.github/workflows/build-push.yml

---
name: Build & Push

on:
  merge_group:
  pull_request:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

permissions:
  contents: read

env:
  REGISTRY: ghcr.io

jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      # dependency-submission needs contents write permission.
      contents: write
      # attest-build-provenance needs id-token write permission.
      id-token: write
      packages: write
      pull-requests: write
    strategy:
      matrix:
        flavor: ["cpp", "rust"]
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        if: github.event_name != 'merge_group'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        if: matrix.flavor == 'cpp'
        id: buildkit-cache
        with:
          path: root-ccache
          key: buildkit-cache-${{ github.run_id }}
          restore-keys: |
            buildkit-cache
      - uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
        if: matrix.flavor == 'cpp'
        with:
          cache-map: |
            {
              "root-ccache": "/root/.ccache"
            }
          skip-extraction: ${{ steps.buildkit-cache.outputs.cache-hit }}
      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        id: metadata
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          # Generate Docker tags based on the following events/attributes
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=pr
            type=semver,pattern={{raw}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      # Generate image LABEL for devcontainer.metadata
      # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
      - run: echo "metadata=$(jq -cj '[.]' .devcontainer/${{ matrix.flavor }}/devcontainer-metadata-vscode.json | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
        id: devcontainer-metadata
      - run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
        id: devcontainer-epoch
      - uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
        id: build-and-push
        env:
          SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
        with:
          file: .devcontainer/${{ matrix.flavor }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'merge_group' }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: |
            ${{ steps.metadata.outputs.labels }}
            devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
          annotations: ${{ steps.metadata.outputs.annotations }}
          sbom: true
          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}
      - uses: ./.github/actions/container-size-diff
        id: container-size-diff
        with:
          from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
      - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
        with:
          header: container-size-diff-${{ matrix.flavor }}
          message: |
            ${{ steps.container-size-diff.outputs.size-diff-markdown }}
      - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
        if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group'
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
          dependency-snapshot: true
      - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
        if: github.event_name == 'pull_request'
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: critical
      - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        if: github.event_name != 'merge_group'
        with:
          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true
      - name: Verify attestation
        if: github.event_name != 'merge_group'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
  acceptance-test:
    if: github.event_name == 'pull_request'
    needs: build-push
    secrets: inherit
    uses: ./.github/workflows/acceptance-test.yml
    with:
      flavor: cpp