name: releaser
on:
  push:
    tags:
      - 'v*'

jobs:
  release-init-kyverno:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyvernopre
      image_name: kyvernopre
      tag: release
      main: cmd/initContainer
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyverno
      image_name: kyverno
      tag: release
      main: cmd/kyverno
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno-cli:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-cli
      image_name: kyverno-cli
      tag: release
      main: cmd/cli/kubectl-kyverno
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  create-release:
    runs-on: ubuntu-latest
    needs:
      - release-init-kyverno
      - release-kyverno
      - release-kyverno-cli
    steps:
      - name: Set version
        id: version
        run: echo ::set-output name=version::${GITHUB_REF#refs/*/}

      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # pin@v2.4.0
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # pin@v2.1.5
        with:
          go-version: ~1.18.6

      - name: Cache Go modules
        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0

      - name: Make Release
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          rm -rf release
          mkdir release
          make release-notes > release/release-notes.out
          cat release/release-notes.out

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 # pin@v2.8.0
        with:
          version: latest
          args: release --rm-dist --debug --release-notes=release/release-notes.out
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


  push-and-sign-install-manifest:
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access  
    needs:
      - create-release
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # pin@v2.4.0
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # pin@v2.1.5
        with:
          go-version: ~1.18.6

      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@1fa48bf916fa5ce5800190f8a0c9fdf7ae86559b # v0.35.0
        with:
          version: 0.35.0

      - name: Install Cosign
        uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
        with:
          cosign-release: 'v1.13.0'

      - name: Build yaml manifest
        run: make codegen-release

      - name: Upload yaml manifest
        uses: svenstaro/upload-release-action@133984371c30d34e38222a64855679a414cb7575 # pin@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: config/.release/install.yaml
          asset_name: install.yaml
          tag: ${{ github.ref }}
      
      - name: Push manifests to GHCR with Flux
        env:
          CR_PAT_ARTIFACTS:  ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
            set -e
            cd config/.release/ && \
            flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD) \
              --path="." \
              --source="$(git config --get remote.origin.url)" \
              --revision="(git tag --points-at HEAD)/$(git rev-parse HEAD)"
              --creds flux:${CR_PAT_ARTIFACTS}
      
      - name: Sign manifests in GHCR with Cosign
        env:
          COSIGN_EXPERIMENTAL: 1
          CR_PAT_ARTIFACTS:  ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
            set -e
            cosign login --username ${GITHUB_ACTOR} --password ${CR_PAT_ARTIFACTS} ghcr.io
            cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD)

  release-cli-via-krew:
    runs-on: ubuntu-latest
    needs:
      - create-release
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # pin@v2.4.0

      - name: Unshallow
        run: git fetch --prune --unshallow

      - name: Check Tag
        id: check-tag
        run: |
          if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo ::set-output name=match::true
          fi

      - name: Update new version in krew-index
        if: steps.check-tag.outputs.match == 'true'
        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # pin@v0.0.38