name: Build wonderwall
on: [push]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
  GITHUB_REGISTRY: ghcr.io
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout latest code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # ratchet:actions/setup-go@v5
        with:
          go-version: "1.23"
          check-latest: true
      - name: Test Go
        run: |
          make test
          make check
  build:
    needs: test
    name: Publish to Google and GitHub registries
    if: github.ref == 'refs/heads/master'
    permissions:
      contents: "read"
      id-token: "write"
      packages: "write"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
      - name: Install cosign
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.2.3'
      - name: Verify runner image
        run: cosign verify --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com gcr.io/distroless/static-debian12:nonroot
      - uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build_push_sign
        with:
          name: wonderwall
          dockerfile: Dockerfile
          google_service_account: gh-wonderwall
          multi-platform: true
          push: true
          push_ghcr: true
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # ratchet:azure/setup-helm@v4
        name: 'Setup Helm'
        with:
          version: '3.13.2'
      - name: Package chart
        id: package_chart
        env:
          CHART_PATH: ./charts/wonderwall
        run: |
          base_version="$(yq '.version' < "${{ env.CHART_PATH }}/Chart.yaml")"
          chart_version="${base_version}-${{ steps.build_push_sign.outputs.version }}"

          yq eval \
            '.version="'"$chart_version"'"' \
            "${{ env.CHART_PATH }}/Chart.yaml" --inplace
          yq eval \
            '.image.tag="${{ steps.build_push_sign.outputs.version }}"' \
            "${{ env.CHART_PATH }}/values.yaml" --inplace

          # helm dependency update "${{ env.CHART_PATH }}"
          helm package "${{ env.CHART_PATH }}" --destination .

          name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml")
          echo "name=$name" >> $GITHUB_OUTPUT
          echo "version=$chart_version" >> $GITHUB_OUTPUT
          echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT
      - name: Push Chart
        run: |-
          chart="${{ steps.package_chart.outputs.archive }}"
          echo "Pushing: $chart"
          helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
    outputs:
      chart_name: ${{ steps.package_chart.outputs.name }}
      chart_version: ${{ steps.package_chart.outputs.version }}
      chart_archive: ${{ steps.package_chart.outputs.archive }}
  rollout:
    name: Rollout
    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master'
    needs: build
    runs-on: fasit-deploy
    permissions:
      id-token: write
    steps:
      - uses: nais/fasit-deploy@v2 # ratchet:exclude
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build.outputs.chart_name }}
          version: ${{ needs.build.outputs.chart_version }}