.github/workflows/build-cli-docker.yml

---
name: Build bws Docker image

on:
  push:
    branches:
      - "main"
  workflow_dispatch:
  pull_request:

env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io

jobs:
  build-docker:
    name: Build Docker image
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      - name: Check Branch to Publish
        id: publish-branch-check
        run: |
          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            echo "is_publish_branch=true" >> $GITHUB_ENV
          else
            echo "is_publish_branch=false" >> $GITHUB_ENV
          fi

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

      ########## Login to Docker registries ##########
      - name: Login to Azure - Prod Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Login to Azure ACR
        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

      - name: Setup Docker Trust
        if: ${{ env.is_publish_branch == 'true' }}
        uses: bitwarden/gh-actions/setup-docker-trust@main
        with:
          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-ci"

      ########## Generate image tag and build Docker image ##########
      - name: Generate Docker image tag
        id: tag
        run: |
          REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
          IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
          if [[ "${IMAGE_TAG}" == "main" ]]; then
            IMAGE_TAG=dev
          fi

          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Generate tag list
        id: tag-list
        env:
          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
        run: |
          if [[ "${IMAGE_TAG}" == "dev" ]]; then
            echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          else
            echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          fi

      - name: Build and push Docker image
        uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0
        with:
          context: .
          file: crates/bws/Dockerfile
          platforms: |
            linux/amd64,
            linux/arm64/v8
          push: true
          tags: ${{ steps.tag-list.outputs.tags }}
          secrets: |
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

      - name: Log out of Docker and disable Docker Notary
        if: ${{ env.is_publish_branch == 'true' }}
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV

  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-22.04
    needs: build-docker
    steps:
      - name: Check if any job failed
        if: github.ref == 'refs/heads/main'
        env:
          BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
        run: |
          if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
              exit 1
          fi

      - name: Login to Azure - CI subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}