From 42bdb2bc419c21bafb5d5a804a183999ef866360 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Mon, 23 Sep 2024 23:53:42 -0400
Subject: [PATCH 1/6] [WIP] Initial pass at Dockerfile for #22

---
Dockerfile | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..dce5fc7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+ARG BUILDER_IMAGE=maven:3.9.9-eclipse-temurin-17-alpine
+ARG RUNNER_IMAGE=eclipse-temurin:17-alpine
+ARG CONTAINER_BUILD=yes
+
+FROM ${BUILDER_IMAGE} as builder
+ARG CONTAINER_BUILD
+COPY . /usr/local/src
+RUN if [ -n "$CONTAINER_BUILD" ]; \
+ then apk add --no-cache git unzip && \
+ cd /usr/local/src && \
+ mvn -B -e -Prelease package; \
+ else echo Building on host outside container to copy later; \
+ fi && \
+ cp target/*.zip /tmp
+COPY ./target/oscal-cli-enhanced-2.1.0-SNAPSHOT-oscal-cli.zip /tmp
+WORKDIR /tmp
+RUN unzip *.zip -d /opt/oscal-cli-extended
+
+
+FROM ${RUNNER_IMAGE} as runner
+COPY --from=builder /opt/oscal-cli-extended /opt/oscal-cli-extended
+WORKDIR /opt/oscal-cli-extended
+ENTRYPOINT [ "/opt/oscal-cli-extended/bin/oscal-cli" ]

From ba09d73d5c5b5fcf8f1c4ab41083fe946c108b2f Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Tue, 8 Oct 2024 20:54:01 -0400
Subject: [PATCH 2/6] Complete Dockerfile for #22

This supports "inside container" builds and outside container builds to hard-code as the default for GitHub Actions to follow in the GHA workflow YAML definition because that will not require repeat builds of the container in the pipeline.

---
Dockerfile | 55 ++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dce5fc7..bb54acb 100644
--- a/Dockerfile
+++ b/Dockerfile
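Review bot: The runner stage ends at ENTRYPOINT without a `USER` instruction, so the published image runs oscal-cli as root; patches 2 and 3 on this page rewrite the Dockerfile but keep that. The runner base is alpine, so two lines before ENTRYPOINT suffice: `RUN addgroup -S oscal && adduser -S -G oscal oscal` and `USER oscal` (the CLI tree under /opt is only read, so no `--chown` is needed unless it writes there). Both base images are referenced by moving tags (`maven:3.9.9-eclipse-temurin-17-alpine`, `eclipse-temurin:17-alpine`); appending a `@sha256:` digest to the ARG defaults would make rebuilds reproducible and let the attestation step later in this series describe a fixed input.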
@@ -1,23 +1,54 @@ ARG BUILDER_IMAGE=maven:3.9.9-eclipse-temurin-17-alpine ARG RUNNER_IMAGE=eclipse-temurin:17-alpine -ARG CONTAINER_BUILD=yes +# Not set by default, so it will build in container locally. See the GitHub +# Actions build.yml where build-arg is provider to override and build inside +# the container. +ARG USE_PREBUILT_ZIP FROM ${BUILDER_IMAGE} as builder -ARG CONTAINER_BUILD -COPY . /usr/local/src -RUN if [ -n "$CONTAINER_BUILD" ]; \ - then apk add --no-cache git unzip && \ - cd /usr/local/src && \ - mvn -B -e -Prelease package; \ - else echo Building on host outside container to copy later; \ - fi && \ - cp target/*.zip /tmp -COPY ./target/oscal-cli-enhanced-2.1.0-SNAPSHOT-oscal-cli.zip /tmp +ARG USE_PREBUILT_ZIP +ARG BUILDER_JDK_VENDOR=temurin +ARG BUILDER_JDK_MAJOR_VERSION=17 +ARG BUILDER_JDK_HOME_PATH=/opt/java/openjdk +ADD . /usr/local/src +# You can't copy conditionally for a folder that doesn't exist. +# Make the build boostrap files regardless. +RUN mkdir -p "/root/.m2" +COPY < + + + jdk + + ${BUILDER_JDK_MAJOR_VERSION} + ${BUILDER_JDK_VENDOR} + ${BUILDER_JDK_VENDOR}_${BUILDER_JDK_MAJOR_VERSION} + + + ${BUILDER_JDK_HOME_PATH} + + + +M2TEMPLATE +RUN if [[ -z "$USE_PREBUILT_ZIP" ]]; then \ + apk add --no-cache git unzip && \ + cd /usr/local/src && \ + mvn -B -e -Prelease package && \ + cp ./target/*.zip /tmp; \ + else \ + echo "Using prebuilt ZIP archive from outside container"; \ + fi + +# Conditional source to prevent failed check for pre-built zip when the variable +# USE_PREBUILT_ZIP is set. See the following: +# https://stackoverflow.com/a/43656644 +# https://stackoverflow.com/a/46801962 +COPY pom.xml ./target/*.zi[p] /tmp WORKDIR /tmp RUN unzip *.zip -d /opt/oscal-cli-extended - FROM ${RUNNER_IMAGE} as runner COPY --from=builder /opt/oscal-cli-extended /opt/oscal-cli-extended WORKDIR /opt/oscal-cli-extended +RUN /opt/oscal-cli-extended/bin/oscal-cli --version ENTRYPOINT [ "/opt/oscal-cli-extended/bin/oscal-cli" ] 
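Review bot: `ADD . /usr/local/src` replaces the `COPY` from patch 1 for a plain local directory; `ADD` adds tar auto-extraction and URL-fetch semantics that are not wanted here, so `COPY . /usr/local/src` is the right instruction. On the prebuilt path the `./target/*.zi[p]` glob deliberately matches nothing when the archive is absent, which means a missing artifact only surfaces later as an unhelpful `unzip` error; a guard such as `RUN ls /tmp/*.zip && unzip /tmp/*.zip -d /opt/oscal-cli-extended` names the real cause. `[[ -z "$USE_PREBUILT_ZIP" ]]` is a bash-ism that busybox ash happens to accept; `[ -z "$USE_PREBUILT_ZIP" ]` as in patch 1 is portable. The heredoc `COPY` destination and the XML it writes are not legible on this page, so I cannot confirm the toolchains file lands where Maven reads it.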
From 14797e6d95973e1e87c751b6300db024d8dd3c39 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Tue, 8 Oct 2024 21:30:01 -0400
Subject: [PATCH 3/6] Capitalize FROM ... AS defs for image spec for #22

---
Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index bb54acb..670d84c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@ ARG RUNNER_IMAGE=eclipse-temurin:17-alpine
 # the container.
 ARG USE_PREBUILT_ZIP
 
-FROM ${BUILDER_IMAGE} as builder
+FROM ${BUILDER_IMAGE} AS builder
 ARG USE_PREBUILT_ZIP
 ARG BUILDER_JDK_VENDOR=temurin
 ARG BUILDER_JDK_MAJOR_VERSION=17
@@ -47,7 +47,7 @@ COPY pom.xml ./target/*.zi[p] /tmp
 WORKDIR /tmp
 RUN unzip *.zip -d /opt/oscal-cli-extended
 
-FROM ${RUNNER_IMAGE} as runner
+FROM ${RUNNER_IMAGE} AS runner
 COPY --from=builder /opt/oscal-cli-extended /opt/oscal-cli-extended
 WORKDIR /opt/oscal-cli-extended
 RUN /opt/oscal-cli-extended/bin/oscal-cli --version

From 85c19733b0c803210bbdb7a76d9352ef365a74e5 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Tue, 8 Oct 2024 20:59:15 -0400
Subject: [PATCH 4/6] Set up build in GHA of container for #22

---
.github/workflows/build.yml | 68 +++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ecc4d8b..c098f5b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,13 @@ on:
 type: boolean
 name: Build and Test
 env:
+ HOME_REPO: metaschema-framework/oscal-cli
+ IMAGE_NAME: metaschema-framework/oscal-cli-extended
+ REGISTRY: ghcr.io
+ # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
+ DOCKER_METADATA_PR_HEAD_SHA: true
+ # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 INPUT_FAIL_ON_ERROR: ${{ github.event.inputs.linkcheck_fail_on_error || 'true' }}
 INPUT_ISSUE_ON_ERROR: ${{ github.event.inputs.linkcheck_create_issue || 'false' }}
 MAVEN_VERSION: 3.9.8
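Review bot: `HOME_REPO` is introduced without a comment, yet every container step added later in this patch is gated on `if: github.repository == env.HOME_REPO`, so a reader of the env block cannot tell why the value matters or that forks will skip the image build and push entirely. A one-line comment above it, `# Container image build/push steps run only in this repository; forks skip them (see the image_* steps)`, documents the guard where the value is defined.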
@@ -73,6 +80,67 @@ jobs:
 uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
 with:
 upload: ${{ github.ref_name == 'develop' && 'always' || 'never' }}
+ - if: github.repository == env.HOME_REPO
+ name: Container image QEMU setup for cross-arch builds
+ id: image_setup_qemu
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+ - if: github.repository == env.HOME_REPO
+ name: Container image buildx setup for cross-arch builds
+ id: image_setup_buildx
+ with:
+ platforms: linux/amd64
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
+ - if: github.repository == env.HOME_REPO
+ name: Container image login
+ id: image_login
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - if: github.repository == env.HOME_REPO
+ name: Container image metadata and tag generation
+ id: image_metadata
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+ with:
+ images:
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=sha,prefix=,suffix=,format=long
+ type=ref,event=branch
+ type=ref,event=tag
+ type=ref,event=pr
+ # flavor: |
+ # latest=true
+ annotations: |
+ maintainers="Metaschema Community Admin "
+ org.opencontainers.image.authors="Metaschema Community Admin "
+ org.opencontainers.image.documentation="https://metaschema.dev"
+ org.opencontainers.image.source="https://github.com/metaschema-framework/oscal-cli"
+ org.opencontainers.image.vendor="Metaschema Community"
+ org.opencontainers.image.title="oscal-cli-extended"
+ org.opencontainers.image.description="Metaschema-powered CLI tool for processing OSCAL""
+ org.opencontainers.image.licenses="CC0-1.0"
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
+ name: Container image registry push
+ id: image_registry_push
+ uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ with:
+ build-args: |
+ USE_PREBUILT_ZIP=yes
+ push: true
+ tags: ${{ steps.image_metadata.outputs.tags }}
+ labels: ${{ steps.image_metadata.outputs.annotations }}
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
+ name: Container image push attestations
+ uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+ subject-digest: ${{ steps.image_registry_push.outputs.digest }}
+ push-to-registry: false
 build-website:
 name: Website
 runs-on: ubuntu-20.04

From 67a92769058a992e933f25d8868852612d779843 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Tue, 8 Oct 2024 21:00:21 -0400
Subject: [PATCH 5/6] [WIP] Override "home" repo in #22 for e2e testing

---
.github/workflows/build.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c098f5b..93a980a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,8 +25,8 @@ on:
 type: boolean
 name: Build and Test
 env:
- HOME_REPO: metaschema-framework/oscal-cli
- IMAGE_NAME: metaschema-framework/oscal-cli-extended
+ HOME_REPO: aj-stein-gsa/oscal-cli
+ IMAGE_NAME: aj-stein-gsa/oscal-cli-extended
 REGISTRY: ghcr.io
 # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
 DOCKER_METADATA_PR_HEAD_SHA: true
@@ -214,3 +214,5 @@ jobs:
 with:
 script: |
 core.setFailed('Link checker detected broken or invalid links, read attached report.')
+
+
\ No newline at end of file

From 27e22a6a77afbdc3c78d432ac945081747cd4151 Mon Sep 17 00:00:00 2001
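Review bot: `org.opencontainers.image.description="Metaschema-powered CLI tool for processing OSCAL""` in the `annotations:` block carries a doubled closing quote that goes into the published annotation verbatim (patch 6 still shows it as context); drop the stray `"`. The push step also passes `steps.image_metadata.outputs.annotations` to `labels:`, and metadata-action prefixes that output with the level (`manifest:`/`index:`, per `DOCKER_METADATA_ANNOTATIONS_LEVELS` in the env block), so those strings would become malformed label keys; use `labels: ${{ steps.image_metadata.outputs.labels }}` and feed the annotations to build-push-action's `annotations:` input instead. With `platforms: linux/amd64` only, the QEMU step is currently unused even though its name promises cross-arch builds, which is worth saying in a comment. The attestation step needs `id-token: write` and `attestations: write`, and the push needs `packages: write`; the job's `permissions:` block is outside this hunk, so confirm it grants them rather than relying on repository defaults.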
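Review bot: The switch of `HOME_REPO` and `IMAGE_NAME` to `aj-stein-gsa/...` is a test-only override per the `[WIP]` subject; if it lands, the `github.repository == env.HOME_REPO` guard never matches the upstream repository and every image step silently skips there while the fork publishes under its own name. Restore the `metaschema-framework/...` values before merge, and consider a comment on `HOME_REPO` stating that it must equal the canonical repository for the guard to work.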
From: "A.J. Stein"
Date: Tue, 8 Oct 2024 22:50:44 -0400
Subject: [PATCH 6/6] [WIP] Debug path and file info for Docker COPY commands for #22

---
.github/workflows/build.yml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 93a980a..fdd28d3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -121,6 +121,10 @@ jobs:
 org.opencontainers.image.title="oscal-cli-extended"
 org.opencontainers.image.description="Metaschema-powered CLI tool for processing OSCAL""
 org.opencontainers.image.licenses="CC0-1.0"
+ - run: |
+ pwd
+ ls -lha
+ find '.'
 - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/feature'))
 name: Container image registry push
 id: image_registry_push
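Review bot: The added `- run:` step is unconditional and unnamed, so it executes on every run including forks, and `find '.'` dumps the whole checkout (`.git`, `target/`, the Maven output) into the job log. If its purpose is to verify what the Docker build context holds for the `./target/*.zi[p]` copy, guard it with the same `if: github.repository == env.HOME_REPO`, give it a `name: Debug build context for container image`, and narrow it to `ls -lha target/`; otherwise remove it before merge as the `[WIP]` subject implies.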