deploy_reusable.yml
name: 'Container Build & Deploy'

# Reusable workflow: it runs only when another workflow invokes it through
# `workflow_call`, and the caller supplies every input and secret below.
#
# The jobs place these inputs into registry names, image tags and shell
# scripts, so callers should pass fixed, trusted strings rather than text
# derived from event data such as branch names or pull-request titles.
on:
  workflow_call:
    inputs:
      # GitHub environment both jobs run in. The deploy job also uses it to
      # build the docs storage account name; the value "pr" gets the
      # pull-request number appended.
      ENVIRONMENT:
        required: true
        type: string
      # Container registry used for `az acr login`, the Docker login and as
      # the prefix of both image tags.
      REGISTRY:
        required: true
        type: string
      # Repository of the application image within the registry.
      REPO:
        required: true
        type: string
      # Repository of the documentation image within the registry.
      REPO_DOCS:
        required: true
        type: string
      # Name of the Azure Web App that receives the application image.
      APP:
        required: true
        type: string
    secrets:
      # Identifiers handed to azure/login in both jobs. No client secret is
      # passed; together with `id-token: write` on the jobs this points to
      # federated (OIDC) sign-in.
      AZURE_CLIENT_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_SUBSCRIPTION_ID:
        required: true
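jobs:
  # Builds the application JAR, then builds and pushes the application and
  # documentation images, both tagged with the commit SHA.
  #
  # NOTE(review): every action in this file is referenced by a movable
  # major-version tag. Pinning each `uses:` to a reviewed full commit SHA
  # keeps a retagged release from running with this job's Azure and
  # registry sessions.
  build:
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.ENVIRONMENT }}
    permissions:
      # Needed so azure/login can request an OIDC token; the repository
      # itself stays read-only.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # The image build below uses the repository root as its context,
          # so keep the checkout token out of .git/config. No later step
          # visibly needs git credentials.
          persist-credentials: false
      - uses: actions/setup-java@v4
        with:
          # Quoted so the version is always read as a string.
          java-version: '17'
          distribution: corretto
          cache: gradle
      - name: Build JAR
        run: ./gradlew clean :app:shadowJar
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login via Azure CLI
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Retrieve registry password
        id: retrieve-registry-password
        uses: azure/CLI@v2
        env:
          # Passed through the environment instead of being expanded into
          # the script text, so the value cannot be parsed as shell syntax.
          # NOTE(review): relies on azure/CLI forwarding step environment
          # variables into its container - confirm on the version in use.
          ACR_NAME: ${{ inputs.REGISTRY }}
        with:
          inlineScript: |
            ACR_PASSWORD=$(az acr login --name "$ACR_NAME" --expose-token \
              --output tsv --query accessToken)
            # Mask the token before it is written anywhere the log can echo.
            echo "::add-mask::$ACR_PASSWORD"
            echo "ACR_PASSWORD=$ACR_PASSWORD" >> "$GITHUB_OUTPUT"
      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.REGISTRY }}
          # All-zero GUID: the placeholder user name that goes with an ACR
          # access token obtained via `--expose-token`.
          username: '00000000-0000-0000-0000-000000000000'
          password: ${{ steps.retrieve-registry-password.outputs.ACR_PASSWORD }}
      - name: Build and push container image to registry
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: '${{ inputs.REGISTRY }}/${{ inputs.REPO }}:${{ github.sha }}'
          file: ./Dockerfile
          context: .
      - name: Build and push documentation container image to registry
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: '${{ inputs.REGISTRY }}/${{ inputs.REPO_DOCS }}:${{ github.sha }}'
          file: ./ig/Dockerfile
          context: ./ig

  # Points the Web App at the image pushed by `build`, then copies the
  # generated documentation out of the docs image into blob storage.
  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: ${{ inputs.ENVIRONMENT }}
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Login via Azure CLI
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy to Azure Web App
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v3
        with:
          app-name: ${{ inputs.APP }}
          slot-name: production
          images: '${{ inputs.REGISTRY }}/${{ inputs.REPO }}:${{ github.sha }}'
      - name: Retrieve registry password
        id: retrieve-registry-password
        uses: azure/CLI@v2
        env:
          # Same environment indirection as in the build job.
          ACR_NAME: ${{ inputs.REGISTRY }}
        with:
          inlineScript: |
            ACR_PASSWORD=$(az acr login --name "$ACR_NAME" --expose-token \
              --output tsv --query accessToken)
            echo "::add-mask::$ACR_PASSWORD"
            echo "ACR_PASSWORD=$ACR_PASSWORD" >> "$GITHUB_OUTPUT"
      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.REGISTRY }}
          username: '00000000-0000-0000-0000-000000000000'
          password: ${{ steps.retrieve-registry-password.outputs.ACR_PASSWORD }}
      # NOTE(review): third-party action on a movable tag that runs after
      # the Azure and registry logins; a full commit SHA pin matters most
      # here.
      - name: Extract generated documentation from the documentation image
        id: extract
        uses: shrink/actions-docker-extract@v3
        with:
          image: '${{ inputs.REGISTRY }}/${{ inputs.REPO_DOCS }}:${{ github.sha }}'
          path: /trusted-intermediary/output/.
      - name: Upload docs to blob storage
        uses: azure/CLI@v2
        env:
          # Caller- and event-derived values reach the script as data, not
          # as script text.
          TARGET_ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
          PR_NUMBER: ${{ github.event.number }}
          DOCS_DIR: ${{ steps.extract.outputs.destination }}
        with:
          inlineScript: |
            # "pr" environments get one storage account per pull request.
            if [ "$TARGET_ENVIRONMENT" = "pr" ]; then
              MODIFIED_ENVIRONMENT="${TARGET_ENVIRONMENT}${PR_NUMBER:-}"
            else
              MODIFIED_ENVIRONMENT="$TARGET_ENVIRONMENT"
            fi
            # '$web' is single-quoted so the shell passes it literally as
            # the container name.
            az storage blob sync --account-name "cdcti${MODIFIED_ENVIRONMENT}docs" \
              -c '$web' -s "$DOCS_DIR"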