.github/workflows/build.yml

on:
  pull_request:
  workflow_dispatch:

# Declare default permissions as read only.
permissions:
  contents: read

jobs:
  test_image:
    permissions:
      # Allow to write packages for the docker/scout-action to write a comment
      packages: write
      # Allow to write pull requests for the docker/scout-action to write a comment
      pull-requests: write
      # Allow to write security events for github/codeql-action/upload-sarif to upload SARIF results
      security-events: write 
    runs-on: ubuntu-24.04
    env:
      IMAGE_REPOSITORY_NAME: flutter-android
      VERSION_MANIFEST: config/version.json
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Read environment variables from version.json
        env:
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: ./script/set_environment_variables.sh

      - name: Load image metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        id: metadata
        with:
          images: |
            ${{ env.IMAGE_REPOSITORY_PATH }}
            ghcr.io/${{ env.IMAGE_REPOSITORY_PATH }}
            quay.io/${{ env.IMAGE_REPOSITORY_PATH }}
          tags: |
            type=raw,value=${{ env.FLUTTER_VERSION }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

      - name: Build image and push to local Docker daemon
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
        with:
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: ${{ steps.metadata.outputs.labels }}
          tags: ${{ steps.metadata.outputs.tags }}
          target: android
          build-args: |
            flutter_version=${{ env.FLUTTER_VERSION }}
            fastlane_version=${{ env.FASTLANE_VERSION }}
            android_build_tools_version=${{ env.ANDROID_BUILD_TOOLS_VERSION }}
            android_platform_versions=${{ env.ANDROID_PLATFORM_VERSIONS }}

      - name: Test image
        uses: plexsystems/container-structure-test-action@c0a028aa96e8e82ae35be556040340cbb3e280ca # v0.3.0
        with:
          image: ${{ fromJSON(steps.metadata.outputs.json).tags[0] }}
          config: test/android.yml

      # TODO: Parallelize testing and vulnerability scanning
      - name: Scan with Docker Scout
        id: docker-scout
        uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1
        with:
          command: compare, recommendations
          # Use the Docker Hub image that is the first tag in the metadata
          image: local://${{ fromJson(steps.metadata.outputs.json).tags[0] }}
          # github-token is needed to be able to write the PR comment
          github-token: ${{ github.token }}
          only-fixed: true
          organization: ${{ secrets.DOCKER_HUB_USERNAME }}
          # sarif-file: output.sarif.json
          to-env: prod
          # Enable debug logging when needed
          # debug: true
          # verbose-debug: true

  validate_version:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Setup Cue for JSON validation
        uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1

      - name: Validate version.json and flutter_version.json
        run: |
          cue vet config/version.cue config/version.json
          cue vet config/flutter_version.cue config/flutter_version.json

  validate_generated_config:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Generate test files
        uses: mikefarah/yq@bbdd97482f2d439126582a59689eb1c855944955 # v4
        with:
          cmd: ./script/update_test.sh

      - name: Check if there are any changes in the git working tree
        run: |
          git add -A
          git diff --exit-code HEAD

  build_docs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      
      - name: Setup NodeJS
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
        with:
          cache: 'npm'
          cache-dependency-path: docs/src/package-lock.json
          node-version-file: docs/src/package.json

      - name: Update documentation
        working-directory: docs/src
        run: |
          npm ci --prefer-offline
          npm run build

      - name: Check if there are any changes in the git working tree
        run: |
          git add -A  
          git diff --exit-code HEAD

  test_gradle:
    permissions:
      # Allow to read packages to pull the container image from GitHub Container Registry
      packages: read
    runs-on: ubuntu-24.04
    container:
      image: ghcr.io/${{ github.repository_owner }}/flutter-android:${{ vars.FLUTTER_VERSION }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ github.token }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Read version.json
        id: version-json
        run: |
          {
            echo "content<<EOF" 
            cat ./config/version.json
            echo "EOF"
          } >> $GITHUB_OUTPUT

      - name: Set environment variables from version.json
        run: |
          echo "FLUTTER_VERSION=${{ fromJson( steps.version-json.outputs.content ).flutter.version }}" >> $GITHUB_ENV
          echo "FLUTTER_CHANNEL=${{ fromJson( steps.version-json.outputs.content ).flutter.channel }}" >> $GITHUB_ENV

      - name: Setup Flutter
        run: |
          cd $FLUTTER_ROOT
          git fetch origin ${{ env.FLUTTER_VERSION }}:${{ env.FLUTTER_VERSION }}
          git switch ${{ env.FLUTTER_VERSION }}

      - name: Create test application
        run: |
          flutter create test_app

      - name: Update default Android platform versions in Flutter
        working-directory: test_app/android
        run: |
          cat ../../script/updateAndroidVersions.gradle >> app/build.gradle
          ./gradlew --warning-mode all updateAndroidVersions

      - name: Setup Cue for JSON validation
        uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1

      - name: Validate version.json
        run: cue vet config/version.cue config/version.json