.github/workflows/artifacts.yaml

name: Artifacts

on:
  workflow_call:
    inputs:
      publish:
        description: Publish artifacts to the artifact store
        default: false
        required: false
        type: boolean
    outputs:
      container-image-name:
        description: Container image name
        value: ${{ jobs.container-image.outputs.name }}
      container-image-digest:
        description: Container image digest
        value: ${{ jobs.container-image.outputs.digest }}
      container-image-tag:
        description: Container image tag
        value: ${{ jobs.container-image.outputs.tag }}
      container-image-ref:
        description: Container image ref
        value: ${{ jobs.container-image.outputs.ref }}

permissions:
  contents: read

jobs:
  container-image:
    name: Container image
    runs-on: ubuntu-latest-large

    permissions:
      contents: read
      packages: write
      id-token: write
      security-events: write

    outputs:
      name: ${{ steps.image-name.outputs.value }}
      digest: ${{ steps.build.outputs.digest }}
      tag: ${{ steps.meta.outputs.version }}
      ref: ${{ steps.image-ref.outputs.value }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Set image name
        id: image-name
        run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"

      - name: Gather build metadata
        id: meta
        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
        with:
          images: ${{ steps.image-name.outputs.value }}
          flavor: |
            latest = false
          tags: |
            type=ref,event=branch
            type=ref,event=pr,prefix=pr-
            type=semver,pattern={{raw}}
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=branch,suffix=-{{sha}}-{{date 'X'}},enable={{is_default_branch}}

      # Multiple exporters are not supported yet
      # See https://github.com/moby/buildkit/pull/2760
      - name: Determine build output
        uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
        id: build-output
        with:
          cond: ${{ inputs.publish }}
          if_true: type=image,push=true
          if_false: type=oci,dest=image.tar

      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
        if: inputs.publish

      - name: Build and push image
        id: build
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          target: ${{ matrix.target }}
          build-args: |
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max,ignore-error=true
          outputs: ${{ steps.build-output.outputs.value }}
          # push: ${{ inputs.publish }}

      - name: Set image ref
        id: image-ref
        run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"

      - name: Fetch image
        run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
        if: inputs.publish

      - name: Extract OCI tarball
        run: |
          mkdir -p image
          tar -xf image.tar -C image

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
        with:
          input: image
          format: sarif
          output: trivy-results.sarif

      - name: Upload Trivy scan results as artifact
        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
        with:
          name: "[${{ github.job }}] Trivy scan results"
          path: trivy-results.sarif
          retention-days: 5

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
        with:
          sarif_file: trivy-results.sarif