.github/workflows/release.yaml

name: Release
permissions:
  contents: read

on:
  release:
    types:
      - published

jobs:
  goreleaser:
    permissions:
      contents: write
      issues: read
      pull-requests: read
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    outputs:
      tag: ${{ steps.tagName.outputs.tag }}
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3

      - name: Unshallow
        run: git fetch --prune --unshallow

      - name: Set up Node.js
        uses: actions/setup-node@969bd2663942d722d85b6a8626225850c2f7be4b # pin@v3
        with:
          node-version: 16.x

      - name: Set up Go
        uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # pin@v2
        with:
          go-version: 1.18.x

      - name: Set up Docker
        run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

      - uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a # pin@v1
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - uses: google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb # pin@v0
        with:
          project_id: pomerium-io
          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Gcloud login
        run: gcloud auth configure-docker

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a # pin@v2
        with:
          version: v0.184.0
          args: release --config .github/goreleaser.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPARITOR_GITHUB_TOKEN: ${{ secrets.APPARITOR_GITHUB_TOKEN }}

      - name: Get tag name
        id: tagName
        run: |
          TAG=$(git describe --tags --exact-match)
          echo ::set-output name=tag::${TAG}
          echo ::set-output name=version::${TAG#v}

      - name: Install Cloudsmith CLI
        run: |
          pip3 install cloudsmith-cli

      - name: Publish to Cloudsmith
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
        working-directory: dist/
        run: |
          VERSION=${{ steps.tagName.outputs.version }}
          RPMS="pomerium-${VERSION}-1.x86_64.rpm pomerium-${VERSION}-1.aarch64.rpm"
          for pkg in $(echo $RPMS); do
            cloudsmith push rpm pomerium/pomerium/el/any-version $pkg
          done

          DEBS="pomerium_${VERSION}-1_amd64.deb pomerium_${VERSION}-1_arm64.deb"
          for pkg in $(echo $DEBS); do
            cloudsmith push deb pomerium/pomerium/any-distro/any-version $pkg
          done

      - name: Find latest tag
        id: latestTag
        run: |
          LATEST_TAG=$(git tag | grep -vi 'rc' | sort --version-sort | tail -1)
          echo "::set-output name=tag::${LATEST_TAG}"

      - name: Publish latest tag
        if: "steps.latestTag.outputs.tag == steps.tagName.outputs.tag"
        run: |
          docker manifest create -a pomerium/pomerium:latest pomerium/pomerium:amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:arm64v8-${{ steps.tagName.outputs.tag }}
          docker manifest push pomerium/pomerium:latest

          docker tag gcr.io/pomerium-io/pomerium:${{ steps.tagName.outputs.tag }}-cloudrun gcr.io/pomerium-io/pomerium:latest-cloudrun
          docker push gcr.io/pomerium-io/pomerium:latest-cloudrun

          docker manifest create -a pomerium/pomerium:nonroot pomerium/pomerium:nonroot-amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:nonroot-arm64v8-${{ steps.tagName.outputs.tag }}
          docker manifest push pomerium/pomerium:nonroot

          docker manifest create -a pomerium/pomerium:debug pomerium/pomerium:debug-amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:debug-arm64v8-${{ steps.tagName.outputs.tag }}
          docker manifest push pomerium/pomerium:debug

          docker manifest create -a pomerium/pomerium:debug-nonroot pomerium/pomerium:debug-nonroot-amd64-${{ steps.tagName.outputs.tag }} pomerium/pomerium:debug-nonroot-arm64v8-${{ steps.tagName.outputs.tag }}
          docker manifest push pomerium/pomerium:debug-nonroot

  deploy:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - name: Checkout Gitops Repo
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3
        with:
          repository: pomerium/gitops-argocd
          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}

      - name: Bump test environment
        uses: mikefarah/yq@9b6961875e10b058aeb482f263f26ca0f6b18eb8 # pin@v4.23.1
        with:
          cmd: yq eval '.pomerium.image.tag = "${{ needs.goreleaser.outputs.tag }}"' -i projects/pomerium-demo/pomerium-demo/values.yaml

      - name: Commit changes
        uses: stefanzweifel/git-auto-commit-action@6c32682a4040e023c054b2fc60a7cf65cc77f7ad # pin@v4
        with:
          commit_message: |
            Bump test environment pomerium/pomerium
            Image tag: ${{ needs.goreleaser.outputs.tag }}
            Source Repo: ${{ github.repository }}@${{ github.sha }}