# This action will push the crons changes to aws
on:
  workflow_dispatch:
    inputs:
      skip_security_checks:
        description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false"
        required: false
        default: "false"
  push:
    branches:
      - dev
      - api-*
    paths:
      - "ee/api/**"
      - "api/**"
      - "!api/.gitignore"
      - "!api/app.py"
      - "!api/app_alerts.py"
      - "!api/*-dev.sh"
      - "!api/requirements.txt"
      - "!api/requirements-alerts.txt"
      - "!ee/api/.gitignore"
      - "!ee/api/app.py"
      - "!ee/api/app_alerts.py"
      - "!ee/api/*-dev.sh"
      - "!ee/api/requirements.txt"
      - "!ee/api/requirements-crons.txt"

name: Build and Deploy Crons EE

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # We need to diff with old commit
          # to see which workers got changed.
          fetch-depth: 2

      - uses: ./.github/composite-actions/update-keys
        with:
          assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }}
          assist_key: ${{ secrets.ASSIST_KEY }}
          domain_name: ${{ secrets.EE_DOMAIN_NAME }}
          jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }}
          jwt_secret: ${{ secrets.EE_JWT_SECRET }}
          jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }}
          jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }}
          license_key: ${{ secrets.EE_LICENSE_KEY }}
          minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }}
          minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }}
          pg_password: ${{ secrets.EE_PG_PASSWORD }}
          registry_url: ${{ secrets.OSS_REGISTRY_URL }}
        name: Update Keys

      - name: Docker login
        run: |
          docker login ${{ secrets.EE_REGISTRY_URL }} -u ${{ secrets.EE_DOCKER_USERNAME }} -p "${{ secrets.EE_REGISTRY_TOKEN }}"

      - uses: azure/k8s-set-context@v1
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret.
        id: setcontext

      # Caching docker images
      - uses: satackey/action-docker-layer-caching@v0.0.11
        # Ignore the failure of a step and avoid terminating the job.
        continue-on-error: true

      - name: Building and Pushing api image
        id: build-image
        env:
          DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
          IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
          ENVIRONMENT: staging
        run: |
          skip_security_checks=${{ github.event.inputs.skip_security_checks }}
          cd api
          PUSH_IMAGE=0 bash -x ./build_crons.sh ee
          [[ "x$skip_security_checks" == "xtrue" ]]  || {
            curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ 
            images=("crons")
            for image in ${images[*]};do
              ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL"  --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG 
            done
            err_code=$?
            [[ $err_code -ne 0 ]] && {
              exit $err_code
            }
          } && {
            echo "Skipping Security Checks"
          }
          images=("crons")
          for image in ${images[*]};do
            docker push $DOCKER_REPO/$image:$IMAGE_TAG 
          done
      - name: Creating old image input
        env:
          # We're not passing -ee flag, because helm will add that.
          IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
        run: |
          cd scripts/helmcharts/
          cat <<EOF>/tmp/image_override.yaml
          image: &image
            tag: "${IMAGE_TAG}"
          utilities:
            apiCrons:
              assiststats:
                image: *image
              report:
                image: *image
              sessionsCleaner:
                image: *image
              projectsStats:
                image: *image
              fixProjectsStats:
                image: *image
          EOF

      - name: Deploy to kubernetes
        run: |
          cd scripts/helmcharts/

          cat /tmp/image_override.yaml
          # Deploy command
          mkdir -p /tmp/charts
          mv openreplay/charts/{ingress-nginx,utilities,quickwit,connector,assist-api} /tmp/charts/
          rm -rf  openreplay/charts/*
          mv /tmp/charts/* openreplay/charts/
          helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks --kube-version=$k_version | kubectl apply -f -
        env:
          DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
          ENVIRONMENT: staging

      - name: Alert slack
        if: ${{ failure() }}
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_CHANNEL: ee
          SLACK_TITLE: "Failed ${{ github.workflow }}"
          SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }}
          SLACK_USERNAME: "OR Bot"
          SLACK_MESSAGE: "Build failed :bomb:"

    # - name: Debug Job
    #   # if: ${{ failure() }}
    #   uses: mxschmitt/action-tmate@v3
    #   env:
    #     DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
    #     IMAGE_TAG: ${{ github.sha }}-ee
    #     ENVIRONMENT: staging
    #    with:
    #      iimit-access-to-actor: true