---
name: Build

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
  pull_request:

jobs:
  build-artifacts:
    name: Build artifacts
    runs-on: ubuntu-22.04

    steps:
      - name: Check out repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Set up .NET
        uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1

      - name: Publish project
        working-directory: src/KeyConnector
        run: |
          echo "Publish"
          dotnet publish -c "Release" -o obj/build-output/publish
          cd obj/build-output/publish
          zip -r KeyConnector.zip .
          mv KeyConnector.zip ../../../
          pwd
          ls -atlh ../../../

      - name: Upload project artifact
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: KeyConnector.zip
          path: src/KeyConnector/KeyConnector.zip
          if-no-files-found: error

  build-docker:
    name: Build Docker images
    runs-on: ubuntu-22.04
    needs: build-artifacts
    env:
      _AZ_REGISTRY: bitwardenprod.azurecr.io
      _PROJECT_NAME: key-connector

    steps:
      - name: Check out repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Log in to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Log in to ACR
        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

      - name: Generate Docker image tag
        id: tag
        run: |
          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
          if [[ "$IMAGE_TAG" == "main" ]]; then
            IMAGE_TAG=dev
          fi
          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

      - name: Generate full image name
        id: image-name
        env:
          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
        run: echo "name=${_AZ_REGISTRY}/${_PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Get build artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: KeyConnector.zip

      - name: Set up build artifact
        run: |
          mkdir -p src/KeyConnector/obj/build-output/publish
          unzip KeyConnector.zip -d src/KeyConnector/obj/build-output/publish

      - name: Build Docker image
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: src/KeyConnector
          file: src/KeyConnector/Dockerfile
          platforms: linux/amd64
          push: true
          tags: ${{ steps.image-name.outputs.name }}

      - name: Scan Docker image
        id: container-scan
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          image: ${{ steps.image-name.outputs.name }}
          fail-build: false
          output-format: sarif

      - name: Upload Grype results to GitHub
        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
        with:
          sarif_file: ${{ steps.container-scan.outputs.sarif }}