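# Release pipeline for the master/hotfix branches: runs the shared CI workflow,
# cuts a new version with `yarn release`, and — only when the version actually
# changed — records a Sentry release and scans the published images with Docker
# Scout. The "recette" deployment reuses the shared _deploy.yml workflow.
name: Release version
on:
  push:
    branches: [master, hotfix]

jobs:
  tests:
    uses: "./.github/workflows/ci.yml"
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  release:
    # NOTE(review): `release` does not declare `needs: [tests]`, so a version is
    # cut even when the CI job fails — confirm this is intended.
    concurrency:
      group: "release-${{ github.workflow }}-${{ github.ref }}"
    # NOTE(review): write-all grants every scope to GITHUB_TOKEN for this job.
    # Scope it down to what `yarn release` actually needs (presumably
    # `contents: write` for tags/releases and `packages: write` for ghcr pushes).
    permissions: write-all
    outputs:
      VERSION: ${{ steps.get-version.outputs.VERSION }}
      PREV_VERSION: ${{ steps.get-prev-version.outputs.VERSION }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout project
        uses: actions/checkout@v4
        with:
          # Full history is required for `git describe --tags` in the steps below.
          fetch-depth: 0
          persist-credentials: true
      - uses: actions/setup-node@v4
        with:
          # Quoted so YAML keeps it a string; a bare 22.6 is parsed as a float
          # (and e.g. 22.10 would silently become 22.1).
          node-version: "22.6"
      - uses: actions/cache@v4
        with:
          path: |
            **/node_modules
            .yarn/install-state.gz
            .yarn/cache
          key: yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: yarn-
          save-always: true
      - name: Install dependencies
        run: yarn install
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64
          install: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Expose GitHub Runtime
        uses: crazy-max/ghaction-github-runtime@v2
      - name: Retrieve previous version
        id: get-prev-version
        # Most recent tag with the leading "v" stripped, e.g. v1.2.3 -> 1.2.3.
        run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"
      - name: bump and release
        run: yarn release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          # The `env` context only contains variables set in the workflow itself,
          # so the previous `${{ env.GITHUB_REF_NAME }}` resolved to an empty
          # string; `github.ref_name` is the pushed branch name.
          GITHUB_REF_NAME: ${{ github.ref_name }}
      - name: Retrieve new version
        id: get-version
        # Re-read the tag after `yarn release`; equal to PREV_VERSION when no
        # release was cut, which is what the downstream `if:` guards test.
        run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"

  sentry-release:
    if: needs.release.outputs.VERSION != needs.release.outputs.PREV_VERSION
    needs: ["release"]
    runs-on: ubuntu-latest
    # Only the checkout touches the repository; nothing here needs a writable
    # GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - name: Checkout project
        uses: actions/checkout@v4
      - name: Create vault pwd file
        # Pass the secret through the environment rather than expanding it into
        # the script text, and write it verbatim with printf so shell-special
        # characters in the password cannot alter the command or be mangled by
        # word splitting.
        run: printf '%s\n' "$VAULT_PWD" > .infra/.vault_pwd.txt
        env:
          VAULT_PWD: ${{ secrets.VAULT_PWD }}
      - name: Create sentry release
        # Version and SHA are passed as environment variables so the workflow
        # expressions are not interpolated into the shell command line.
        run: .bin/mna-tdb sentry:release "$APP_VERSION" "$GITHUB_SHA"
        env:
          ANSIBLE_VAULT_PASSWORD_FILE: .infra/.vault_pwd.txt
          APP_VERSION: ${{ needs.release.outputs.VERSION }}

  docker-scout:
    if: needs.release.outputs.VERSION != needs.release.outputs.PREV_VERSION
    concurrency:
      group: "scout-${{ github.workflow }}-${{ github.ref }}"
    needs: ["release"]
    runs-on: ubuntu-latest
    # upload-sarif requires `security-events: write` (plus `actions: read` on
    # private repositories); declaring it here keeps the job independent of the
    # repository's default token permissions.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Authenticate to Docker
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Server Docker Scout
        uses: docker/scout-action@v1
        with:
          command: quickview,cves,recommendations,compare
          image: ghcr.io/mission-apprentissage/mna_tdb_server:${{ needs.release.outputs.VERSION }}
          to: ghcr.io/mission-apprentissage/mna_tdb_server:${{ needs.release.outputs.PREV_VERSION }}
          sarif-file: sarif-server.output.json
      - name: Server Docker Upload SARIF result
        # codeql-action v2 is deprecated; v3 is the supported major.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-server.output.json
          category: Docker Server
      - name: UI Docker Scout
        uses: docker/scout-action@v1
        with:
          command: quickview,cves,recommendations,compare
          image: ghcr.io/mission-apprentissage/mna_tdb_ui:${{ needs.release.outputs.VERSION }}-production
          to: ghcr.io/mission-apprentissage/mna_tdb_ui:${{ needs.release.outputs.PREV_VERSION }}-production
          sarif-file: sarif-ui.output.json
      - name: UI Docker Upload SARIF result
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-ui.output.json
          category: Docker UI

  deploy:
    # NOTE(review): unlike sentry-release and docker-scout this job has no
    # version-changed `if:` guard, so it deploys on every push — confirm intended.
    concurrency:
      group: "deploy-${{ github.workflow }}-${{ github.ref }}"
    needs: ["release"]
    name: Deploy ${{ needs.release.outputs.VERSION }} on recette
    uses: "./.github/workflows/_deploy.yml"
    with:
      environment: recette
      app_version: ${{ needs.release.outputs.VERSION }}
    secrets:
      DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
      DEPLOY_PASS: ${{ secrets.DEPLOY_PASS }}
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
      VAULT_PWD: ${{ secrets.VAULT_PWD }}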