.github/workflows/ci-latest-release.yml

name: ci-latest-release

on:
  push:
    branches:
      - "main"
      - "v*"
    paths:
      - "KubeArmor/**"
      - "protobuf/**"
      - ".github/workflows/ci-latest-release.yml"
      - "!STABLE-RELEASE"

  create:
    branches:
      - "v*"

jobs:
  build:
    name: Create KubeArmor latest release
    if: github.repository == 'kubearmor/kubearmor'
    runs-on: ubuntu-20.04
    permissions:
      id-token: write 
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true

      - uses: actions/setup-go@v3
        with:
          go-version: "v1.20"

      - name: Install the latest LLVM toolchain
        run: ./.github/workflows/install-llvm.sh

      - name: Compile libbpf
        run: ./.github/workflows/install-libbpf.sh

      - name: Setup a Kubernetes enviroment
        id: vars
        run: |
          if [ ${{ github.ref }} == "refs/heads/main" ]; then
            echo "tag=latest" >> $GITHUB_OUTPUT
          else
            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
          fi
          RUNTIME=docker ./contribution/k3s/install_k3s.sh

      - name: Generate KubeArmor artifacts
        run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh ${{ steps.vars.outputs.tag }}

      - name: Deploy KubeArmor into Kubernetes
        run: |
          helm upgrade --install kubearmor ./deployments/helm \
          --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
          -n kube-system;

          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app

      - name: Test KubeArmor using Ginkgo
        run: |
          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
          make -C tests/
        timeout-minutes: 30

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_AUTHTOK }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          platforms: linux/amd64,linux/arm64/v8

      - name: Push KubeArmor images to Docker
        run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }}

      - name: Install Cosign 
        uses: sigstore/cosign-installer@main

      - name: Get Image Digest
        id: digest
        run: | 
          echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
          echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT

      - name: Sign the Container Images
        run: |
          cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes
          cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes

  push-stable-version:
    name: Create KubeArmor stable release
    needs: build
    if: github.ref != 'refs/heads/main'
    runs-on: ubuntu-20.04
    permissions:
      id-token: write
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v3
        with:
          ref: main

      - name: Install regctl
        run: |
          curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
          chmod 755 regctl
          mv regctl /usr/local/bin

      - name: Check install
        run: regctl version

      - name: Get tag
        id: match
        run: |
          value=`cat STABLE-RELEASE`
          if [ ${{ github.ref }} == "refs/heads/$value" ]; then
            echo "tag=true" >> $GITHUB_OUTPUT
          else
            echo "tag=false" >> $GITHUB_OUTPUT
          fi

      - name: Login to Docker Hub
        if: steps.match.outputs.tag == 'true'
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_AUTHTOK }}

      - name: Generate the stable version of KubeArmor in Docker Hub
        if: steps.match.outputs.tag == 'true'
        run: |
          STABLE_VERSION=`cat STABLE-RELEASE`
          regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags