.github/workflows/envoy-publish.yml

# This workflow is triggered by azp currently
# Once arm/x64 build jobs are shifted to github, this can be triggered
#  by on: workflow_run
name: Envoy/Publish & verify

permissions:
  contents: read

on:
  workflow_run:
    workflows:
    # Workaround issue with PRs not triggering tertiary workflows
    - Request
    # - Envoy/Prechecks
    types:
    - completed

concurrency:
  group: >-
    ${{ ((github.event.workflow_run.head_branch == 'main'
          || startsWith(github.event.workflow_run.head_branch, 'release/v'))
          && github.event.repository.full_name == github.repository)
        && github.run_id
        || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }}
  cancel-in-progress: true

env:
  CI_DEBUG: ${{ vars.CI_DEBUG }}


jobs:
  load:
    secrets:
      app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
      app-id: ${{ secrets.ENVOY_CI_APP_ID }}
    permissions:
      actions: read
      contents: read
      packages: read
      pull-requests: read
    if: >-
      ${{ github.event.workflow_run.conclusion == 'success' }}
    uses: ./.github/workflows/_load.yml
    with:
      check-name: publish
      # head-sha: ${{ github.sha }}

  build:
    permissions:
      contents: read
      packages: read
    secrets:
      dockerhub-username: >-
        ${{ fromJSON(needs.load.outputs.trusted)
            && secrets.DOCKERHUB_USERNAME
            || '' }}
      dockerhub-password: >-
        ${{ fromJSON(needs.load.outputs.trusted)
            && secrets.DOCKERHUB_PASSWORD
            || '' }}
      gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }}
      gpg-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_GPG_MAINTAINER_KEY || secrets.ENVOY_GPG_SNAKEOIL_KEY }}
      gpg-key-password: >-
        ${{ fromJSON(needs.load.outputs.trusted)
            && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD
            || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }}
    if: ${{ fromJSON(needs.load.outputs.request).run.publish || fromJSON(needs.load.outputs.request).run.verify }}
    needs:
    - load
    uses: ./.github/workflows/_publish_build.yml
    name: Build
    with:
      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
      request: ${{ needs.load.outputs.request }}
      trusted: ${{ fromJSON(needs.load.outputs.trusted) }}

  publish:
    secrets:
      ENVOY_CI_SYNC_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_ID || '' }}
      ENVOY_CI_SYNC_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_KEY || '' }}
      ENVOY_CI_PUBLISH_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }}
      ENVOY_CI_PUBLISH_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }}
      gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }}
    permissions:
      contents: read
      packages: read
    if: ${{ fromJSON(needs.load.outputs.request).run.publish }}
    needs:
    - load
    - build
    uses: ./.github/workflows/_publish_publish.yml
    name: Publish
    with:
      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
      request: ${{ needs.load.outputs.request }}
      trusted: ${{ fromJSON(needs.load.outputs.trusted) }}

  verify:
    secrets:
      gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }}
    permissions:
      contents: read
      packages: read
    if: ${{ fromJSON(needs.load.outputs.request).run.verify }}
    needs:
    - load
    - build
    uses: ./.github/workflows/_publish_verify.yml
    name: Verify
    with:
      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
      request: ${{ needs.load.outputs.request }}
      trusted: ${{ fromJSON(needs.load.outputs.trusted) }}

  request:
    secrets:
      app-id: ${{ secrets.ENVOY_CI_APP_ID }}
      app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
    permissions:
      actions: read
      contents: read
      pull-requests: read
    if: >-
      ${{ always()
          && (fromJSON(needs.load.outputs.request).run.publish
              || fromJSON(needs.load.outputs.request).run.verify) }}
    needs:
    - load
    - build
    - publish
    - verify
    uses: ./.github/workflows/_finish.yml
    with:
      needs: ${{ toJSON(needs) }}