.github/workflows/release.yaml

---
name: Release

on:
  push:
    branches: [main]

jobs:
  semrel:
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: none
      pull-requests: none
      repository-projects: none
      security-events: none
      statuses: none
      id-token: none

    name: Semantic Release
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.semrel.outputs.version }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Semantic Release
        uses: go-semantic-release/action@v1
        id: semrel
        with:
          github-token: ${{ secrets.ADFINISBOT_PAT }}
          allow-initial-development-versions: true
  backend:
    name: Release Backend
    runs-on: ubuntu-latest
    if: needs.semrel.outputs.version != ''
    needs: semrel
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: write
      statuses: none
      id-token: write # needed for signing the images with GitHub OIDC using cosign

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Adjust Version
        run: |
          sed 's/"0.0.0"/"${{ needs.semrel.outputs.version }}"/g' -i ./backend/pyproject.toml

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}/backend
          flavor: |
            latest=auto
          tags: |
            type=semver,pattern={{version}},value=${{ needs.semrel.outputs.version }}
            type=semver,pattern={{major}}.{{minor}},value=${{ needs.semrel.outputs.version }}
            type=semver,pattern={{major}},value=${{ needs.semrel.outputs.version }}
          labels: |
            org.opencontainers.image.title=backend
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.url=${{ github.event.repository.html_url }}
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}

      - name: Build and Push backend Docker Image
        uses: docker/build-push-action@v5
        id: docker
        with:
          context: ./backend/
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: |
            ${{ steps.meta.outputs.labels }}

      - name: Sign backend image and attach SBOM attestation
        uses: adfinis/container-scanning-action@v0.2.3
        with:
          image-ref: ghcr.io/${{ github.repository }}/backend
          token: ${{ secrets.GITHUB_TOKEN }}
          digest: ${{ steps.docker.outputs.digest }}
          attest: true

  frontend:
    name: Release frontend
    runs-on: ubuntu-latest
    if: needs.semrel.outputs.version != ''
    needs: semrel
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: write
      statuses: none
      id-token: write # needed for signing the images with GitHub OIDC using cosign

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Adjust Version
        run: |
          sed 's/"0.0.0"/"${{ needs.semrel.outputs.version }}"/g' -i ./frontend/package.json

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}/frontend
          flavor: |
            latest=auto
          tags: |
            type=semver,pattern={{version}},value=${{ needs.semrel.outputs.version }}
            type=semver,pattern={{major}}.{{minor}},value=${{ needs.semrel.outputs.version }}
            type=semver,pattern={{major}},value=${{ needs.semrel.outputs.version }}
          labels: |
            org.opencontainers.image.title=frontend
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.url=${{ github.event.repository.html_url }}
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}

      - name: Build and Push
        uses: docker/build-push-action@v5
        id: docker
        with:
          context: ./frontend/
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: |
            ${{ steps.meta.outputs.labels }}

      - name: Sign image and attach SBOM attestation
        uses: adfinis/container-scanning-action@v0.2.3
        with:
          image-ref: ghcr.io/${{ github.repository }}/frontend
          token: ${{ secrets.GITHUB_TOKEN }}
          digest: ${{ steps.docker.outputs.digest }}
          attest: true

  chart:
    name: Release Helm Chart
    runs-on: ubuntu-latest
    if: needs.semrel.outputs.version != ''
    needs:
      - backend
      - frontend
      - semrel
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: none
      statuses: none
      id-token: none

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Adjust Version
        run: |
          sed -r 's/"(0.0.0|latest)"/"${{ needs.semrel.outputs.version }}"/g' -i ./charts/timed/Chart.yaml

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.14.0

      - name: Package Chart
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami
          helm dependency build charts/timed
          helm package --destination=dist charts/timed

      - name: Push Chart
        run: helm push dist/*.tgz oci://ghcr.io/${{ github.repository }}/helm