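---
# Builds the UBI 8 and UBI 9 Rust builder images on an x86_64 and an aarch64
# runner, pushes them to the Stackable Harbor registry, assembles a multi-arch
# manifest list tagged `latest`, and signs every pushed artifact with cosign
# (keyless flow, GitHub Actions OIDC identity). Failures are reported to Slack.
#
# Supply-chain notes:
# - every third-party action is pinned to a commit SHA; the trailing comment
#   records the human-readable version for reviewers
# - images and the manifest list are signed by digest, never by a mutable tag
# - each job declares its GITHUB_TOKEN permissions explicitly (least privilege)
name: Build UBI Rust Builders
run-name: |
  Build UBI Rust Builders (attempt #${{ github.run_attempt }})
on:
  push:
    branches:
      - main
  schedule:
    - cron: '30 4 * * *'
  workflow_dispatch:
jobs:
  build:
    permissions:
      # checkout reads the repository; once a permissions block is declared,
      # every scope not listed here is `none`
      contents: read
      # needed for the keyless cosign signing flow (OIDC token request)
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
        ubi-version: ["ubi8", "ubi9"]
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # do not leave the GITHUB_TOKEN behind in the checkout's git config
          persist-credentials: false
      - name: Login to Stackable Harbor
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: oci.stackable.tech
          username: robot$sdp+github-action-build
          password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
      - name: Set up Cosign
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
      - name: Determine Architecture
        shell: bash
        run: |
          # Image tag is "<short commit id>-<arch>". The create_manifest job
          # recomputes the short commit id the same way and expects exactly the
          # suffixes "x86_64" and "aarch64", so keep the two in sync.
          echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV"
      - name: Build and push
        id: build-and-push
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: .
          file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
          push: true
          tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
      - name: Sign the published builder image
        shell: bash
        env:
          # digest reported by the push step itself, so the signature is bound
          # to the exact image that was uploaded rather than to a mutable tag
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          # Refer to image via its digest (e.g. oci.stackable.tech/sdp/ubi9-rust-builder@sha256:0a1b2c...)
          # This generates a signature and publishes it to the registry, next to the image
          # Uses the keyless signing flow with Github Actions as identity provider
          # (matrix.ubi-version is interpolated from the fixed matrix above, not from user input)
          cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@$DIGEST"
  create_manifest:
    permissions:
      # checkout reads the repository; once a permissions block is declared,
      # every scope not listed here is `none`
      contents: read
      # needed for the keyless cosign signing flow (OIDC token request)
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        ubi-version: ["ubi8", "ubi9"]
    runs-on: ubuntu-latest
    # runs only after every matrix entry of `build` has succeeded
    needs: ["build"]
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # do not leave the GITHUB_TOKEN behind in the checkout's git config
          persist-credentials: false
      - name: Login to Stackable Harbor
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: oci.stackable.tech
          username: robot$sdp+github-action-build
          password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
      - name: Set up Cosign
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
      - name: Build Manifest List
        shell: bash
        run: |
          # Must produce the same short id as the "Determine Architecture" step
          # of the build job, since the per-arch tags are derived from it there.
          COMMIT_ID=$(git rev-parse --short HEAD)
          MANIFEST_LIST_NAME=oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder
          # The arch suffixes are hard-coded: they must match what `arch` prints
          # on the two runners used by the build job.
          docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64"
          # `docker manifest push` directly returns the digest of the manifest list
          # As it is an experimental feature, this might change in the future
          # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
          # (the step runs with `-e`, so a failed push aborts before cosign is invoked)
          DIGEST=$(docker manifest push "$MANIFEST_LIST_NAME:latest")
          # Refer to image via its digest (e.g. oci.stackable.tech/sdp/ubi9-rust-builder@sha256:0a1b2c...)
          # This generates a signature and publishes it to the registry, next to the image
          # Uses the keyless signing flow with Github Actions as identity provider
          cosign sign -y "$MANIFEST_LIST_NAME@$DIGEST"
  notify:
    name: Failure Notification
    # this job only talks to Slack with its own token; it needs no GITHUB_TOKEN
    # scopes, so disable all of them instead of inheriting the repository default
    permissions: {}
    needs: [build, create_manifest]
    runs-on: ubuntu-latest
    if: failure()
    steps:
      - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
        with:
          channel-id: "C07UG6JH44F" # notifications-container-images
          payload: |
            {
              "text": "*${{ github.workflow }}* failed (attempt ${{ github.run_attempt }})",
              "attachments": [
                {
                  "pretext": "See the details below for a summary of which job(s) failed.",
                  "color": "#aa0000",
                  "fields": [
                    {
                      "title": "Build",
                      "short": true,
                      "value": "${{ needs.build.result }}"
                    },
                    {
                      "title": "Create Manifest",
                      "short": true,
                      "value": "${{ needs.create_manifest.result }}"
                    }
                  ],
                  "actions": [
                    {
                      "type": "button",
                      "text": "Go to workflow run",
                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}"
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}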