name: Container Images

on:
  pull_request:
    branches:
      - "*"
    paths:
      - 'images/**'

  push:
    branches:
      - main
    paths:
      - 'images/**'

permissions:
  contents: write
  packages: write

env:
  PLATFORMS: linux/amd64

jobs:
  changes:
    permissions:
      contents: read  # for dorny/paths-filter to fetch a list of changed files
      pull-requests: read  # for dorny/paths-filter to read pull requests
    runs-on: ubuntu-latest
    outputs:
      custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }}
      cfssl: ${{ steps.filter.outputs.cfssl }}
      fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }}
      e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }}
      go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }}
      httpbun: ${{ steps.filter.outputs.httpbun }}
      kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
      ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
      nginx: ${{ steps.filter.outputs.nginx }}

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            custom-error-pages:
              - 'images/custom-error-pages/**'
            cfssl:
              - 'images/cfssl/**'
            fastcgi-helloserver:
              - 'images/fastcgi-helloserver/**'
            e2e-test-echo:
              - 'images/e2e-test-echo/**'
            go-grpc-greeter-server:
              - 'images/go-grpc-greeter-server/**'
            httpbun:
              - 'images/httpbun/**'
            kube-webhook-certgen:
              - 'images/kube-webhook-certgen/**'
            ext-auth-example-authsvc:
              - 'images/ext-auth-example-authsvc/**'
            nginx:
              - 'images/nginx/**'
 
  #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
  cfssl:
    needs: changes
    if: |
      (needs.changes.outputs.cfssl == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: cfssl
    secrets: inherit

  custom-error-pages:
    needs: changes
    if: |
      (needs.changes.outputs.custom-error-pages == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: custom-error-pages
    secrets: inherit


  e2e-test-echo:
    needs: changes
    if: |
      (needs.changes.outputs.e2e-test-echo == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: e2e-test-echo
    secrets: inherit

  ext-auth-example-authsvc:
    needs: changes
    if: |
      (needs.changes.outputs.ext-auth-example-authsvc == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: ext-auth-example-authsvc
    secrets: inherit

  fastcgi-helloserver:
    needs: changes
    if: |
      (needs.changes.outputs.fastcgi-helloserver == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: fastcgi-helloserver
    secrets: inherit

  go-grpc-greeter-server:
    needs: changes
    if: |
      (needs.changes.outputs.go-grpc-greeter-server == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: go-grpc-greeter-server
    secrets: inherit

  httpbun:
    needs: changes
    if: |
      (needs.changes.outputs.httpbun == 'true')
    uses: ./.github/workflows/zz-tmpl-images.yaml
    with:
      name: httpbun
    secrets: inherit

  kube-webhook-certgen:
    runs-on: ubuntu-latest
    needs: changes
    if: |
      (needs.changes.outputs.kube-webhook-certgen == 'true')
    strategy:
      matrix:
        k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0, 1.29.0]
    steps:
    - name: Checkout
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    - name: Set up Go
      id: go
      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      with:
        go-version: '1.21.5'
        check-latest: true
    - name: image build
      run: |
        cd images/ && make NAME=kube-webhook-certgen build
    - name: Create Kubernetes cluster
      id: kind
      run: |
        kind create cluster --image=kindest/node:${{ matrix.k8s }}
    - name: image test
      run: |
        cd images/ && make NAME=kube-webhook-certgen test test-e2e

  nginx:
    runs-on: ubuntu-latest
    needs: changes
    if: |
      (needs.changes.outputs.nginx == 'true')
    steps:
    - name: Checkout
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    - name: nginx-base-image
      run: |
        cd images/nginx/rootfs && docker build -t docker.io/nginx-test-workflow/nginx:${{ github.sha }} .
    - name: Run Trivy on NGINX Image
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'docker.io/nginx-test-workflow/nginx:${{ github.sha }}'
        format: 'sarif'
        ignore-unfixed: true
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3.23.0
      with:
        sarif_file: 'trivy-results.sarif'