.github/workflows/docker.yml

name: docker

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      version:
        description: Application version to use when publishing the project
        required: false
      image-tag:
        description: Additional Docker image tag to apply on deployment
        required: false

jobs:
  # Determine version
  version:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: Determine stable version
        id: stable-version
        if: ${{ inputs.version || github.event_name == 'release' }}
        run: |
          version="${{ inputs.version || github.event.release.tag_name }}"

          if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
              echo "Invalid version: $version"
              exit 1
          fi

          echo "version=$version" >> $GITHUB_OUTPUT

      - name: Determine prerelease version
        id: pre-version
        run: |
          hash="${{ github.event.pull_request.head.sha || github.sha }}"
          echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT

    outputs:
      version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}

  # Build the image without deploying just to make sure the dockerfile is valid
  pack:
    needs: version

    strategy:
      matrix:
        app:
          - Api
          #- AdminConsole
          - Self-Host
        include:
          - app: Api
            dockerfile: Api.dockerfile
          #- app: AdminConsole
          #  dockerfile: AdminConsole.dockerfile
          - app: Self-Host
            dockerfile: self-host/Dockerfile

    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Build image
        run: >
          docker buildx build .
          --file ${{ matrix.dockerfile }}
          --platform linux/amd64,linux/arm64
          --build-arg VERSION=${{ needs.version.outputs.version }}
          --output type=tar,dest=image.tar

  # Build and deploy the image
  deploy:
    if: ${{ github.event_name != 'pull_request' }}
    needs: version

    strategy:
      matrix:
        app:
          - Api
          #- AdminConsole
          - Self-Host
        include:
          - app: Api
            dockerfile: Api.dockerfile
            name: passwordless-test-api
          #- app: AdminConsole
          #  dockerfile: AdminConsole.dockerfile
          #  repository: passwordless-test-admin-console
          - app: Self-Host
            dockerfile: self-host/Dockerfile
            name: passwordless-self-host

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Setup Docker Content Trust
        id: setup-dct
        uses: bitwarden/gh-actions/setup-docker-trust@main
        with:
          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-ci"

      - name: Build & push image
        env:
          DOCKER_CONTAINER_NAMESPACE: bitwarden
          DOCKER_CONTENT_TRUST: 1
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
        run: >
          docker buildx build .
          --file ${{ matrix.dockerfile }}
          --platform linux/amd64,linux/arm64
          --build-arg VERSION=${{ needs.version.outputs.version }}
          --push
          ${{ format('--tag {0}/{1}:dev', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) }}
          ${{ github.event_name == 'release' && format('--tag {0}/{1}:qa', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) || '' }}
          ${{ github.event_name == 'release' && !github.event.release.prerelease && format('--tag {0}/{1}:latest', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) || '' }}
          ${{ github.event_name == 'release' && !github.event.release.prerelease && format('--tag {0}/{1}:stable', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) || '' }}
          ${{ github.event_name == 'release' && format('--tag {0}/{1}:{2}', env.DOCKER_CONTAINER_NAMESPACE, matrix.name, github.ref_name) || '' }}
          ${{ inputs.image-tag && format('--tag {0}/{1}:{2}', env.DOCKER_CONTAINER_NAMESPACE, matrix.name, inputs.image-tag) || '' }}

      - name: Log out of Docker and disable Docker Notary
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV