name: Build + Deploy to GHCR

on:
  release:
    types: [published]

permissions:
  contents: read

env:
  DOTNET_NOLOGO: true                     # Disable the .NET logo in the console output
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
  DOTNET_CLI_TELEMETRY_OPTOUT: true       # Disable sending .NET CLI telemetry to Microsoft
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    name: Test Build
    runs-on: ubuntu-latest
    steps:
    
    - name: Harden Runner
      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
      with:
        egress-policy: block
        allowed-endpoints: >
          api.nuget.org:443
          dotnetbuilds.azureedge.net:443
          dotnetcli.azureedge.net:443
          dotnetcli.blob.core.windows.net:443
          github.com:443

    - name: Checkout
      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
      with:
        fetch-depth: 0

    - name: Setup .Net
      uses: actions/setup-dotnet@4d4a70f4a5b2a5a5329f13be4ac933f2c9206ac0
      with:
        dotnet-version: 6.0.x

    - name: Restore Dependencies
      run: dotnet restore src/CodeCoverageSummary.sln

    - name: Build CodeCoverageSummary
      run: dotnet build src/CodeCoverageSummary.sln --configuration Release --no-restore

    - name: Test with sample file
      run: dotnet src/CodeCoverageSummary/bin/Release/net6.0/CodeCoverageSummary.dll --files **/coverage.*.xml --badge true

  deploy:
    name: Deploy to GHCR
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write # Used for identity challenge with sigstore/fulcio

    steps:

      - name: Harden Runner
        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            api.nuget.org:443
            auth.docker.io:443
            fulcio.sigstore.dev:443
            ghcr.io:443
            github.com:443
            mcr.microsoft.com:443
            pipelines.actions.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            registry-1.docker.io:443
            storage.googleapis.com:443

      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

      - name: Install Cosign
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
        with:
          cosign-release: 'v1.9.0'

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325

      - name: Login to GitHub Container Registry
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build + Push Docker image
        id: build-and-push
        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Sign the Docker image digest
      # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
      # https://github.com/sigstore/cosign
      - name: Sign the Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}