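# Build, test and publish the wonderwall container image.
#
# Flow: every push runs `test`; `publish-images` additionally runs on master,
# verifies the signature of the distroless base image with cosign, then
# builds, pushes and signs the image through nais/platform-build-push-sign.
name: Build wonderwall
on: [push]
env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
  GITHUB_REGISTRY: ghcr.io
jobs:
  test:
    # NOTE(review): this job pins ubuntu-20.04 while publish-images uses
    # ubuntu-latest; confirm the older runner image is still intended.
    runs-on: ubuntu-20.04
    # Least privilege: this job only checks out and runs make targets, so the
    # GITHUB_TOKEN is limited to read-only repository contents instead of the
    # repository/organisation default.
    permissions:
      contents: "read"
    steps:
      # NOTE(review): unlike the other actions in this workflow, checkout is
      # referenced by a mutable tag rather than a full commit SHA, and the
      # ratchet comment still records v3. Re-pin so the ref is immutable.
      - name: Checkout latest code
        uses: actions/checkout@v4 # ratchet:actions/checkout@v3
        with:
          # The make targets below run repository code; do not leave the
          # token in the local git config where that code could read it.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # ratchet:actions/setup-go@v4
        with:
          # Quoted so the version is not parsed as a float.
          go-version: "1.21"
          check-latest: true
      - name: Test Go
        run: |
          make test
          make check
  publish-images:
    needs: test
    name: Publish to Google and GitHub registries
    # Publishing is restricted to the master branch; pushes to other refs
    # stop after the test job.
    if: github.ref == 'refs/heads/master'
    # Explicit token scopes for this job. id-token is presumably needed for
    # the OIDC exchange behind workload_identity_provider and for keyless
    # signing; packages for the GHCR push (push_ghcr below) -- confirm
    # against the build-push-sign action.
    permissions:
      contents: "read"
      id-token: "write"
      packages: "write"
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): same mutable-tag reference as in the test job. This job
      # holds id-token and packages write, so pinning matters most here.
      - name: Checkout
        uses: actions/checkout@v4 # ratchet:actions/checkout@v3
      - name: Install cosign
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.2.1'
      # Keyless verification of the base image: the signing certificate must
      # be issued by accounts.google.com for the distroless service account.
      # NOTE(review): the check is against the tag as resolved at this moment.
      # If the Dockerfile (not visible here) also references the image by
      # tag, the build may resolve a different digest than the one verified;
      # referencing the image by digest in both places would close that gap.
      - name: Verify runner image
        run: >-
          cosign verify
          --certificate-oidc-issuer https://accounts.google.com
          --certificate-identity keyless@distroless.iam.gserviceaccount.com
          gcr.io/distroless/static-debian11:nonroot
      - uses: nais/platform-build-push-sign@fb7da39ee56c8904ed15c02705a1780cb278a65b # ratchet:nais/platform-build-push-sign@main
        id: build_push_sign
        with:
          name: wonderwall
          dockerfile: Dockerfile
          google_service_account: gh-wonderwall
          multi-platform: true
          push: true
          push_ghcr: true
          # Provider identifier comes from repository secrets, not the file.
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}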