.github/workflows/deploy-BETA.yml

---
#########################
#########################
## Deploy Docker Image ##
#########################
#########################

#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#

#######################################
# Start the job on all push to main #
#######################################
name: "Build & Deploy - BETA"
on:
  push:
    branches:
      - main
      - dbgbeta
    paths:
      - ".github/workflows/**"
      - "Dockerfile"
      - "flavors/**"
      - "megalinter/**"
      - "mega-linter-runner/**"
      - "**/linter-versions.json"
      - "TEMPLATES/**"
      - ".trivyignore"
      - "**/.sh"

###############
# Set the Job #
###############
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  build:
    # Name the Job
    name: Deploy Docker Image - BETA
    # Set the agent to run on
    runs-on: ubuntu-latest
    permissions:
      actions: write
      packages: write
    # Only run this on the main repo
    if: github.repository == 'oxsecurity/megalinter' && !contains(github.event.head_commit.message, 'skip deploy') && !contains(github.event.head_commit.message, 'Release MegaLinter v')
    environment:
      name: beta
    ##################
    # Load all steps #
    ##################
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      ########################################################
      # Publish updated version of mega-linter-runner on NPM #
      ########################################################
      - uses: actions/setup-node@v4.1.0
        with:
          node-version: "20.x"
          registry-url: "https://registry.npmjs.org"
      - run: cd mega-linter-runner && yarn install --frozen-lockfile
      - run: cd mega-linter-runner && BETAID=$(date '+%Y%m%d%H%M') && npm version prerelease --preid="beta$BETAID"
        shell: bash
      - run: cd mega-linter-runner && npm publish --tag beta || echo "mega-linter-runner beta not published"
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Free disk space
      - name: Free Disk space
        shell: bash
        run: |
          sudo rm -rf /usr/local/lib/android  # will release about 10 GB if you don't need Android
          sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
          sudo rm -rf /opt/ghc
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"

      - name: Docker Metadata action
        uses: docker/metadata-action@v5.6.1
        id: meta
        with:
          images: |
            name=ghcr.io/${{ github.repository }}
          tags: |
            type=raw,value=beta

      - name: Docker Metadata action (Docker Hub)
        uses: docker/metadata-action@v5.6.1
        id: meta-dhub
        with:
          images: |
            name=docker.io/${{ github.repository }}
          tags: |
            type=raw,value=beta

      - name: Docker Metadata action (Server)
        uses: docker/metadata-action@v5.6.1
        id: meta-s
        with:
          images: |
            name=ghcr.io/${{ github.repository }}-server
          tags: |
            type=raw,value=beta

      - name: Docker Metadata action (Server Docker Hub)
        uses: docker/metadata-action@v5.6.1
        id: meta-s-dhub
        with:
          images: |
            name=docker.io/${{ github.repository }}-server
          tags: |
            type=raw,value=beta

      # - name: Docker Metadata action (Worker)
      #   uses: docker/metadata-action@v5.5.1
      #   id: meta-w
      #   with:
      #     images: |
      #       name=ghcr.io/${{ github.repository }}-worker
      #     tags: |
      #       type=raw,value=beta

      - name: Docker Metadata action (Worker Server)
        uses: docker/metadata-action@v5.6.1
        id: meta-w-dhub
        with:
          images: |
            name=docker.io/${{ github.repository }}-worker
          tags: |
            type=raw,value=beta

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & Push Docker Image (Server)
        uses: docker/build-push-action@v6
        with:
          context: .
          file: server/Dockerfile
          platforms: linux/amd64
          build-args: |
            BUILD_DATE=${{ fromJSON(steps.meta-s.outputs.json).labels['org.opencontainers.image.created'] }}
            BUILD_VERSION=${{ fromJSON(steps.meta-s.outputs.json).labels['org.opencontainers.image.version'] }}
            BUILD_REVISION=${{ fromJSON(steps.meta-s.outputs.json).labels['org.opencontainers.image.revision'] }}
          load: false
          push: ${{ github.event_name != 'pull_request' }}
          secrets: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
          tags: ${{ steps.meta-s.outputs.tags }}

      - name: Invoke Mirror docker image workflow (Server image)
        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: mirror-docker-image.yml
          inputs: '{ "source-image": "${{ steps.meta-s.outputs.tags }}", "target-image": "${{ steps.meta-s-dhub.outputs.tags }}" }'

      - name: Build & Push Docker Image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64
          build-args: |
            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            BUILD_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
            BUILD_REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
          load: false
          push: ${{ github.event_name != 'pull_request' }}
          secrets: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
          tags: ${{ steps.meta.outputs.tags }}

      - name: Invoke Mirror docker image workflow (Main image)
        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: mirror-docker-image.yml
          inputs: '{ "source-image": "${{ steps.meta.outputs.tags }}", "target-image": "${{ steps.meta-dhub.outputs.tags }}" }'

      # - name: Build & Push Docker Worker Image
      #   uses: docker/build-push-action@v6
      #   with:
      #     context: .
      #     file: Dockerfile-worker
      #     platforms: linux/amd64
      #     build-args: |
      #       MEGALINTER_BASE_IMAGE=${{ fromJson(steps.meta-w.outputs.json).tags[0]}}
      #       BUILD_DATE=${{ fromJSON(steps.meta-w.outputs.json).labels['org.opencontainers.image.created'] }}
      #       BUILD_VERSION=${{ fromJSON(steps.meta-w.outputs.json).labels['org.opencontainers.image.version'] }}
      #       BUILD_REVISION=${{ fromJSON(steps.meta-w.outputs.json).labels['org.opencontainers.image.revision'] }}
      #     load: false
      #     push: ${{ github.event_name != 'pull_request' }}
      #     secrets: |
      #       GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
      #     tags: ${{ steps.meta-w.outputs.tags }}

      # - name: Invoke Mirror docker image workflow (Worker image)
      #   uses: benc-uk/workflow-dispatch@v1
      #   with:
      #     workflow: mirror-docker-image.yml
      #     inputs: '{ "source-image": "${{ steps.meta-w.outputs.tags }}", "target-image": "${{ steps.meta-w-dhub.outputs.tags }}" }'

      # ###############################
      # # Run tests for code coverage #
      # ###############################
      # - name: Run Test Cases and code coverage
      #   shell: bash
      #   run: |
      #     export CI_ENV="$(bash <(curl -s https://codecov.io/env)) -e GITHUB_ACTIONS"
      #     echo "CI_ENV=${CI_ENV}"
      #     docker run $CI_ENV -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint oxsecurity/megalinter:beta
      #   timeout-minutes: 60

      ##############################################
      # Check Docker image security with Trivy #
      ##############################################
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ steps.meta.outputs.tags }}"
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          scanners: vuln
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: 15m0s
        env:
            ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}