wonderwall/.github/workflows/deploy.yml

name: Build wonderwall
on: [push]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
  GITHUB_REGISTRY: ghcr.io
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout latest code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Test Go
        run: |
          make test
          make check
  build:
    needs: test
    name: Publish to Google and GitHub registries
    if: github.ref == 'refs/heads/master'
    permissions:
      contents: "read"
      id-token: "write"
      packages: "write"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
      - name: Install cosign
        uses: sigstore/cosign-installer@e40248c492a99ad409432e2ea978d7a2811f2e1f # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.2.3'
      - name: Verify runner image
        run: cosign verify --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com gcr.io/distroless/static-debian12:nonroot
      - uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build_push_sign
        with:
          name: wonderwall
          dockerfile: Dockerfile
          google_service_account: gh-wonderwall
          multi-platform: true
          push: true
          push_ghcr: true
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
    outputs:
      version: ${{ steps.build_push_sign.outputs.version }}
  charts:
    needs: build
    name: Build and push chart
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        chart: ["wonderwall", "wonderwall-forward-auth"]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193" # ratchet:google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
          token_format: "access_token"
      - name: "Login to registry"
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # ratchet:docker/login-action@v3
        with:
          registry: "${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature"
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"
      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # ratchet:azure/setup-helm@v4
        name: 'Setup Helm'
        with:
          version: '3.13.2'
      - name: Package chart
        id: package_chart
        env:
          CHART_PATH: ./charts/${{ matrix.chart }}
        run: |
          base_version="1.0.0"
          chart_version="${base_version}-${{ needs.build.outputs.version }}"

          yq eval \
            '.version="'"$chart_version"'"' \
            "${{ env.CHART_PATH }}/Chart.yaml" --inplace
          yq eval \
            '.image.tag="${{ needs.build.outputs.version }}"' \
            "${{ env.CHART_PATH }}/values.yaml" --inplace

          helm dependency update "${{ env.CHART_PATH }}"
          helm package "${{ env.CHART_PATH }}" --destination .

          name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml")
          echo "name=$name" >> $GITHUB_OUTPUT
          echo "version=$chart_version" >> $GITHUB_OUTPUT
          echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT
      - name: Push Chart
        run: |-
          chart="${{ steps.package_chart.outputs.archive }}"
          echo "Pushing: $chart"
          helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
  rollout:
    name: Rollout
    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master'
    needs: [build, charts]
    runs-on: fasit-deploy
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        chart: ["wonderwall", "wonderwall-forward-auth"]
    steps:
      - uses: nais/fasit-deploy@v2 # ratchet:exclude
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ matrix.chart }}
          version: "1.0.0-${{ needs.build.outputs.version }}"