.github/workflows/release.yml

name: AST Cli Release

on:
  workflow_call:
    inputs:
      tag:
        description: 'Next release tag'
        required: true
        type: string
      dev:
        description: 'Is dev build'
        required: false
        default: true
        type: boolean
  workflow_dispatch:
    inputs:
      tag:
        description: 'Next release tag'
        required: true
        type: string
      dev:
        description: 'Is dev build'
        required: false
        default: true
        type: boolean

permissions:
  id-token: write
  contents: write

jobs:
  build:
    runs-on: macos-13
    env:
      AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
      APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
      APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
      COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
    steps:
      - name: Checkout
        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
        with:
          fetch-depth: 0
      - name: Install Go
        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
        with:
          go-version-file: go.mod
      - name: Import Code-Signing Certificates
        uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 #v1
        with:
          # The certificates in a PKCS12 file encoded as a base64 string
          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
          # The password used to import the PKCS12 file.
          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
      - name: Updating and upgrading brew to a specific version
        run: |
          brew --version
          cd $(brew --repo)
          git fetch --tags
          git checkout 4.4.15
          export HOMEBREW_NO_AUTO_UPDATE=1
          brew --version

      - name: Install gon
        run: |
          brew install Bearer/tap/gon
      - name: Setup Docker on macOS
        if: inputs.dev == false
        uses: douglascamata/setup-docker-macos-action@4fe96839fcba8a2d746e020d00a89a37afbc7dc9  #v1-alpha.15
      - name: Test docker
        if: inputs.dev == false
        run: |
          docker version
          docker info
      - name: Login to Docker Hub
        if: inputs.dev == false
        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 #v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Install Cosign
        if: inputs.dev == false
        run: |
          brew install sigstore/tap/cosign

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_ASSUME_ROLE_REGION }}
      - name: Tag
        run: |
          echo ${{ inputs.tag }}
          echo "NEXT_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
          tag=${{ inputs.tag }}
          message='${{ inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
          git config user.name "${GITHUB_ACTOR}"
          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
          git tag -a "${tag}" -m "${message}"
          git push origin "${tag}"
      - name: Build GoReleaser Args
        run: |
          args='release --clean --debug'
          if [ ${{ inputs.dev }} = true ]; then
            args=${args}' --config=".goreleaser-dev.yml"'
          fi
          echo "GR_ARGS=${args}" >> $GITHUB_ENV
      - name: Echo GoReleaser Args
        run: echo ${{ env.GR_ARGS }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 #v3
        with:
          version: v1.18.2
          args: ${{ env.GR_ARGS }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GO_BOT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
          S3_BUCKET_REGION: ${{ secrets.S3_BUCKET_REGION }}
          SIGNING_REMOTE_SSH_USER: ${{ secrets.SIGNING_REMOTE_SSH_USER }}
          SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
          SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
          SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
      - name: Sign Docker Image with Cosign
        if: inputs.dev == false
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY checkmarx/ast-cli:${{ inputs.tag }}

      - name: Verify Docker image signature
        if: inputs.dev == false
        run: |
          echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
          cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

  notify:
    needs: build
    uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
    with:
      product_name: CLI
      release_version: ${{ inputs.tag }}
      cli_release_version: ""
      release_author: "Phoenix Team"
      release_url: https://github.com/Checkmarx/ast-cli/releases/tag/${{ inputs.tag }}
    secrets: inherit