name: Build + Deploy to GHCR

on:
  release:
    types: [published]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

permissions:
  contents: read

jobs:
  build:
    name: Test Build
    runs-on: ubuntu-latest
    steps:
    
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

    - name: Checkout
      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
      with:
        fetch-depth: 0

    - name: Setup .Net
      uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87
      with:
        dotnet-version: 6.0.x

    - name: Restore Dependencies
      run: dotnet restore src/CodeCoverageSummary.sln

    - name: Build CodeCoverageSummary
      run: dotnet build src/CodeCoverageSummary.sln --configuration Release --no-restore

    - name: Test with sample file
      run: dotnet src/CodeCoverageSummary/bin/Release/net6.0/CodeCoverageSummary.dll --files **/coverage.*.xml --badge true

  deploy:
    name: Deploy to GHCR
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write # Used for identity challenge with sigstore/fulcio

    steps:

      - name: Harden Runner
        uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - name: Checkout
        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf

      - name: Install Cosign
        uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5
        with:
          cosign-release: 'v1.9.0'

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6

      - name: Login to GitHub Container Registry
        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@b2391d37b4157fa4aa2e118d643f417910ff3242
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build + Push Docker image
        id: build-and-push
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Sign the Docker image digest
      # Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
      # https://github.com/sigstore/cosign
      - name: Sign the Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}