# This action will push the sourcemapreader changes to ee
on:
  workflow_dispatch:
    inputs:
      skip_security_checks:
        description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false"
        required: false
        default: "false"
  push:
    branches:
      - dev
    paths:
      - "ee/sourcemap-reader/**"
      - "sourcemap-reader/**"
      - "!sourcemap-reader/.gitignore"
      - "!sourcemap-reader/*-dev.sh"

name: Build and Deploy sourcemap-reader EE

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # We need to diff with old commit
          # to see which workers got changed.
          fetch-depth: 2

      - uses: ./.github/composite-actions/update-keys
        with:
          assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }}
          assist_key: ${{ secrets.ASSIST_KEY }}
          domain_name: ${{ secrets.EE_DOMAIN_NAME }}
          jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }}
          jwt_secret: ${{ secrets.EE_JWT_SECRET }}
          jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }}
          jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }}
          license_key: ${{ secrets.EE_LICENSE_KEY }}
          minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }}
          minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }}
          pg_password: ${{ secrets.EE_PG_PASSWORD }}
          registry_url: ${{ secrets.OSS_REGISTRY_URL }}
        name: Update Keys

      - name: Docker login
        run: |
          docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}"

      - uses: azure/k8s-set-context@v1
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret.
        id: setcontext

      # Caching docker images
      - uses: satackey/action-docker-layer-caching@v0.0.11
        # Ignore the failure of a step and avoid terminating the job.
        continue-on-error: true

      - name: Building and Pushing sourcemaps-reader image
        id: build-image
        env:
          DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
          IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
          ENVIRONMENT: staging
        run: |
          skip_security_checks=${{ github.event.inputs.skip_security_checks }}
          cd sourcemap-reader
          PUSH_IMAGE=0 bash -x ./build.sh
          [[ "x$skip_security_checks" == "xtrue" ]]  || {
            curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ 
            images=("sourcemaps-reader")
            for image in ${images[*]};do
              ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL"  --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG 
            done
            err_code=$?
            [[ $err_code -ne 0 ]] && {
              exit $err_code
            }
          } && {
            echo "Skipping Security Checks"
          }
          images=("sourcemaps-reader")
          for image in ${images[*]};do
            docker push $DOCKER_REPO/$image:$IMAGE_TAG 
          done
      - name: Creating old image input
        run: |
          #
          # Create yaml with existing image tags
          #
          kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\
          tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt

          echo > /tmp/image_override.yaml

          for line in `cat /tmp/image_tag.txt`;
          do
              image_array=($(echo "$line" | tr ':' '\n'))
              cat <<EOF >> /tmp/image_override.yaml
          ${image_array[0]}:
            image:
              tag: ${image_array[1]}
          EOF
          done

      - name: Deploy to kubernetes
        run: |
          cd scripts/helmcharts/

          # Update changed image tag
          sed -i "/sourcemaps-reader/{n;n;s/.*/    tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml
          sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml

          cat /tmp/image_override.yaml
          # Deploy command
          mkdir -p /tmp/charts
          mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit,connector} /tmp/charts/
          rm -rf  openreplay/charts/*
          mv /tmp/charts/* openreplay/charts/
          helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f -
        env:
          DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
          IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
          ENVIRONMENT: staging

      - name: Alert slack
        if: ${{ failure() }}
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_CHANNEL: ee
          SLACK_TITLE: "Failed ${{ github.workflow }}"
          SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }}
          SLACK_USERNAME: "OR Bot"
          SLACK_MESSAGE: "Build failed :bomb:"

    # - name: Debug Job
    #   # if: ${{ failure() }}
    #   uses: mxschmitt/action-tmate@v3
    #   env:
    #     DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
    #     IMAGE_TAG: ${{ github.sha }}-ee
    #     ENVIRONMENT: staging
    #    with:
    #      limit-access-to-actor: true