toml"
          then
            echo "found pyproject.toml"
            if grep 'build-backend.*poetry' pyproject.toml
            then
              echo "Poetry used"
              echo "enabled=true" >> $GITHUB_OUTPUT
              echo "PYTHON_VERSIONS=[]" >> $GITHUB_ENV
            else
              echo "Poetry not used"
              echo "enabled=false" >> $GITHUB_OUTPUT
            fi
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi

      # Check which Python 3.7+ versions meet the Poetry project requirements
      - name: Install Poetry
        if: steps.python_poetry.outputs.enabled == 'true'
        run: |
          pipx install poetry

      - name: Set up Python 3.7
        if: steps.python_poetry.outputs.enabled == 'true'
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: "3.7"

      - name: Check compatibility
        if: steps.python_poetry.outputs.enabled == 'true'
        run: |
          error_check=`(poetry env use 3.7 2>&1 || true)`
          if ! grep -q "Please choose a compatible version" <<< $error_check
          then
            echo "PYTHON_VERSIONS=$(echo "${PYTHON_VERSIONS}" | jq -c '. + ["3.7"]')" >> $GITHUB_ENV
          else
            echo "Python 3.7 does not meet project requirements."
          fi

      - name: Set up Python 3.8
        if: steps.python_poetry.outputs.enabled == 'true'
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: "3.8"

      - name: Check compatibility
        if: steps.python_poetry.outputs.enabled == 'true'
        run: |
          error_check=`(poetry env use 3.8 2>&1 || true)`
          if ! grep -q "Please choose a compatible version" <<< $error_check
          then
            echo "PYTHON_VERSIONS=$(echo "${PYTHON_VERSIONS}" | jq -c '. + ["3.8"]')" >> $GITHUB_ENV
          else
            echo "Python 3.8 does not meet project requirements."
          fi

      - name: Set up Python 3.9
        if: steps.python_poetry.outputs.enabled == 'true'
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: "3.9"

      - name: Check compatibility
        if: steps.python_poetry.outputs.enabled == 'true'
        run: |
          error_check=`(poetry env use 3.9 2>&1 || true)`
          if ! grep -q "Please choose a compatible version" <<< $error_check
          then
            echo "PYTHON_VERSIONS=$(echo "${PYTHON_VERSIONS}" | jq -c '. + ["3.9"]')" >> $GITHUB_ENV
          else
            echo "Python 3.9 does not meet project requirements."
          fi

      - name: Set up Python 3.10
        if: steps.python_poetry.outputs.enabled == 'true'
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: "3.10"

      - name: Check compatibility
        if: steps.python_poetry.outputs.enabled == 'true'
        run: |
          error_check=`(poetry env use 3.10 2>&1 || true)`
          if ! grep -q "Please choose a compatible version" <<< $error_check
          then
            echo "PYTHON_VERSIONS=$(echo "${PYTHON_VERSIONS}" | jq -c '. + ["3.10"]')" >> $GITHUB_ENV
          else
            echo "Python 3.10 does not meet project requirements."
          fi

      # default to the latest version (^3.7) on the runner
      # if none were matched by the checks above
      - name: Set Python versions
        if: steps.python_poetry.outputs.enabled == 'true'
        id: python_versions
        run: |
          echo "json=[\"\^3.7\"]" >> $GITHUB_OUTPUT
          if [ "${PYTHON_VERSIONS}" != "[]" ]
          then
            echo "json=${PYTHON_VERSIONS}" >> $GITHUB_OUTPUT
          fi

  # check for Cargo.toml in source
  is_cargo:
    name: Is rust
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success' &&
      inputs.cargo_targets != ''

    <<: *customWorkingDirectory

    outputs:
      cargo_targets: ${{ steps.cargo_targets.outputs.build }}
      cargo: ${{ steps.cargo_yml.outputs.enabled }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - id: cargo_targets
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.cargo_targets }}

      - name: Check Cargo.toml
        id: cargo_yml
        run: |
          if test -f "Cargo.toml"
          then
            echo "found Cargo.toml"
            echo "enabled=true" >> $GITHUB_OUTPUT
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi

  # check for balena.yml in source
  is_balena:
    name: Is balena
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success' &&
      inputs.balena_slugs != ''

    <<: *customWorkingDirectory

    outputs:
      balena_slugs: ${{ steps.balena_slugs.outputs.build }}
      balena_yml: ${{ steps.balena_yml.outputs.enabled }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - id: balena_slugs
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.balena_slugs }}

      - name: Check for balena.yml
        id: balena_yml
        run: |
          if test -f balena.yml
          then
            echo "found balena.yml"
            echo "enabled=true" >> $GITHUB_OUTPUT
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi

  # check for custom actions in source
  is_custom:
    name: Is custom
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success'

    <<: *rootWorkingDirectory

    outputs:
      custom_test: ${{ steps.custom.outputs.test }}
      custom_publish: ${{ steps.custom.outputs.publish }}
      custom_finalize: ${{ steps.custom.outputs.finalize }}
      custom_clean: ${{ steps.custom.outputs.clean }}
      custom_always: ${{ steps.custom.outputs.always }}

      custom_test_matrix: ${{ steps.custom_test_matrix.outputs.build }}
      custom_publish_matrix: ${{ steps.custom_publish_matrix.outputs.build }}
      custom_finalize_matrix: ${{ steps.custom_finalize_matrix.outputs.build }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - id: custom_test_matrix
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.custom_test_matrix }}

      - id: custom_publish_matrix
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.custom_publish_matrix }}

      - id: custom_finalize_matrix
        <<: *jsonArrayBuilder
        env:
          INPUT: ${{ inputs.custom_finalize_matrix }}

      - name: Check for custom actions
        # skip custom actions for external contributions by default
        if: github.event.pull_request.head.repo.full_name == github.repository || inputs.restrict_custom_actions == false
        id: custom
        run: |
          if [ -d .github/actions/test ]
          then
            echo "test=true" >> $GITHUB_OUTPUT
          fi
          if [ -d .github/actions/publish ]
          then
            echo "publish=true" >> $GITHUB_OUTPUT
          fi
          if [ -d .github/actions/finalize ]
          then
            echo "finalize=true" >> $GITHUB_OUTPUT
          fi
          if [ -d .github/actions/clean ]
          then
            echo "clean=true" >> $GITHUB_OUTPUT
          fi
          if [ -d .github/actions/always ]
          then
            echo "always=true" >> $GITHUB_OUTPUT
          fi

  is_website:
    name: Is website
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - versioned_source
    if: |
      !failure() && !cancelled() &&
      needs.versioned_source.result == 'success' &&
      inputs.cloudflare_website != ''

    <<: *customWorkingDirectory

    outputs:
      has_readme: ${{ steps.has_readme.outputs.enabled }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      # Check if we have at least a README to build a website from
      - name: Check for README for building a website
        id: has_readme
        run: |
          if test -e "README.md"
          then
            echo "found README.md"
            echo "enabled=true" >> $GITHUB_OUTPUT
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
          fi

  ###################################################
  ## npm
  ###################################################

  npm_test:
    name: Test npm
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_npm
      - is_pr_open
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      needs.is_npm.outputs.npm == 'true'

    <<: *customWorkingDirectory

    strategy:
      fail-fast: false
      matrix:
        node_version: ${{ fromJSON(needs.is_npm.outputs.node_versions) }}

    outputs:
      package: ${{ steps.meta.outputs.package }}
      version: ${{ steps.meta.outputs.version }}
      branch_tag: ${{ steps.meta.outputs.branch_tag }}
      sha_tag: ${{ steps.meta.outputs.sha_tag }}
      version_tag: ${{ steps.meta.outputs.version_tag }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Setup Node.js - Cached
        if: needs.is_npm.outputs.has_npm_lockfile == 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: "${{ matrix.node_version }}"
          registry-url: "${{ env.NPM_REGISTRY }}"
          cache: "npm"

      - name: Setup Node.js
        if: needs.is_npm.outputs.has_npm_lockfile != 'true'
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: "${{ matrix.node_version }}"
          registry-url: "${{ env.NPM_REGISTRY }}"

      - name: Generate metadata
        id: meta
        run: |
          package="$(jq -r '.name' package.json)"
          version="$(jq -r '.version' package.json)"
          branch_tag="$(echo 'build-${{ github.event.pull_request.head.ref }}' | sed 's/[^[:alnum:]]/-/g')"
          sha_tag="${branch_tag}-${{ github.event.pull_request.head.sha }}"
          version_tag="${version}-${branch_tag}-${{ github.event.pull_request.head.sha }}"

          echo "package=${package}" >> $GITHUB_OUTPUT
          echo "version=${version}" >> $GITHUB_OUTPUT
          echo "branch_tag=${branch_tag}" >> $GITHUB_OUTPUT
          echo "sha_tag=${sha_tag}" >> $GITHUB_OUTPUT
          echo "version_tag=${version_tag}" >> $GITHUB_OUTPUT

      - name: Install native dependencies (if necessary)
        run: |
          npm run flowzone-preinstall --if-present

      - name: Install dependencies
        # private npm dependencies will fail to install unless NODE_AUTH_TOKEN is set in the environment
        # but to avoid leaking secrets we would also have to disable all scripts, like preinstall and postinstall
        # so only public npm dependencies supported for now
        # env:
        #   # make sure to 'npm config set ignore-scripts true' to avoid leaking secrets
        #   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          runner_os="$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')"
          os_count="$(jq '.os | length' package.json)"
          index="$(jq --arg os "${runner_os}" '.os | index($os) | select( . != null )' package.json)"

          if [[ -n "$index" ]] || [[ "$os_count" -lt 1 ]]; then
              if [ ${{ needs.is_npm.outputs.has_npm_lockfile }} == 'true' ]; then
                npm ci
              else
                npm i
              fi
          else
              echo "${runner_os} is not supported in package.json"
          fi

      - name: Run build
        run: npm run build --if-present

      - name: Run tests
        run: npm test

      - name: Run pack
        if: needs.is_npm.outputs.npm_private != 'true'
        run: |
          mkdir ${{ runner.temp }}/npm-pack && npm pack --pack-destination=${{ runner.temp }}/npm-pack

          # FIXME: workaround when `npm pack` for npm 6.x dumps tarball into the current directory because it has no `--pack-destination` flag
          [[ "$(npm --version)" =~ ^6\..* ]] && find . -maxdepth 1 -name '*.tgz' -exec mv {} ${{ runner.temp }}/npm-pack \; || true

      - name: Upload artifact
        if: needs.is_npm.outputs.npm_private != 'true'
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
        with:
          name: npm-${{ github.event.pull_request.head.sha }}-${{ matrix.node_version }}
          path: ${{ runner.temp }}/npm-pack/*.tgz
          retention-days: 90

      - name: Generate docs (if present)
        if: needs.is_npm.outputs.npm_docs == 'true'
        shell: bash
        run: npm run doc

      - name: Compress docs
        if: needs.is_npm.outputs.npm_docs == 'true'
        run: tar -acvf ${{ runner.temp }}/docs.tgz ./docs

      - name: Upload artifact
        if: needs.is_npm.outputs.npm_docs == 'true'
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
        with:
          name: docs-${{ github.event.pull_request.head.sha }}-${{ matrix.node_version }}
          path: ${{ runner.temp }}/docs.tgz
          retention-days: 90

  npm_publish:
    name: Publish npm
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_npm
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.npm_test.result == 'success' &&
      needs.is_npm.outputs.npm_private != 'true'

    <<: *rootWorkingDirectory

    steps:
      - name: Download npm artifact
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
        with:
          path: ${{ runner.temp }}
          name: npm-${{ github.event.pull_request.head.sha }}-${{ fromJSON(needs.is_npm.outputs.node_versions)[0] }}

      - name: Setup Node.js
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          # use npm v9 or later as the access flag behaviour has changed
          # https://docs.npmjs.com/cli/v9/commands/npm-publish?access
          node-version: "18"
          registry-url: "${{ env.NPM_REGISTRY }}"

      # unpack the tarball provided by the tests so we can apply the draft version to package.json
      # before publishing
      - name: Publish draft release
        env:
          # make sure to 'npm config set ignore-scripts true' to avoid leaking secrets
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          npm config set ignore-scripts true

          pack="$(ls ${{ runner.temp }}/*.tgz | sort -t- -n -k3 | tail -n1)"
          tar xvf "${pack}"
          (cd package
            npm --loglevel=verbose --logs-max=0 --no-git-tag-version version ${{ needs.npm_test.outputs.version_tag }}-${{ github.run_attempt }} --allow-same-version
          )
          tar czvf "${pack}" package

          if [ ${{ github.run_attempt }} -gt  1 ]; then
            npm --loglevel=verbose --logs-max=0 unpublish ${{ needs.npm_test.outputs.package }}@${{ needs.npm_test.outputs.version_tag }}-$((${{ github.run_attempt }} - 1)) || true
          fi
          npm --loglevel=verbose --logs-max=0 publish --tag=${{ needs.npm_test.outputs.sha_tag }} "${pack}" --access="${{ needs.is_npm.outputs.npm_access }}"
          npm --loglevel=verbose --logs-max=0 dist-tag add ${{ needs.npm_test.outputs.package }}@${{ needs.npm_test.outputs.version_tag }}-${{ github.run_attempt }} ${{ needs.npm_test.outputs.branch_tag }}

  npm_finalize:
    name: Finalize npm
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_npm
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result &&
      needs.is_npm.outputs.npm == 'true' &&
      needs.is_npm.outputs.npm_private != 'true'

    <<: *rootWorkingDirectory

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken

      # https://github.com/dawidd6/action-download-artifact
      # TODO: what if this is a tag event and PR artifacts do not exist?
      - name: Download npm artifact from last run
        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2
        with:
          github_token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
          commit: ${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
          path: ${{ runner.temp }}
          workflow_conclusion: success
          name: npm-${{ github.event.pull_request.head.sha }}-${{ fromJSON(needs.is_npm.outputs.node_versions)[0] }}

      - name: Setup Node.js
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          # use npm v9 or later as the access flag behaviour has changed
          # https://docs.npmjs.com/cli/v9/commands/npm-publish?access
          node-version: "18"
          registry-url: "${{ env.NPM_REGISTRY }}"

      - name: Publish final release
        env:
          # make sure to 'npm config set ignore-scripts true' to avoid leaking secrets
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          npm config set ignore-scripts true
          pack="$(ls ${{ runner.temp }}/*.tgz | sort -t- -n -k3 | tail -n1)"
          npm --loglevel=verbose --logs-max=0 publish --tag "latest" "${pack}" --access="${{ needs.is_npm.outputs.npm_access }}"

  npm_docs_finalize:
    name: Finalize npm docs
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_npm
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result &&
      needs.is_npm.outputs.npm_docs == 'true'

    <<: *rootWorkingDirectory

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken

      # https://github.com/dawidd6/action-download-artifact
      # TODO: what if this is a tag event and PR artifacts do not exist?
      - name: Download npm docs artifact from last run
        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2
        with:
          github_token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
          commit: ${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
          path: ${{ runner.temp }}
          workflow_conclusion: success
          name: docs-${{ github.event.pull_request.head.sha }}-${{ fromJSON(needs.is_npm.outputs.node_versions)[0] }}

      - name: Extract docs artifact
        run: |
          docs="$(ls ${{ runner.temp }}/*.tgz | sort -t- -n -k3 | tail -n1)"
          tar -xvf "${docs}"

      - name: Publish generated docs to GitHub Pages
        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
        with:
          github_token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
          publish_dir: docs
          publish_branch: docs

  ###################################################
  ## docker
  ###################################################

  docker_test:
    name: Test docker
    runs-on: ${{ matrix.runs_on }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_docker
    if: |
      !failure() && !cancelled() &&
      needs.is_docker.result == 'success' &&
      needs.is_pr_open.result == 'success' &&
      needs.is_docker.outputs.docker_bake_json != ''

    <<: *customWorkingDirectory

    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.is_docker.outputs.docker_test_matrix) }}

    env:
      DOCKER_BUILDKIT: "1"

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *getVersionTag
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *sanitizeDockerStrings
      - *dockerTestMetadata
      - *setupQemuBinfmt
      - *setupBuildx

      # allow access to private base images for private repositories only
      # to avoid leaking secrets
      - <<:
          - *loginWithGitHubContainerRegistry
          - *ifPrivateRepository
      - <<:
          - *loginWithDockerHub
          - *ifPrivateRepository

      - name: Export common env vars
        run: |
          echo "DOCKER_BAKE_FILE=${{ runner.temp }}/docker-bake.json" >> $GITHUB_ENV
          echo "DOCKER_TAR=${{ runner.temp }}/docker.tar" >> $GITHUB_ENV

          echo "COMPOSE_PROJECT_NAME=${{ github.run_id }}" >> $GITHUB_ENV
          echo "COMPOSE_FILE=${{ runner.temp }}/docker-compose.yml" >> $GITHUB_ENV
          echo "COMPOSE_ENV_FILE=${{ runner.temp }}/.env" >> $GITHUB_ENV

      # these secrets are being used in untrusted user code so only allow for internal PRs
      - name: Add COMPOSE_VARS to compose env file
        <<: *ifInternalPullRequest
        env:
          COMPOSE_VARS: ${{ secrets.COMPOSE_VARS }}
        # do not use shell tracing to avoid leaking secrets
        shell: bash
        run: |
          if [ -n "${COMPOSE_VARS}" ]
          then
            echo "${COMPOSE_VARS}" | base64 --decode > ${COMPOSE_ENV_FILE}

            while read -r line
            do
              secret="$(echo "${line}" | awk -F'=' '{print $2}')"
              echo "::add-mask::${secret}"
            done < ${COMPOSE_ENV_FILE}
          fi

      - name: Add GITHUB_TOKEN to compose env file
        <<: *ifInternalPullRequest
        env:
          GITHUB_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
          GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          if ! grep -q '^GH_TOKEN=' ${COMPOSE_ENV_FILE}
          then
            echo "GH_TOKEN=${GH_TOKEN}" >> ${COMPOSE_ENV_FILE}
          fi

          if ! grep -q '^GITHUB_TOKEN=' ${COMPOSE_ENV_FILE}
          then
            echo "GITHUB_TOKEN=${GITHUB_TOKEN}" >> ${COMPOSE_ENV_FILE}
          fi

      - name: Write docker bake file
        run: |
          echo '${{ needs.is_docker.outputs.docker_bake_json }}' > "${DOCKER_BAKE_FILE}"
          jq . "${DOCKER_BAKE_FILE}"

      - name: Write docker compose file
        if: needs.is_docker.outputs.docker_compose_tests == 'true'
        run: |
          files="
            docker-compose.yml
            docker-compose.yaml
            docker-compose.test.yml
            docker-compose.test.yaml
          "

          args=""
          for file in ${files}
          do
            test -f "${file}" || continue
            args="${args} -f ${file}"

            if [ ! -f .env ]
            then
              yq '.services.*.env_file |= map(with(select(. == ".env") ; . = "${{ env.COMPOSE_ENV_FILE }}"))' -i "${file}"
            fi
          done

          docker compose --env-file="${COMPOSE_ENV_FILE}" --project-directory="$(pwd)" ${args} config > "${COMPOSE_FILE}"

          yq '(.services.* | select(.build != null)).platform |= "${{ matrix.platform }}"' -i "${COMPOSE_FILE}"
          yq . "${COMPOSE_FILE}"

      # https://github.com/docker/bake-action
      - name: Docker bake
        id: docker_bake
        uses: docker/bake-action@39f20cb0172439e0d27decdfa0c6778b2720c3e6 # v3
        env:
          # use automatic github token for untrusted user code
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          workdir: ${{ inputs.working_directory }}
          files: |
            ${{ env.DOCKER_BAKE_FILE }}
            ${{ steps.test_meta.outputs.bake-file }}
          targets: ${{ matrix.target }}
          set: |
            *.platform=${{ matrix.platform }}
            *.secrets=id=GITHUB_TOKEN
            *.secrets=id=GH_TOKEN
            *.cache-to=type=gha,mode=min,scope=${{ github.head_ref }}-${{ matrix.target }}-${{ matrix.platform }}
            *.cache-from=type=gha,scope=${{ github.head_ref }}-${{ matrix.target }}-${{ matrix.platform }}
          load: true
          provenance: false

      # run docker compose tests and print the logs from all services
      - name: Run docker compose tests
        if: needs.is_docker.outputs.docker_compose_tests == 'true'
        run: |
          docker compose up sut --exit-code-from sut || { docker compose logs ; exit 1 ; }
          docker compose logs

      - name: Save image to file
        run: |
          docker save ${{ join(fromJSON(steps.test_meta.outputs.json).tags,' ') }} -o ${DOCKER_TAR}
          gzip -v ${DOCKER_TAR}

      # https://github.com/actions/upload-artifact
      - name: Upload artifacts
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
        with:
          # this docker-{sha}-{target}-{platform} naming scheme is used by docker_publish to find the correct artifact
          name: docker-${{ github.event.pull_request.head.sha }}-${{ steps.strings.outputs.target }}-${{ steps.strings.outputs.platform }}
          path: ${{ env.DOCKER_TAR }}.gz
          retention-days: 1

  docker_publish:
    name: Publish docker
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_docker
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.docker_test.result == 'success' &&
      join(fromJSON(needs.is_docker.outputs.docker_images)) != ''

    <<: *rootWorkingDirectory

    services:
      registry:
        image: registry:2.8.1
        ports:
          - 5000:5000

    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.is_docker.outputs.docker_images) }}
        target: ${{ fromJSON(needs.is_docker.outputs.bake_targets) }}

    env:
      LOCAL_TAG: localhost:5000/sut:latest

    steps:
      - *sanitizeDockerStrings
      - *dockerDraftMetadata
      - *setupBuildx
      - *setupCrane

      - name: Warn if tests skipped
        if: needs.is_docker.outputs.docker_compose_tests != 'true'
        run: echo "::warning::Publishing Docker images without docker compose tests!"

      # https://github.com/actions/download-artifact
      - name: Download all artifacts
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
        with:
          path: ${{ runner.temp }}

      - name: Decompress artifacts
        run: |
          for gz in ${{ runner.temp }}/docker-${{ github.event.pull_request.head.sha }}-${{ steps.strings.outputs.target }}-*/docker.tar.gz
          do
            gzip -vd "${gz}"
          done

      - name: Create local manifest
        run: |
          for tar in "${{ runner.temp }}"/*/docker.tar
          do
            artifact_name="$(basename "$(dirname "${tar}")")"
            sha="$(echo "${artifact_name}" | awk -F- '{print $2}')"
            target="$(echo "${artifact_name}" | awk -F- '{print $3}')"
            platform="$(echo "${artifact_name}" | awk -F- '{print $4}')"

            platform_tag="${LOCAL_TAG}-${platform}"

            skopeo copy --all "docker-archive:${tar}" "docker://${platform_tag}" --dest-tls-verify=false

            docker buildx imagetools create -t ${LOCAL_TAG} --append "${platform_tag}" || \
              docker buildx imagetools create -t ${LOCAL_TAG} "${platform_tag}"
            docker buildx imagetools inspect --raw "${LOCAL_TAG}" > "${{ runner.temp }}/manifest.json"
          done

      - *loginWithGitHubContainerRegistry
      - *loginWithDockerHub

      # https://github.com/akhilerm/tag-push-action
      - name: Publish manifest to remote(s)
        uses: akhilerm/tag-push-action@85bf542f43f5f2060ef76262a67ee3607cb6db37 # v2.1.0
        with:
          src: ${{ env.LOCAL_TAG }}
          dst: |
            ${{ steps.draft_meta.outputs.tags }}

      - &dockerPublishPlatformTags
        name: Publish tags for each platform
        if: inputs.docker_publish_platform_tags == true
        env:
          <<: *dockerPlatformSlugMap
          REMOTE_TAGS: ${{ steps.draft_meta.outputs.tags }}
        run: |
          for remote_tag in ${REMOTE_TAGS}
          do
            for b64 in $(jq -r '.manifests[].platform | @base64' <<< "$(docker buildx imagetools inspect --raw "${remote_tag}")")
            do
              json="$(echo "${b64}" | base64 --decode)"
              os="$(echo "${json}" | jq -r '.os')"
              arch="$(echo "${json}" | jq -r '.architecture')"
              variant="$(echo "${json}" | jq -r '.variant // ""')"

              if [ -z "${variant}" ]
              then
                platform="${os}/${arch}"
              else
                platform="${os}/${arch}/${variant}"
              fi

              platform_slug="$(jq -cr --arg platform "${platform}" '.[$platform] // ""' <<< "${PLATFORM_SLUG_MAP}")"

              if [ -z "{platform_slug}" ]
              then
                echo "::error::Unsupported platform: ${PLATFORM}"
              fi

              crane copy "${remote_tag}" "${remote_tag}-${platform_slug}" --platform "${platform}"
            done
          done

  docker_finalize:
    name: Finalize docker
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_docker
    if: |
      !failure() && !cancelled() &&
      needs.is_docker.result == 'success' &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result &&
      join(fromJSON(needs.is_docker.outputs.docker_images)) != ''

    <<: *rootWorkingDirectory

    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.is_docker.outputs.docker_images) }}
        target: ${{ fromJSON(needs.is_docker.outputs.bake_targets) }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *getVersionTag
      - *sanitizeDockerStrings
      - *dockerFinalMetadata
      - *setupCrane
      - *loginWithGitHubContainerRegistry
      - *loginWithDockerHub

      # https://github.com/akhilerm/tag-push-action
      - name: Publish final tags
        uses: akhilerm/tag-push-action@85bf542f43f5f2060ef76262a67ee3607cb6db37 # v2.1.0
        with:
          src: ${{ matrix.image }}:${{ steps.strings.outputs.prefix }}build-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}${{ steps.strings.outputs.suffix }}
          dst: |
            ${{ steps.final_meta.outputs.tags }}

      - <<: *dockerPublishPlatformTags
        env:
          <<: *dockerPlatformSlugMap
          REMOTE_TAGS: ${{ steps.final_meta.outputs.tags }}

      # attempt to update the dockerhub description, but do not abort on failure
      - name: Update DockerHub Description
        if: contains(steps.strings.outputs.image, 'docker.io') && github.base_ref == github.event.repository.default_branch
        continue-on-error: true
        uses: peter-evans/dockerhub-description@579f64ca0abced29dbbc44ab4c6a0b9e33ab3588 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USER || secrets.DOCKER_REGISTRY_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN || secrets.DOCKER_REGISTRY_PASS }}
          repository: ${{ steps.dockerhub.outputs.repository }}
          readme-filepath: ./README.md

  ###################################################
  ## balena
  ###################################################

  balena_publish:
    name: Publish balena
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_balena
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.is_balena.result == 'success' &&
      needs.is_pr_open.result == 'success'

    strategy:
      fail-fast: false
      matrix:
        slug: ${{ fromJSON(needs.is_balena.outputs.balena_slugs) }}

    <<: *customWorkingDirectory

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *deployToBalenaAction
      - *getReleaseNotes
      - *updateBalenaReleaseNotes

  balena_finalize:
    name: Finalize balena
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_balena
    if: |
      !failure() && !cancelled() &&
      needs.is_balena.result == 'success' &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result

    strategy:
      fail-fast: false
      matrix:
        slug: ${{ fromJSON(needs.is_balena.outputs.balena_slugs) }}

    <<: *customWorkingDirectory

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *deployToBalenaAction
      - *getReleaseNotes
      - *updateBalenaReleaseNotes

  ###################################################
  ## Python
  ###################################################

  python_test:
    name: Test python poetry
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_python
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      needs.is_python.outputs.python_poetry == 'true'

    <<: *customWorkingDirectory

    strategy:
      fail-fast: false
      matrix:
        python-version: ${{ fromJSON(needs.is_python.outputs.python_versions) }}

    outputs:
      package: ${{ steps.meta.outputs.package }}
      version: ${{ steps.meta.outputs.version }}
      branch_tag: ${{ steps.meta.outputs.branch_tag }}
      sha_tag: ${{ steps.meta.outputs.sha_tag }}
      version_tag: ${{ steps.meta.outputs.version_tag }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *getVersionTag

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install Poetry
        run: |
          pipx install poetry

      - name: Run poetry install
        run: |
          poetry install

      - name: Add linters and pytest to poetry
        run: |
          dep_list=`poetry show`
          if (grep -wq ^flake8 <<< "$dep_list") && \
             (grep -wq ^pydocstyle <<< "$dep_list") && \
             (grep -wq ^pytest <<< "$dep_list")
          then
            echo "Dev dependencies already installed"
          else
            poetry add --group dev flake8@latest pydocstyle@latest pytest@latest
          fi

      - name: Lint with flake8
        run: |
          poetry run flake8 --max-line-length=120 --benchmark

      - name: Lint with pydocstyle
        run: |
          poetry run pydocstyle

      - name: Test with pytest
        run: |
          poetry run pytest tests/

      - name: Generate metadata
        id: meta
        run: |
          package="$(grep '^name = \"' pyproject.toml | awk -F[\"\"] '{print $2}')"
          version="${{ steps.version_tag.outputs.semver }}"
          branch_tag="$(echo '${{ github.event.pull_request.head.ref }}' | sed 's/[^[:alnum:]]/-/g')"
          sha_tag="${branch_tag}-${{ github.event.pull_request.head.sha }}"
          version_tag="${version}-${branch_tag}-${{ github.event.pull_request.head.sha }}"

          echo "package=${package}" >> $GITHUB_OUTPUT
          echo "version=${version}" >> $GITHUB_OUTPUT
          echo "branch_tag=${branch_tag}" >> $GITHUB_OUTPUT
          echo "sha_tag=${sha_tag}" >> $GITHUB_OUTPUT
          echo "version_tag=${version_tag}" >> $GITHUB_OUTPUT

  ###################################################
  # Website
  ###################################################

  website_publish:
    name: Publish website
    runs-on: ${{fromJSON(inputs.runs_on)}}
    env:
      CF_BRANCH: ${{ github.event.pull_request.head.ref || github.event.repository.default_branch }}
    needs:
      - is_pr_open
      - is_pr_merged
      - is_pushed_tag
      - is_website
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.is_website.result == 'success'

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
        with:
          node-version: 18

      - name: Docusaurus Builder
        if: |
          needs.is_website.outputs.has_readme == 'true' &&
          inputs.docusaurus_website != false
        uses: product-os/docusaurus-builder@3c2a832a54574094e54ea8c02074681d90295ab0 # v1.5.4
        with:
          repo: ${{ github.event.repository.name }}
          org: ${{ github.repository_owner }}
          default_branch: ${{ github.event.repository.default_branch }}
          url: https://${{ inputs.cloudflare_website }}.pages.dev/

      - name: Custom Website Builder
        if: |
          inputs.docusaurus_website == false
        run: npm run deploy-docs --if-present

      - name: Update deploy branch for merged PRs
        if: needs.is_pr_open.result != 'success'
        run: |
          echo "CF_BRANCH=${{ github.event.repository.default_branch }}" >> $GITHUB_ENV

      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@4c10c1822abba527d820b29e6333e7f5dac2cabd # 2.0.0
        with:
          apiToken: ${{ secrets.CF_API_TOKEN }}
          accountId: ${{ secrets.CF_ACCOUNT_ID }}
          wranglerVersion: "2.12.0" # latest - https://www.npmjs.com/package/wrangler
          preCommands: wrangler --version
          command: pages publish --branch ${{ env.CF_BRANCH }} --project-name=${{ inputs.cloudflare_website }} build/ | tee -a $GITHUB_STEP_SUMMARY

  ###################################################
  # GitHub
  ###################################################

  github_clean:
    name: Clean GitHub release
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_closed
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_closed.result == 'success'
    <<: *rootWorkingDirectory
    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *deleteDraftGitHubRelease

  github_publish:
    name: Publish Github release
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - npm_publish
      - cargo_publish
      - custom_publish
      - is_pr_open
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success'

    <<: *rootWorkingDirectory

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *deleteDraftGitHubRelease

      - name: Download all artifacts
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
        with:
          path: ${{ runner.temp }}

      - name: Check if any release artifacts exist
        id: gh_artifacts
        env:
          GH_ARTIFACTS: ${{ runner.temp }}/gh-release-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
        run: |
          set -ea

          artifact_count=0
          [ -d "$GH_ARTIFACTS" ] && \
              artifact_count=$(ls "$GH_ARTIFACTS" | wc -l | sed 's/^ *//;s/ *$//')
          echo "count=$artifact_count" >> $GITHUB_OUTPUT

      # https://github.com/softprops/action-gh-release
      - name: Publish artifacts
        if: steps.gh_artifacts.outputs.count != '0'
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
          name: ${{ github.event.pull_request.head.ref }}
          tag_name: ${{ github.event.pull_request.head.ref }}
          draft: true
          prerelease: true
          # Publish anything added to with the gh-release name
          files: ${{ runner.temp }}/gh-release-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}/*

  github_finalize:
    name: Finalize GitHub release
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - versioned_source
    if: |
      !failure() && !cancelled() && (
        (
          needs.is_pr_merged.result == 'success' &&
          inputs.disable_versioning == false
        ) || (
          needs.is_pushed_tag.result == 'success' &&
          inputs.disable_versioning == true
        )
      )

    <<: *rootWorkingDirectory

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *getVersionTag
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *getReleaseNotes

      # https://docs.github.com/en/rest/releases
      - name: Finalize GitHub release (if any)
        env:
          <<: *gitHubCliEnvironment
          GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          set -ea

          if gh release view '${{ github.event.pull_request.head.ref }}'; then
            gh release edit '${{ github.event.pull_request.head.ref }}' \
              --notes-file '${{ steps.release_notes.outputs.file }}' \
              --title '${{ steps.version_tag.outputs.tag }}' \
              --tag '${{ steps.version_tag.outputs.tag }}' \
              --prerelease='${{ inputs.github_prerelease }}' \
              --draft=false

            if [[ ${{ inputs.github_prerelease }} =~ false ]]; then
                release_id="$(gh api "/repos/${{ github.repository }}/releases/tags/${{ steps.version_tag.outputs.tag }}" \
                  -H 'Accept: application/vnd.github+json' | jq -r .id)"
                gh api --method PATCH "/repos/${{ github.repository }}/releases/${release_id}" \
                  -H 'Accept: application/vnd.github+json' \
                  -F make_latest=true
            fi
          else
            echo "No release found for the current PR"
          fi

  ###################################################
  # rust
  ###################################################

  cargo_test:
    name: Test rust
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_cargo
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      needs.is_cargo.outputs.cargo == 'true'

    <<: *customWorkingDirectory

    strategy:
      fail-fast: false
      matrix:
        target: ${{ fromJSON(needs.is_cargo.outputs.cargo_targets) }}

    outputs:
      package: ${{ steps.meta.outputs.package }}
      version: ${{ steps.meta.outputs.version }}
      branch_tag: ${{ steps.meta.outputs.branch_tag }}
      sha_tag: ${{ steps.meta.outputs.sha_tag }}
      version_tag: ${{ steps.meta.outputs.version_tag }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact
      - *getVersionTag

      - name: Set up toolchain ${{ matrix.target }}
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ inputs.rust_toolchain }}
          targets: ${{ matrix.target }}
          components: rustfmt

      - name: Check formatting
        run: cargo fmt --check

      - name: Install cross
        run: cargo install cross

      - name: Lint with clippy
        run: cross -v clippy --all-targets --all-features -- -D warnings

      - name: Run tests for toolchain ${{ matrix.target }}
        run: cross -v test --target ${{ matrix.target }}

      - name: Generate metadata
        id: meta
        run: |
          package="$(grep '^name = \"' Cargo.toml | awk -F[\"\"] '{print $2}')"
          version="${{ steps.version_tag.outputs.semver }}"
          branch_tag="$(echo '${{ github.event.pull_request.head.ref }}' | sed 's/[^[:alnum:]]/-/g')"
          sha_tag="${branch_tag}-${{ github.event.pull_request.head.sha }}"
          version_tag="${version}-${branch_tag}-${{ github.event.pull_request.head.sha }}"

          echo "package=${package}" >> $GITHUB_OUTPUT
          echo "version=${version}" >> $GITHUB_OUTPUT
          echo "branch_tag=${branch_tag}" >> $GITHUB_OUTPUT
          echo "sha_tag=${sha_tag}" >> $GITHUB_OUTPUT
          echo "version_tag=${version_tag}" >> $GITHUB_OUTPUT

  cargo_publish:
    name: Publish rust
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_cargo
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.cargo_test.result == 'success' &&
      inputs.rust_binaries == true

    <<: *customWorkingDirectory

    strategy:
      fail-fast: false
      matrix:
        target: ${{ fromJSON(needs.is_cargo.outputs.cargo_targets) }}

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Set up toolchain ${{ matrix.target }}
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ inputs.rust_toolchain }}
          targets: ${{ matrix.target }}

      - name: Install cross
        run: cargo install cross

      - name: Build release for toolchain ${{ matrix.target }}
        run: cross -v build --release --target ${{ matrix.target }}

      - name: Install LLVM
        run: sudo apt-get install -y llvm

      - name: LLVM strip
        run: llvm-strip target/${{ matrix.target }}/release/${{ needs.cargo_test.outputs.package }}

      - name: Compress
        run: |
          tar -czvf ${{ needs.cargo_test.outputs.package }}-${{ matrix.target }}.tar.gz -C target/${{ matrix.target }}/release ${{ needs.cargo_test.outputs.package }}

      - name: Upload artifact
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
        with:
          name: gh-release-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}
          path: ${{ needs.cargo_test.outputs.package }}-${{ matrix.target }}.tar.gz
          retention-days: 1

  cargo_finalize:
    name: Finalize rust
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_cargo
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result &&
      needs.is_cargo.outputs.cargo == 'true'

    <<: *customWorkingDirectory

    steps:
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Set up toolchain ${{ matrix.target }}
        uses: dtolnay/rust-toolchain@stable

      - name: Publish crate to ${{ env.CARGO_REGISTRY }}
        env:
          CARGO_REGISTRY_DEFAULT: ${{ env.CARGO_REGISTRY }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: |
          if [ -n "$CARGO_REGISTRY_TOKEN" ]; then
            cargo publish
          fi

  ###################################################
  ## custom
  ###################################################

  custom_test:
    name: Test custom
    runs-on: ${{ matrix.os }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_custom
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      needs.is_custom.outputs.custom_test == 'true'

    strategy:
      fail-fast: false
      matrix:
        value: ${{ fromJSON(needs.is_custom.outputs.custom_test_matrix) }}
        os: ${{ fromJSON(inputs.tests_run_on || inputs.custom_runs_on) }}

    steps:
      - *rejectExternalCustomActions
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Set the matrix value env var
        run: |
          echo "matrix_value=${{ matrix.value }}" >> $GITHUB_ENV
          echo "os_value=${{ matrix.os }}" >> $GITHUB_ENV

      - uses: ./.github/actions/test
        with:
          json: ${{ toJSON(inputs) }}
          secrets: ${{ toJSON(secrets) }}
          variables: ${{ toJSON(vars) }}

  custom_publish:
    name: Publish custom
    runs-on: ${{ matrix.os }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - is_custom
      - npm_test
      - custom_test
      - docker_test
      - cargo_test
      - python_test
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      needs.is_custom.outputs.custom_publish == 'true'

    strategy:
      fail-fast: false
      matrix:
        value: ${{ fromJSON(needs.is_custom.outputs.custom_publish_matrix) }}
        os: ${{ fromJSON(inputs.tests_run_on || inputs.custom_runs_on) }}

    steps:
      - *rejectExternalCustomActions
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Set the matrix value env var
        run: |
          echo "matrix_value=${{ matrix.value }}" >> $GITHUB_ENV
          echo "os_value=${{ matrix.os }}" >> $GITHUB_ENV

      - uses: ./.github/actions/publish
        with:
          json: ${{ toJSON(inputs) }}
          secrets: ${{ toJSON(secrets) }}
          variables: ${{ toJSON(vars) }}

  custom_finalize:
    name: Finalize custom
    runs-on: ${{ matrix.os }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
      - is_pushed_tag
      - is_custom
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_merged.result != needs.is_pushed_tag.result &&
      needs.is_custom.outputs.custom_finalize == 'true'

    strategy:
      fail-fast: false
      matrix:
        value: ${{ fromJSON(needs.is_custom.outputs.custom_finalize_matrix) }}
        os: ${{ fromJSON(inputs.tests_run_on || inputs.custom_runs_on) }}

    steps:
      - *rejectExternalCustomActions
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - name: Set the matrix value env var
        run: |
          echo "matrix_value=${{ matrix.value }}" >> $GITHUB_ENV
          echo "os_value=${{ matrix.os }}" >> $GITHUB_ENV

      - uses: ./.github/actions/finalize
        with:
          json: ${{ toJSON(inputs) }}
          secrets: ${{ toJSON(secrets) }}
          variables: ${{ toJSON(vars) }}

  custom_clean:
    name: Clean custom
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: true
      matrix:
        os: ${{ fromJSON(inputs.tests_run_on || inputs.custom_runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_closed
      - is_custom
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_closed.result == 'success' &&
      needs.is_custom.outputs.custom_clean == 'true'

    steps:
      - *rejectExternalCustomActions
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - uses: ./.github/actions/clean
        with:
          json: ${{ toJSON(inputs) }}
          secrets: ${{ toJSON(secrets) }}
          variables: ${{ toJSON(vars) }}

  custom_always:
    name: Always custom
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: true
      matrix:
        os: ${{ fromJSON(inputs.tests_run_on || inputs.custom_runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - custom_test
      - custom_publish
      - custom_finalize
      - custom_clean
      - is_custom
    if: |
      always() &&
      needs.is_custom.outputs.custom_always == 'true'

    steps:
      - *rejectExternalCustomActions
      - *downloadSourceArtifact
      - *extractSourceArtifact

      - uses: ./.github/actions/always
        with:
          json: ${{ toJSON(inputs) }}
          secrets: ${{ toJSON(secrets) }}
          variables: ${{ toJSON(vars) }}

  protect_branch:
    name: Protect branch
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result == 'success' &&
      inputs.protect_branch == true &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.event.repository.default_branch == github.event.pull_request.base.ref

    <<: *rootWorkingDirectory

    env:
      BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.repository.default_branch }}/protection

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *getBranchProtectionRules
      - *isDraftPullRequest

      - name: Prepare protection rules
        id: prepare_protection_rules
        if: steps.branch_protection.outputs.json != ''
        env:
          REQUIRED_STATUS_CHECKS_INPUT: ${{ inputs.required_status_checks }}
          REQUIRED_APROVING_REVIEW_COUNT_INPUT: ${{ inputs.required_approving_review_count }}
          required_status_checks__strict: ${{ steps.branch_protection.outputs.required_status_checks__strict }}
          required_status_checks__contexts: ${{ steps.branch_protection.outputs.required_status_checks__contexts }}
          required_pull_request_reviews__required_approving_review_count: ${{ steps.branch_protection.outputs.required_pull_request_reviews__required_approving_review_count }}
          required_pull_request_reviews__dismissal_restrictions__users: ${{ steps.branch_protection.outputs.required_pull_request_reviews__dismissal_restrictions__users }}
          required_pull_request_reviews__dismissal_restrictions__teams: ${{ steps.branch_protection.outputs.required_pull_request_reviews__dismissal_restrictions__teams }}
          required_pull_request_reviews__dismissal_restrictions__apps: ${{ steps.branch_protection.outputs.required_pull_request_reviews__dismissal_restrictions__apps }}
          required_pull_request_reviews__dismiss_stale_reviews: ${{ steps.branch_protection.outputs.required_pull_request_reviews__dismiss_stale_reviews }}
          required_pull_request_reviews__require_code_owner_reviews: ${{ steps.branch_protection.outputs.required_pull_request_reviews__require_code_owner_reviews }}
          enforce_admins__enabled: ${{ steps.branch_protection.outputs.enforce_admins__enabled }}
          required_linear_history__enabled: ${{ steps.branch_protection.outputs.required_linear_history__enabled }}
          required_conversation_resolution__enabled: ${{ steps.branch_protection.outputs.required_conversation_resolution__enabled }}
          allow_force_pushes__enabled: ${{ steps.branch_protection.outputs.allow_force_pushes__enabled }}
          allow_deletions__enabled: ${{ steps.branch_protection.outputs.allow_deletions__enabled }}
          required_signatures__enabled: ${{ steps.branch_protection.outputs.required_signatures__enabled }}
          block_creations__enabled: ${{ steps.branch_protection.outputs.block_creations__enabled }}

        run: |
          new_required_status_checks__contexts="$(echo $required_status_checks__contexts | \
            jq -r "map(
              select(
                test(\"^${{ inputs.job_name }} /\";\"i\") | not
              )
            ) | . + ${REQUIRED_STATUS_CHECKS_INPUT} | unique"
          )"

          if [ $(echo ${new_required_status_checks__contexts} | jq 'length') -lt 1 ]
          then
            echo "::error::Not applying empty list of status checks"
            exit 1
          fi

          newjson=$(cat <<-END
            {
              "required_status_checks": {
                  "strict": ${required_status_checks__strict},
                  "contexts": ${new_required_status_checks__contexts}
              },
              "required_pull_request_reviews": {
                  "dismissal_restrictions": {
                      "users": ${required_pull_request_reviews__dismissal_restrictions__users},
                      "teams": ${required_pull_request_reviews__dismissal_restrictions__teams},
                      "apps": ${required_pull_request_reviews__dismissal_restrictions__apps}
                  },
                  "dismiss_stale_reviews": ${required_pull_request_reviews__dismiss_stale_reviews},
                  "require_code_owner_reviews": ${required_pull_request_reviews__require_code_owner_reviews},
                  "required_approving_review_count": ${REQUIRED_APROVING_REVIEW_COUNT_INPUT},
                  "bypass_pull_request_allowances": {
                      "users": [],
                      "teams": []
                  }
              },
              "enforce_admins": ${enforce_admins__enabled},
              "required_signatures": ${required_signatures__enabled},
              "restrictions": null,
              "required_linear_history": ${required_linear_history__enabled},
              "allow_force_pushes": ${allow_force_pushes__enabled},
              "allow_deletions": ${allow_deletions__enabled},
              "block_creations": ${block_creations__enabled},
              "required_conversation_resolution": ${required_conversation_resolution__enabled}
            }
          END
          )

          # unsupported restrictions outside of Github organisations
          if [[ -z '${{ github.event.organization }}' ]]; then
              newjson="$(echo "${newjson}" | jq -r 'del(.required_pull_request_reviews.dismissal_restrictions, .required_pull_request_reviews.bypass_pull_request_allowances)')"
          fi

          diff_exit_code="$(diff -Z <(echo ${new_required_status_checks__contexts} | jq 'sort_by(.)') <(echo ${required_status_checks__contexts} | jq 'sort_by(.)') 1>&2; echo $?)"

          if [ ${diff_exit_code} -eq 0 ] && [ ${required_pull_request_reviews__required_approving_review_count} -eq ${REQUIRED_APROVING_REVIEW_COUNT_INPUT} ]
          then
            echo "::debug::Branch protection rules are unchanged, skipping update"
            exit 0
          fi

          result=$(echo "${newjson}" | jq -c '. | @json' )
          echo "result=${result}" >> $GITHUB_OUTPUT

      # https://github.com/cli/cli/issues/3528
      - name: Apply branch protection rules
        id: apply_branch_protection_rules
        if: |
          steps.is_draft_pr.outputs.result == 'false' &&
          steps.prepare_protection_rules.outputs.result != ''
        env:
          <<: *gitHubCliEnvironment
          GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          result="$(echo '${{ fromJSON(steps.prepare_protection_rules.outputs.result) }}' \
            | gh api --method PUT ${{ env.BRANCH_PROTECTION_URI }} --input -)"
          message="$(echo "${result}" | jq -r .message)"
          if ! [[ $message =~ null ]]
          then
            echo "::error::Failed to apply branch protection rules with ${message} ${result} "
            exit 1
          fi
          echo "::notice::Branch protection rules have been updated"

  ###################################################
  ## configure standard repository settings
  ###################################################

  repo_config:
    name: Apply repo settings
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_merged
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_merged.result == 'success' &&
      inputs.repo_config == true
    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken

      - name: Configure repository
        env:
          <<: *gitHubCliEnvironment
          GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
        run: |
          # only change repository visibility if explicitly set to one of the permissible values
          visibility=''
          if [[ '${{ inputs.repo_visibility }}' =~ private|public|internal ]]; then
              gh repo edit '${{ github.repository }}' \
                --visibility '${{ inputs.repo_visibility }}'
          fi

          if [[ -n '${{ inputs.repo_description }}' ]]; then
              gh repo edit '${{ github.repository }}' \
                --description '${{ inputs.repo_description }}'
          fi

          if [[ -n '${{ inputs.repo_homepage }}' ]]; then
              homepage='${{ inputs.repo_homepage }}'
          elif [[ -n '${{ inputs.cloudflare_website }}' ]]; then
              homepage='https://${{ inputs.cloudflare_website }}.pages.dev'
          else
              homepage=''
          fi
          [[ -n "${homepage}" ]] && gh repo edit '${{ github.repository }}' \
            --homepage "${homepage}"

          # HTTP 422: This organization does not allow private repository forking
          if ! gh repo edit '${{ github.repository }}' \
            --allow-forking=${{ inputs.repo_allow_forking }}; then
              echo '::warning::Failed to configure some repository settings.'
          fi

          # FIXME: https://github.com/cli/cli/issues/6652#issuecomment-1323908232
          gh repo edit '${{ github.repository }}' \
            --default-branch=${{ inputs.repo_default_branch }} \
            --delete-branch-on-merge=${{ inputs.repo_delete_branch_on_merge }} \
            --enable-auto-merge=${{ inputs.repo_enable_auto_merge }} \
            --enable-issues=${{ inputs.repo_enable_issues }} \
            --enable-merge-commit=${{ inputs.repo_enable_merge_commit }} \
            --enable-projects=${{ inputs.repo_enable_projects }} \
            --enable-rebase-merge=${{ inputs.repo_enable_rebase_merge }} \
            --enable-squash-merge=${{ inputs.repo_enable_squash_merge }} \
            --enable-wiki=${{ inputs.repo_enable_wiki }}

          # allow_update_branch not currently available for update via gh-cli
          gh api --method PATCH '/repos/${{ github.repository }}' \
            -H "Accept: application/vnd.github+json" \
            -F allow_update_branch='${{ inputs.repo_allow_update_branch }}'

  all_tests:
    name: All tests
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - npm_test
      - docker_test
      - python_test
      - cargo_test
      - custom_test
    if: |
      always() &&
      needs.is_pr_open.result != 'skipped'
    steps:
      - *rejectFailedJobs
      - *rejectCancelledJobs

  all_jobs:
    name: All jobs
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - versioned_source
      - is_npm
      - is_docker
      - is_python
      - is_cargo
      - is_balena
      - is_custom
      - is_website
      - all_tests
      - npm_publish
      - docker_publish
      - balena_publish
      - website_publish
      - github_publish
      - cargo_publish
      - custom_publish
      - custom_always
      - protect_branch
    if: |
      always() &&
      needs.is_pr_open.result != 'skipped'

    steps:
      - *rejectFailedJobs
      - *rejectCancelledJobs

  auto-merge:
    name: Auto-merge
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }}
    needs:
      - is_pr_open
      - protect_branch
    if: |
      !failure() && !cancelled() &&
      needs.is_pr_open.result != 'skipped' &&
      inputs.toggle_auto_merge == true

    env:
      BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.pull_request.base.ref }}/protection

    steps:
      - *checkGitHubAppPrivateKey
      - *getGitHubAppToken
      - *getBranchProtectionRules
      - *isDraftPullRequest

      - <<: *getGitHubAppToken
        id: non_admin_token
        with:
          app_id: ${{ inputs.app_id }}
          installation_id: ${{ inputs.installation_id }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          permissions: >-
            {
              "actions": "read",
              "checks": "read",
              "contents": "write",
              "members": "read",
              "metadata": "read",
              "organization_secrets": "read",
              "packages": "read",
              "pages": "read",
              "pull_requests": "write",
              "secrets": "read",
              "statuses": "read",
              "workflows": "read"
            }

      # do not use automatic github token to enable auto-merge as it will not trigger merge events
      - name: Toggle auto-merge
        if: |
          steps.is_draft_pr.outputs.result == 'false' &&
          steps.branch_protection.outputs.json != '' &&
          steps.branch_protection.outputs.required_status_checks__contexts != '[]'
        env:
          <<: *gitHubCliEnvironment
          GH_TOKEN: "${{ steps.non_admin_token.outputs.token || secrets.FLOWZONE_TOKEN }}"
        run: |
          gh pr merge ${{ github.event.pull_request.number }} --merge --auto || true