name: Server CI Artifacts

on:
  workflow_run:
    workflows:
      - "Server CI"
    types:
      - completed

env:
  COSIGN_VERSION: 2.2.0

jobs:
  ## We only need the condition on the first job
  ## This will run only when a pull request is created with server changes
  update-initial-status:
    if: github.repository_owner == 'mattermost' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-22.04
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@d5174b860704729f4c14ef8489ae075742bfa08a
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: pending

  upload-artifacts:
    runs-on: ubuntu-22.04
    needs:
      - update-initial-status
    steps:
      - name: cd/configure-aws-credentials
        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
        with:
          aws-region: us-east-1
          aws-access-key-id: ${{ secrets.PR_BUILDS_BUCKET_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PR_BUILDS_BUCKET_AWS_SECRET_ACCESS_KEY }}

      - name: cd/download-artifacts-from-PR-workflow
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          name: server-dist-artifact
          path: server/dist

      - name: cd/generate-packages-file-list
        working-directory: ./server/dist
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"
          echo "EOF" >> "${GITHUB_ENV}"

      - name: cd/upload-artifacts-to-s3
        run: aws s3 sync server/dist/ s3://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/ --cache-control no-cache --no-progress --acl public-read

      - name: cd/generate-summary
        run: |
          echo "### Download links for Mattermost team package" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Mattermost Repo SHA: \`${{ github.event.workflow_run.head_sha }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "|Download Link|" >> "${GITHUB_STEP_SUMMARY}"
          echo "| --- |" >> "${GITHUB_STEP_SUMMARY}"
          for package in ${PACKAGES_FILE_LIST}
            do
              echo "|[${package}](https://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/${package})|" >> "${GITHUB_STEP_SUMMARY}"
          done

  build-docker:
    runs-on: ubuntu-22.04
    needs:
      - upload-artifacts
    outputs:
      TAG: ${{ steps.set_tag.outputs.TAG }}
    steps:
      - name: cd/docker-login
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: mattermostdev
          password: ${{ secrets.DOCKERHUB_DEV_TOKEN }}

      - name: cd/setup-cosign
        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
        with:
          cosign-release: v${{ env.COSIGN_VERSION }}

      - name: cd/download-artifacts-from-PR-workflow
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          name: server-build-artifact
          path: server/build/

      - name: cd/setup-docker-buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: cd/set-docker-tag
        id: set_tag
        run: |
          echo "TAG=$(echo '${{ github.event.workflow_run.head_sha }}' | cut -c1-7)" >> $GITHUB_OUTPUT

      - name: cd/docker-build-and-push
        id: docker
        env:
          MM_PACKAGE: https://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/mattermost-team-linux-amd64.tar.gz
          TAG: ${{ steps.set_tag.outputs.TAG }}
        run: |
          cd server/build
          docker buildx build --no-cache --platform linux/amd64 --push --build-arg MM_PACKAGE=${MM_PACKAGE} -t mattermostdevelopment/mm-te-test:${TAG} -t mattermostdevelopment/mattermost-team-edition:${TAG} .
          echo "DOCKERHUB_IMAGE_DIGEST=$(cosign triangulate mattermostdevelopment/mattermost-team-edition:${TAG} | cut -d: -f2 | sed 's/\.sig$//' | tr '-' ':')" >> "${GITHUB_OUTPUT}"

      - name: cd/generate-summary
        env:
          TAG: ${{ steps.set_tag.outputs.TAG }}
        run: |
          echo "### Docker Image for Mattermost team package" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Mattermost Repo SHA: \`${{ github.event.workflow_run.head_sha }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Docker Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "Image Digest: \`${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "Secure Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}@${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"

  scan-docker-image:
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    env:
      POLICY: "DevOps Vulnerabilities Policy"
    steps:
      - name: cd/setup-wizcli
        run: |
          curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
          chmod +x wizcli
          ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
        env:
          WIZ_CLIENT_ID: ${{ secrets.WIZ_DEVOPS_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_DEVOPS_CLIENT_SECRET }}

      - name: cd/download-container-image
        run: |
          docker pull mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }}

      - name: cd/scan-image
        run: |
          ./wizcli docker scan --image mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }} --policy "$POLICY"

  update-failure-final-status:
    if: (failure() || cancelled()) && github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@d5174b860704729f4c14ef8489ae075742bfa08a
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: failure

  update-success-final-status:
    if: success() && github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@d5174b860704729f4c14ef8489ae075742bfa08a
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: success