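# GitHub Actions workflow for wonderwall.
#
# Pipeline: test -> build (container image, signed) -> charts (Helm) -> rollout.
#
# Security properties this file relies on — keep them when editing:
#   * The default GITHUB_TOKEN is read-only (`contents: read`). Only the jobs
#     that need more opt in: `id-token: write` for OIDC federation to Google
#     Cloud, `packages: write` for the GHCR push.
#   * Every third-party action is pinned to a full commit SHA; the `# ratchet:`
#     trailer records the tag/branch the SHA was resolved from.
#   * Publishing and rollout only run for pushes to `master`.
#   * Values coming from the expression context (`${{ ... }}`) are passed into
#     shell steps through `env:` rather than being spliced into the script
#     text, so the scripts are not rewritten by whatever those values contain.
name: Build wonderwall

on: [push]  # yamllint disable-line rule:truthy

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # NOTE(review): this also cancels an in-flight master run, so a run can be
  # aborted after the image was pushed but before the chart/rollout finished.
  # The next run republishes everything, so this is tolerable, but keep it in
  # mind when reading a half-finished run.
  cancel-in-progress: true

env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
  GITHUB_REGISTRY: ghcr.io
  # Single source for the chart version prefix; used by `charts` (packaging)
  # and `rollout` (which must request exactly the version that was pushed).
  CHART_BASE_VERSION: "1.0.0"

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout latest code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # ratchet:actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
      # Tool versions come from the repository's mise configuration (not
      # visible here); pinning there is what makes `check`/`test` reproducible.
      - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # ratchet:jdx/mise-action@v3
      - run: mise run check
      - run: mise run test

  build:
    needs: test
    name: Publish to Google and GitHub registries
    if: github.ref == 'refs/heads/master'
    permissions:
      id-token: "write"
      packages: "write"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # ratchet:sigstore/cosign-installer@v4.0.0
      # Keyless verification of the distroless image against the identity
      # distroless publishes with (presumably the Dockerfile's base image —
      # confirm against the Dockerfile). Caveat: this checks whatever the
      # `:nonroot` tag resolves to at this moment, not a fixed digest, so it
      # only protects the build if the Dockerfile pulls the same reference;
      # pinning the Dockerfile to the digest of this verified image would
      # close that gap.
      - name: Verify base image signature
        run: >-
          cosign verify
          --certificate-oidc-issuer https://accounts.google.com
          --certificate-identity keyless@distroless.iam.gserviceaccount.com
          gcr.io/distroless/static-debian12:nonroot
      # Pinned to a commit, but the ratchet trailer tracks `main` rather than a
      # release tag, so an automated ratchet bump pulls in whatever is on main
      # at that time — review those bumps as code changes.
      - uses: nais/platform-build-push-sign@a16d89d06262f12e3468a20b9cc70f5317290bab # ratchet:nais/platform-build-push-sign@main
        id: build_push_sign
        with:
          name: wonderwall
          dockerfile: Dockerfile
          google_service_account: gh-wonderwall
          multi-platform: true
          push: true
          push_ghcr: true
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
    outputs:
      # Image version produced by the build action; consumed by `charts` and
      # `rollout` so that chart, image tag and rollout all agree.
      version: ${{ steps.build_push_sign.outputs.version }}

  charts:
    needs: build
    name: Build and push chart
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        chart: ["wonderwall", "wonderwall-forward-auth"]
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # ratchet:google-github-actions/auth@v3
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
          token_format: "access_token"
      - name: "Login to registry"
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # ratchet:docker/login-action@v4
        with:
          registry: "${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature"
          username: "oauth2accesstoken"
          # Short-lived OIDC-derived token from the auth step; nothing long-lived
          # is stored in the repository.
          password: "${{ steps.auth.outputs.access_token }}"
      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # ratchet:azure/setup-helm@v4
        name: 'Setup Helm'
        with:
          version: '3.13.2'
      - name: Package chart
        id: package_chart
        # Expression values are handed to the script as environment variables;
        # the script itself contains no `${{ }}` expansion.
        env:
          CHART_PATH: ./charts/${{ matrix.chart }}
          IMAGE_VERSION: ${{ needs.build.outputs.version }}
        run: |
          # Refuse to publish a chart with an empty image version; it would
          # otherwise be packaged as "<base>-" with an empty image tag.
          if [ -z "${IMAGE_VERSION}" ]; then
            echo "needs.build.outputs.version is empty; refusing to package chart" >&2
            exit 1
          fi
          chart_version="${CHART_BASE_VERSION}-${IMAGE_VERSION}"
          yq eval \
            '.version="'"$chart_version"'"' \
            "${CHART_PATH}/Chart.yaml" --inplace
          yq eval \
            '.image.tag="'"$IMAGE_VERSION"'"' \
            "${CHART_PATH}/values.yaml" --inplace
          # Fetches chart dependencies over the network; what is pulled is
          # governed by Chart.yaml/Chart.lock in the repository.
          helm dependency update "${CHART_PATH}"
          helm package "${CHART_PATH}" --destination .
          name=$(yq '.name' < "${CHART_PATH}/Chart.yaml")
          echo "name=$name" >> "$GITHUB_OUTPUT"
          echo "version=$chart_version" >> "$GITHUB_OUTPUT"
          echo "archive=$name-$chart_version.tgz" >> "$GITHUB_OUTPUT"
      - name: Push Chart
        env:
          CHART_ARCHIVE: ${{ steps.package_chart.outputs.archive }}
        run: |-
          echo "Pushing: $CHART_ARCHIVE"
          helm push "$CHART_ARCHIVE" "oci://${GOOGLE_REGISTRY}/nais-io/nais/feature"

  rollout:
    name: Rollout
    # Runs on a self-hosted deploy runner; gated to master pushes and to
    # non-dependabot actors so dependency bumps do not roll out on their own.
    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master'
    needs: [build, charts]
    runs-on: fasit-deploy
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        chart: ["wonderwall", "wonderwall-forward-auth"]
    steps:
      - uses: nais/fasit-deploy@8727ed1c7a5a465e837873e6016a9a692a6b874a # ratchet:nais/fasit-deploy@v2
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ matrix.chart }}
          # Must match the version string built by the `charts` job.
          version: "${{ env.CHART_BASE_VERSION }}-${{ needs.build.outputs.version }}"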