From b26719d6e054bb3e3b24ba0a421335a0f305be52 Mon Sep 17 00:00:00 2001
From: Jose Javier Merchante
Date: Mon, 10 Oct 2022 10:10:33 +0200
Subject: [PATCH 1/2] [docker] Build image automatically after each release
This commit creates the image for grimoirelab/grimoirelab when a new release is generated. The tag for the image will be obtainer from the release name. Latest tag will not be updated when a release candidate is built.
Signed-off-by: Jose Javier Merchante
---
 .github/workflows/docker-image.yml | 74 ++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 .github/workflows/docker-image.yml
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 00000000..5da8ca7b
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,74 @@
+name: Publish Docker image
+
+on:
+ release:
+ types: [published]
+
+env:
+ DOCKER_IMAGE_NAME: "grimoirelab/grimoirelab"
+
+jobs:
+ package-ready:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up Python 3.8
+ uses: actions/setup-python@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ python-version: 3.8
+
+ - name: Wait for GrimoireLab package ready in PyPI
+ run: |
+ package="grimoirelab"
+ version="${{github.ref_name}}"
+ # Format version 1.2.3-rc.1 to 1.2.3rc1
+ versionNum=${version%-*}
+ versionRC=${version#$versionNum}
+ versionRC=${versionRC//[-.]/}
+ currentVersion="${versionNum}${versionRC}"
+
+ pip install --upgrade pip
+ for i in $(seq 20)
+ do
+ pip index versions --pre $package > pip_versions.txt
+ pipVersion=$(cat pip_versions.txt | head -n 1 | cut -f2 -d '(' | cut -f1 -d ')')
+ echo "$currentVersion $pipVersion"
+ if [ "$pipVersion" = "$currentVersion" ]
+ then
+ echo "Same version"
+ exit 0
+ fi
+ echo "Wait for PyPI..."
+ sleep 10
+ done
+ echo "Latest version doesn't match after several retries"
+ exit 1
+
+ build-image:
+ runs-on: ubuntu-latest
+ needs: [package-ready]
+ environment: docker-release
+ steps:
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1
+ with:
+ images: |
+ ${{ env.DOCKER_IMAGE_NAME }}
+ tags: |
+ type=semver,pattern={{version}}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0
+
+ - name: Login to DockerHub
+ uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@c84f38281176d4c9cdb1626ffafcd6b3911b5d94 # v3.1.1
+ with:
+ context: "{{defaultContext}}:docker"
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
From 9d3b760c1813e66eae619e23de0303ebd6361029 Mon Sep 17 00:00:00 2001
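Review bot: `version="${{github.ref_name}}"` in the "Wait for GrimoireLab package ready in PyPI" step splices a workflow expression directly into the shell script text before bash parses it, which is the expression-injection pattern GitHub warns about for `run:` steps; release tags are created by maintainers, so the exposure here is small, but the safer and conventional form is to pass the value through the step's environment, `env:` / `RELEASE_TAG: ${{ github.ref_name }}` on the step and `version="$RELEASE_TAG"` in the script, so the tag is a plain variable rather than script source. A smaller point in the same hunk: `python-version: 3.8` is an unquoted float, which works for 3.8 but will silently become 3.1 the day it is bumped to 3.10; `python-version: "3.8"` avoids the trap. The remaining action references are pinned to full commit SHAs with a version comment, which is the right shape for a release workflow that holds registry credentials.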
From: Jose Javier Merchante
Date: Tue, 11 Oct 2022 09:58:55 +0200
Subject: [PATCH 2/2] [docker] Sign image with sigstore
This commit signs Docker images with cosign. This allows to include an extra security layer.
Signed-off-by: Jose Javier Merchante
---
 .github/workflows/docker-image.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 5da8ca7b..38d8bab2 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -48,6 +48,9 @@ jobs:
 needs: [package-ready]
 environment: docker-release
 steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
+
 - name: Docker metadata
 id: meta
 uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1
@@ -72,3 +75,11 @@ jobs:
 context: "{{defaultContext}}:docker"
 push: true
 tags: ${{ steps.meta.outputs.tags }}
+
+ - name: Sign image with a key
+ run: |
+ cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
+ env:
+ TAGS: ${{ steps.meta.outputs.tags }}
+ COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
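Review bot: `cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}` in the "Sign image with a key" step signs by tag, and a tag is a mutable pointer, so the signature is bound to whatever the registry resolves for that tag when cosign runs rather than to the exact manifest this job just pushed; signing the digest closes that gap. The build step (its `- name: Build and push` line is above this hunk, in the enclosing `build-image` job) can be given `id: build`, and the signing step then runs `cosign sign --key env://COSIGN_PRIVATE_KEY "${DOCKER_IMAGE_NAME}@${DIGEST}"` with `DIGEST: ${{ steps.build.outputs.digest }}` in its `env` instead of `TAGS`. That also removes the reliance on unquoted `${TAGS}` being word-split at newlines when the metadata step produces more than one tag. As a style point, `${{secrets.COSIGN_PRIVATE_KEY}}` and `${{secrets.COSIGN_PASSWORD}}` drop the inner spaces that every other expression in this file uses (`${{ secrets.DOCKERHUB_TOKEN }}`); keep them consistent.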