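---
# Woodpecker CI pipeline for the discord-notifier image.
#
# Flow: pull requests get a dry-run multi-arch build; pushes to main build,
# publish, collect per-arch digests, scan the published image with Trivy and
# post a Discord notification.
variables:
  - &file Containerfile
  - &repo dev.shielddagger.com/opensource/discord-notifier

when:
  - event: [push, pull_request]

steps:
  # Record the short commit SHA for the build (only on pushes to main).
  - name: configure
    when:
      - event: push
        branch: main
    image: alpine:latest
    commands:
      - echo ${CI_COMMIT_SHA:0:8} > .version

  # Multi-arch build without a push, to validate PRs.
  # NOTE(review): this step runs privileged on pull_request events and is handed
  # the registry credentials; if the forge allows pull requests from forks, the
  # PR author's Containerfile runs with both. Confirm the pull_request trigger is
  # limited to trusted sources, or drop the registry secrets from the dry run.
  # NOTE(review): the plugin image is unpinned; pin a tag (or digest) so the
  # builder cannot change underneath the pipeline.
  - name: dryrun
    image: woodpeckerci/plugin-docker-buildx
    backend_options:
      kubernetes:
        securityContext:
          privileged: true
    settings:
      dockerfile: *file
      platforms: linux/arm64,linux/amd64
      cache_from: type=registry,ref=dev.shielddagger.com/opensource/discord-notifier
      cache_to: type=inline
      dry_run: true
      repo: *repo
      tags: latest
      registry: dev.shielddagger.com
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      - event: pull_request

  # Build and push the multi-arch image on main; auto_tag adds the
  # version-derived tags alongside the short-SHA tag.
  - name: publish
    image: woodpeckerci/plugin-docker-buildx
    backend_options:
      kubernetes:
        securityContext:
          privileged: true
    settings:
      dockerfile: *file
      platforms: linux/arm64,linux/amd64
      cache_from: type=registry,ref=dev.shielddagger.com/opensource/discord-notifier
      cache_to: type=inline
      repo: *repo
      auto_tag: true
      tags: ${CI_COMMIT_SHA:0:8}
      registry: dev.shielddagger.com
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      - event: push
        branch: main

  # Resolve the per-architecture manifest digests of the image just pushed,
  # so the scan step can pin exactly what was published.
  - name: gather-digests
    image: quay.io/skopeo/stable:latest
    environment:
      DOCKER_USER:
        from_secret: registry_username
      DOCKER_PASS:
        from_secret: registry_password
    when:
      - event: push
        branch: main
    commands:
      - dnf install -y jq
      # Feed the password on stdin rather than as an argument so it does not
      # appear in the process list or in the step's command echo.
      - printf '%s' "$DOCKER_PASS" | skopeo login dev.shielddagger.com --username "$DOCKER_USER" --password-stdin
      # Select each platform's manifest from the index; fail early if the
      # lookup produced nothing so the scan step does not run against "@".
      - skopeo inspect --raw docker://dev.shielddagger.com/opensource/discord-notifier:latest | jq -r '.manifests[] | select(.platform.architecture=="arm64").digest' > digest-arm64
      - skopeo inspect --raw docker://dev.shielddagger.com/opensource/discord-notifier:latest | jq -r '.manifests[] | select(.platform.architecture=="amd64").digest' > digest-amd64
      - test -s digest-arm64 && test -s digest-amd64

  # Vulnerability scan of the published image; fails the pipeline on any
  # HIGH/CRITICAL finding. Both published architectures are scanned, since
  # base layers and dependencies can differ per platform.
  # NOTE(review): aquasec/trivy is unpinned; pin a version so scanner
  # behaviour and exit codes are reproducible.
  - name: image-scan
    image: aquasec/trivy
    environment:
      TRIVY_USER:
        from_secret: registry_username
      # Trivy reads the registry password from TRIVY_PASSWORD; the username is
      # passed explicitly with --username below.
      TRIVY_PASSWORD:
        from_secret: registry_password
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
      TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
    commands:
      - export ARM64_DIGEST=$(cat digest-arm64)
      - export AMD64_DIGEST=$(cat digest-amd64)
      - trivy image --platform linux/arm64 --debug dev.shielddagger.com/opensource/discord-notifier@$ARM64_DIGEST --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
      - trivy image --platform linux/amd64 --debug dev.shielddagger.com/opensource/discord-notifier@$AMD64_DIGEST --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
    when:
      - event: push
        branch: main

  # Post the pipeline outcome to Discord; never fails the pipeline itself.
  - name: notify
    image: dev.shielddagger.com/opensource/discord-notifier
    failure: ignore
    settings:
      webhook_url:
        from_secret: discord_webhook
      woodpecker_url: https://ci.shielddagger.com/api
      woodpecker_token:
        from_secret: woodpecker_token
      # NOTE(review): this value is a Discord webhook URL with its token
      # embedded, committed in plain text, not an image URL as the key name
      # suggests. Rotate the webhook and move whatever value the plugin
      # actually needs here behind from_secret.
      icon_url: https://discord.com/api/webhooks/1231848304694919270/1ApQzOPMfNosxhQ62HbYScBT5s94m0bIUn1IFGQlT6d8Ru2ImcHHjjkFA_SaonBNU3yz
    when:
      - status: [success, failure]

depends_on:
  - scans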