name: build from source

on:
  push:
    branches:
      - master
      - dev
    paths:
      - .github/workflows/build.yaml
      - build/*
  pull_request:
    paths:
      - .github/workflows/build.yaml
      - build/*

env:
  DOCKER_REPO: shenxn/protonmail-bridge
  DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge-dev
  PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64

jobs:
  build:
    runs-on: ubuntu-latest
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set version
        id: version
        run: echo "::set-output name=version::`cat build/VERSION`"
      - name: Set repo
        id: repo
        run: if [[ $GITHUB_REF == "refs/heads/master" ]]; then echo "::set-output name=repo::${DOCKER_REPO}"; else echo "::set-output name=repo::${DOCKER_REPO_DEV}"; fi
      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.repo.outputs.repo }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: network=host
      - name: Build image without push to registry
        uses: docker/build-push-action@v6
        with:
          context: ./build
          file: ./build/Dockerfile
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: localhost:5000/protonmail-bridge:latest
      - name: Scan image
        id: scan
        uses: anchore/scan-action@v4
        with:
          image: localhost:5000/protonmail-bridge:latest
          fail-build: true
          severity-cutoff: critical
          output-format: sarif

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
      - name: Login to DockerHub
        uses: docker/login-action@v3
        if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/master' }}
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/dev' }}
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}
      - name: Push image
        uses: docker/build-push-action@v6
        with:
          context: ./build
          file: ./build/Dockerfile
          platforms: ${{ env.PLATFORMS }}
          tags: |
            ${{ steps.repo.outputs.repo }}:build
            ${{ steps.repo.outputs.repo }}:${{ steps.version.outputs.version }}-build
          labels: ${{ steps.docker_meta.outputs.labels }}
          push: ${{ github.event_name != 'pull_request' }}