---
name: Build Self-Host

on:
  push:
    branches-ignore:
      - "l10n_master"
      - "gh-pages"
    paths-ignore:
      - ".github/workflows/**"
  workflow_dispatch:

jobs:
  build-docker:
    name: Build Docker image
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846

      - name: Check Branch to Publish
        env:
          PUBLISH_BRANCHES: "master,rc,hotfix-rc"
        id: publish-branch-check
        run: |
          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES

          if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
            echo "is_publish_branch=true" >> $GITHUB_ENV
          else
            echo "is_publish_branch=false" >> $GITHUB_ENV
          fi

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325

      ########## Login to Docker registries ##########
      - name: Login to Azure - QA Subscription
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

      - name: Login to Azure ACR
        run: az acr login -n bitwardenqa

      - name: Login to Azure - Prod Subscription
        if: ${{ env.is_publish_branch == 'true' }}
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Retrieve secrets
        if: ${{ env.is_publish_branch == 'true' }}
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "docker-password,
            docker-username,
            dct-delegate-2-repo-passphrase,
            dct-delegate-2-key"

      - name: Log into Docker
        if: ${{ env.is_publish_branch == 'true' }}
        env:
          DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
          DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin

      - name: Setup Docker Trust
        if: ${{ env.is_publish_branch == 'true' }}
        env:
          DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
          DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
          DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
        run: |
          mkdir -p ~/.docker/trust/private
          echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
          echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
          echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV

      ########## Generate image tag and build Docker image ##########
      - name: Generate Docker image tag
        id: tag
        run: |
          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
          if [[ "$IMAGE_TAG" == "master" ]]; then
            IMAGE_TAG=dev
          elif [[ "$IMAGE_TAG" == "rc" ]] || [[ "$IMAGE_TAG" == "hotfix-rc" ]]; then
            IMAGE_TAG=beta
          fi

          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

      - name: Generate tag list
        id: tag-list
        env:
          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
        run: |
          if [ "$IMAGE_TAG" = "dev" ] || [ "$IMAGE_TAG" = "beta" ]; then
            echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          else
            echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          fi

      - name: Build Docker image
        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
        with:
          context: .
          file: docker-unified/Dockerfile
          platforms: |
            linux/amd64,
            linux/arm/v7,
            linux/arm64/v8
          push: true
          tags: ${{ steps.tag-list.outputs.tags }}

      - name: Log out of Docker and disable Docker Notary
        if: ${{ env.is_publish_branch == 'true' }}
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV

  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-22.04
    needs: build-docker
    steps:
      - name: Check if any job failed
        if: |
          github.ref == 'refs/heads/master'
          || github.ref == 'refs/heads/rc'
          || github.ref == 'refs/heads/hotfix-rc'
        env:
          BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
        run: |
          if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
              exit 1
          fi

      - name: Login to Azure - Prod Subscription
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        if: failure()
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        if: failure()
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}