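---
# Build, scan and publish the protonmail-bridge image for the `next` branch.
#
# Flow: build → push to a job-local registry → vulnerability scan (the job
# fails on critical findings) → push to the real registry only on non-PR
# events. Third-party actions are referenced by tag; pinning every `uses:`
# to a full-length commit SHA is the stronger supply-chain control
# (e.g. `uses: owner/action@<full-commit-sha>  # vN`).
name: build next

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - next
    paths:
      - .github/workflows/next.yaml
      - docker/*
      # NOTE(review): the "Set version" step reads
      # protonmail_bridge_version/VERSION_LATEST, which this pattern does not
      # cover — confirm which directory name is intended (same below).
      - protonmail_version/*
      - VERSION
  pull_request:
    paths:
      - .github/workflows/next.yaml
      - docker/*
      - protonmail_version/*
      - VERSION

# Least-privilege GITHUB_TOKEN: checkout needs contents read and the SARIF
# upload needs security-events write. Registry logins use dedicated secrets,
# not GITHUB_TOKEN, so no packages permission is required.
permissions:
  contents: read
  security-events: write

env:
  DOCKER_REPO: shenxn/protonmail-bridge-ng
  DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge-ng-dev
  PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7

jobs:
  build:
    runs-on: ubuntu-latest
    services:
      # Throwaway registry: the multi-arch image is pushed here and scanned
      # before anything reaches a public registry.
      registry:
        image: registry:2
        ports:
          - "5000:5000"  # quoted so "host:container" always stays a string

    steps:
      - name: Checkout
        # Was `@master`: a mutable branch ref lets unreviewed upstream changes
        # run inside this job. TODO: pin to a full commit SHA.
        uses: actions/checkout@v2

      - name: Set version
        id: version
        # `$GITHUB_OUTPUT` replaces the deprecated `::set-output` command;
        # the output names consumed below are unchanged.
        run: |
          echo "image_version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
          echo "protonmail_bridge_version=$(cat protonmail_bridge_version/VERSION_LATEST)" >> "$GITHUB_OUTPUT"

      - name: Set repo
        id: repo
        # Only a master build targets the production repo; the `next` branch
        # and pull requests target the dev repo.
        run: |
          if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
            echo "repo=${DOCKER_REPO}" >> "$GITHUB_OUTPUT"
          else
            echo "repo=${DOCKER_REPO_DEV}" >> "$GITHUB_OUTPUT"
          fi

      - name: Docker meta
        id: docker_meta
        uses: crazy-max/ghaction-docker-meta@v1
        with:
          images: ${{ steps.repo.outputs.repo }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          # host networking lets the builder reach the localhost:5000 service
          driver-opts: network=host

      # Despite the name, this step does push — but only to the job-local
      # registry above, so the image can be scanned before publication.
      - name: Build image without push to registry
        uses: docker/build-push-action@v2
        with:
          context: ./docker
          file: ./docker/Dockerfile
          build-args: PROTONMAIL_BRIDGE_VERSION=${{ steps.version.outputs.protonmail_bridge_version }}
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: localhost:5000/protonmail-bridge:latest

      - name: Scan image
        id: scan
        uses: anchore/scan-action@v2
        with:
          image: localhost:5000/protonmail-bridge:latest
          # Gate: any critical finding fails the job before the publish steps.
          fail-build: true
          severity-cutoff: critical
          acs-report-enable: true

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      # Credentials are never exposed to pull_request runs.
      # NOTE(review): this workflow only triggers on pushes to `next`, so the
      # master-gated DockerHub login below cannot currently run.
      - name: Login to DockerHub
        uses: docker/login-action@v1
        if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/master' }}
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/next' }}
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}

      - name: Push image
        uses: docker/build-push-action@v2
        with:
          context: ./docker
          file: ./docker/Dockerfile
          build-args: PROTONMAIL_BRIDGE_VERSION=${{ steps.version.outputs.protonmail_bridge_version }}
          platforms: ${{ env.PLATFORMS }}
          tags: |
            ${{ steps.repo.outputs.repo }}:latest
            ${{ steps.repo.outputs.repo }}:${{ steps.version.outputs.image_version }}-${{ steps.version.outputs.protonmail_bridge_version }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          # Pull requests build and scan but never publish.
          push: ${{ github.event_name != 'pull_request' }}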