name: Build Self-Host Unified

on:
  push:
    paths:
      - "docker-unified/**"
      - ".github/workflows/build-unified.yml"
  workflow_call:
    inputs:
      server_branch:
        type: string
        default: main
  workflow_dispatch:
    inputs:
      server_branch:
        description: "Server branch name to deploy (examples: 'main', 'rc', 'feature/sm')"
        type: string
        default: main
  pull_request:
    paths:
      - ".github/workflows/build-unified.yml"
      - "docker-unified/**"

env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io

jobs:
  build-docker:
    name: Build Docker image
    runs-on: ubuntu-22.04
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: Checkout Repository - workflow_call
        if: ${{ github.event_name == 'workflow_call' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: bitwarden/self-host
          ref: main

      - name: Checkout Repository - workflow_dispatch
        if: ${{ github.event_name != 'workflow_call' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Get server branch to checkout
        id: server-branch-name
        env:
          SERVER_BRANCH: ${{ inputs.server_branch }}
        run: |
          if [[ -z "${SERVER_BRANCH}" ]]; then
            echo "server_branch=main" >> $GITHUB_OUTPUT
          else
            echo "server_branch=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT
          fi

      - name: Check Branch to Publish
        env:
          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
          SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }}
        id: publish-branch-check
        run: |
          if [[ "${{ github.event_name }}" == "workflow_call" ]]; then
            REF=main
          else
            REF=${GITHUB_REF#refs/heads/}
          fi

          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES

          if [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then
            echo "is_publish_branch=true" >> $GITHUB_ENV
          else
            echo "is_publish_branch=false" >> $GITHUB_ENV
          fi

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

      ########## Login to Docker registries ##########
      - name: Login to Azure - Prod Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Login to Azure ACR
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

      - name: Setup Docker Trust
        if: ${{ env.is_publish_branch == 'true' }}
        uses: bitwarden/gh-actions/setup-docker-trust@main
        with:
          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-ci"

      ########## Generate image tag and build Docker image ##########
      - name: Generate Docker image tag
        id: tag
        env:
          SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }}
        run: |
          IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g")  # slash safe branch name
          if [[ "${IMAGE_TAG}" == "main" ]]; then
            IMAGE_TAG=dev
          elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
            IMAGE_TAG=beta
          fi

          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Generate tag list
        id: tag-list
        env:
          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
          IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
        run: |
          if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
            echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          else
            echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
          fi

      - name: Checkout server repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: bitwarden/server
          token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
          ref: ${{ steps.server-branch-name.outputs.server_branch }}
          path: "server"

      - name: Build and push Docker image
        id: build-docker
        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
        with:
          context: .
          file: docker-unified/Dockerfile
          platforms: |
            linux/amd64,
            linux/arm/v7,
            linux/arm64/v8
          push: true
          tags: ${{ steps.tag-list.outputs.tags }}
          secrets: |
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

      - name: Install Cosign
        if: env.is_publish_branch == 'true'
        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0

      - name: Sign image with Cosign
        if: env.is_publish_branch == 'true'
        env:
          DIGEST: ${{ steps.build-docker.outputs.digest }}
          TAGS: ${{ steps.tag-list.outputs.tags }}
        run: |
          IFS="," read -a tags <<< "${TAGS}"
          images=""
          for tag in "${tags[@]}"; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}

      - name: Scan Docker image
        id: container-scan
        uses: anchore/scan-action@869c549e657a088dc0441b08ce4fc0ecdac2bb65 # v5.3.0
        with:
          image: ${{ steps.tag-list.outputs.primary_tag }}
          fail-build: false
          output-format: sarif

      - name: Upload Grype results to GitHub
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: ${{ steps.container-scan.outputs.sarif }}

      - name: Log out of Docker and disable Docker Notary
        if: ${{ env.is_publish_branch == 'true' }}
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV

  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-22.04
    needs: build-docker
    steps:
      - name: Check if any job failed
        if: |
          (github.ref == 'refs/heads/main'
          || github.ref == 'refs/heads/rc'
          || github.ref == 'refs/heads/hotfix-rc')
          && contains(needs.*.result, 'failure')
        run: exit 1

      - name: Login to Azure - CI subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}