.github/workflows/main.yml

name: Main - Attests to https://app.kosli.com

on:
  push:

env:
  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}           # false
  KOSLI_HOST: ${{ vars.KOSLI_HOST }}                 # https://app.kosli.com
  KOSLI_ORG: ${{ vars.KOSLI_ORG }}                   # cyber-dojo
  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}                 # languages-start-points-ci
  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
  KOSLI_TRAIL: ${{ github.sha }}
  SERVICE_NAME: ${{ github.event.repository.name }}  # languages-start-points

jobs:

  setup:
    runs-on: ubuntu-latest
    outputs:
      image_tag:  ${{ steps.variables.outputs.image_tag }}
      image_name: ${{ steps.variables.outputs.image_name }}
    steps:
      - uses: actions/checkout@v4

      - name: Set outputs
        id: variables
        run: |
          IMAGE_TAG=${GITHUB_SHA:0:7}
          echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT}       
          echo "image_name=cyberdojo/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT}          


  pull-request:
    if: ${{ github.ref == 'refs/heads/main' }}
    needs: []
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest pull-request evidence to Kosli
        run:
          kosli attest pullrequest github
            --github-token=${{ secrets.GITHUB_TOKEN }}
            --name=pull-request


  snyk-code-scan:
    needs: []
    runs-on: ubuntu-latest
    env:
      SARIF_FILENAME: snyk.code.scan.json
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Setup Snyk
        uses: snyk/actions/setup@master

      - name: Run Snyk code scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run:
          snyk code test 
            --sarif 
            --sarif-file-output="${SARIF_FILENAME}" 
            --policy-path=.snyk 
            .

      - name: Setup Kosli CLI
        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest evidence to Kosli
        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
        run:
          kosli attest snyk
            --name=languages-start-points.snyk-code-scan 
            --scan-results="${SARIF_FILENAME}"


  build-image:
    needs: [setup]
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
    outputs:
      kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Build image
        run: |
          git fetch origin main:main || true          
          make image

      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASS }}

      - name: Push image to Dockerhub registry
        run:
          docker push "${IMAGE_NAME}"

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest image provenance to Kosli
        if: ${{ github.ref == 'refs/heads/main' }}
        run:
          kosli attest artifact "${IMAGE_NAME}"
            --artifact-type=docker
            --name=languages-start-points
            --trail="${GITHUB_SHA}"

      - name: Make artifact fingerprint available to following jobs
        id: variables
        run: |
          FINGERPRINT=$(kosli fingerprint "${IMAGE_NAME}" --artifact-type=docker)
          echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT}


  snyk-container-scan:
    needs: [setup, build-image]
    runs-on: ubuntu-latest
    env:
      SARIF_FILENAME: snyk.container.scan.json
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Setup Snyk
        uses: snyk/actions/setup@master

      - name: Run Snyk container scan
        env:
          IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run:
          snyk container test ${IMAGE_NAME} 
            --sarif 
            --sarif-file-output="${SARIF_FILENAME}" 
            --policy-path=.snyk

      - name: Setup Kosli CLI
        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest evidence to Kosli
        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
        env:
          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
        run:
          kosli attest snyk 
            --name=languages-start-points.snyk-container-scan 
            --scan-results="${SARIF_FILENAME}"


  sdlc-control-gate:
    if: ${{ github.ref == 'refs/heads/main' }}
    needs: [setup, build-image, pull-request, snyk-container-scan, snyk-code-scan]
    runs-on: ubuntu-latest
    steps:
      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Kosli SDLC gate to short-circuit the workflow
        env:
          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
        run:
          kosli assert artifact ${IMAGE_NAME}


  approve-deployment-to-beta:
    needs: [setup, build-image, sdlc-control-gate]
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: https://beta.cyber-dojo.org
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest approval of deployment to Kosli
        env:
          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
          KOSLI_ENVIRONMENT: aws-beta
        run:
          kosli report approval ${IMAGE_NAME}
            --approver="${{ github.actor }}"


  deploy-to-beta:
    needs: [setup, approve-deployment-to-beta]
    uses: ./.github/workflows/sub_deploy_to_beta.yml
    with:
      IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
    secrets:
      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}


  approve-deployment-to-prod:
    needs: [setup, build-image, deploy-to-beta]
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://cyber-dojo.org
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Attest approval of deployment to Kosli
        env:
          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
          KOSLI_ENVIRONMENT: aws-prod
        run:
          kosli report approval ${IMAGE_NAME}
            --approver="${{ github.actor }}"


  deploy-to-prod:
    needs: [setup, approve-deployment-to-prod]
    uses: ./.github/workflows/sub_deploy_to_prod.yml
    with:
      IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
    secrets:
      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}


  # The cyberdojo/versioner refresh-env.sh script
  # https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh
  # relies on being able to:
  #   - get the :latest image
  #   - extract the SHA env-var embedded inside it
  #   - use the 1st 7 chars of the SHA as a latest-equivalent tag

  push-latest:
    needs: [setup, deploy-to-prod]
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASS }}

      - name: Tag image to :latest and push to Dockerhub Registry
        run: |
          docker pull "${IMAGE_NAME}"
          docker tag "${IMAGE_NAME}" cyberdojo/${{ env.SERVICE_NAME }}:latest
          docker push cyberdojo/${{ env.SERVICE_NAME }}:latest