release.yml

# yamllint disable rule:line-length rule:truthy
name: Release
# Generated by: gromit policy

# Distribution channels covered by this workflow
# - Ubuntu and Debian
# - RHEL and AL
# - docker hub
# - devenv ECR
# - Cloudsmith
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
on:
  # Trigger release every monday at midnight for master CI images
  schedule:
    - cron: "0 0 * * 1"
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  push:
    branches:
      - master
      - release-**
    tags:
      - 'v*'
env:
  GOPRIVATE: github.com/TykTechnologies
  VARIATION: prod-variation
  DOCKER_BUILD_SUMMARY: false
  DOCKER_BUILD_RECORD_UPLOAD: false
  # startsWith covers pull_request_target too
  BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
jobs:
  dep-guard:
    if: github.event_name == 'pull_request'
    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@d3fa20888fa2878e877e22bb7702141217290e7c # main
    permissions:
      contents: read
  goreleaser:
    needs:
      - dep-guard
    if: |
      !cancelled() &&
      (needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped') &&
      github.event.pull_request.draft == false
    name: '${{ matrix.golang_cross }}'
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    permissions:
      id-token: write # AWS OIDC JWT
      contents: read # actions/checkout
    strategy:
      fail-fast: false
      matrix:
        golang_cross:
          - 1.25-bullseye
        include:
          - golang_cross: 1.25-bullseye
            goreleaser: 'ci/goreleaser/goreleaser.yml'
            cgo: 1
            rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
            debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
    outputs:
      ee_tags: ${{ steps.ci_metadata_ee.outputs.tags }}
      fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
      std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
      commit_author: ${{ steps.set_outputs.outputs.commit_author}}
    steps:
      - name: Checkout of tyk
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      - name: Set some outputs for later
        id: set_outputs
        shell: bash
        env:
          HEAD_REF: ${{github.head_ref}}
        run: |
          echo "commit_author=$(git show -s --format='%ae' HEAD)" >> $GITHUB_OUTPUT
          echo "branch=${HEAD_REF##*/}" >> $GITHUB_OUTPUT
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3
      - name: Login to DockerHub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to Cloudsmith
        if: startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: docker.tyk.io
          username: ${{ secrets.CLOUDSMITH_USERNAME }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}
      - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
          # Don't mask to pass it across job boundaries
          mask-aws-account-id: false
      - uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
        id: ecr
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        with:
          mask-password: 'true'
      - uses: WarpBuilds/cache@f643a1ba29942d56621d07fc2d4284c7219868ad # v1
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Build
        env:
          NFPM_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
        run: |
          echo '#!/bin/sh
          ci/bin/unlock-agent.sh
          git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
          git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk
          goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
          chmod +x /tmp/build.sh
          docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
          -e GOPRIVATE=github.com/TykTechnologies                                \
          -e DEBVERS='${{ matrix.debvers }}'                               \
          -e RPMVERS='${{ matrix.rpmvers }}'                               \
          -e CGO_ENABLED=${{ matrix.cgo }}                                 \
          -e NFPM_PASSPHRASE="$NFPM_PASSPHRASE"                          \
          -e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20            \
          -e PKG_SIGNING_KEY="$PKG_SIGNING_KEY"                                  \
          -e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN                              \
          -v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk \
          -v /var/run/docker.sock:/var/run/docker.sock                           \
          -v ~/.docker/config.json:/root/.docker/config.json                     \
          -e GOCACHE=/cache/go-build                                             \
          -e GOMODCACHE=/go/pkg/mod                                              \
          -v ~/go/pkg/mod:/go/pkg/mod                                            \
          -v ~/.cache/go-build:/cache/go-build                                   \
          -v /tmp/build.sh:/tmp/build.sh                                         \
          -w /go/src/github.com/TykTechnologies/tyk                      \
          tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
      - name: Docker metadata for ee CI
        id: ci_metadata_ee
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            ${{ steps.ecr.outputs.registry }}/tyk-ee
          flavor: |
            latest=false
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
            type=semver,pattern={{major}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{version}},prefix=v
      - name: push ee image to CI
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.ci_metadata_ee.outputs.tags }}
          labels: ${{ steps.ci_metadata_ee.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway-ee
            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
            NONROOT_CHOWN=true
      - name: Docker metadata for ee tag push
        id: tag_metadata_ee
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            docker.tyk.io/tyk-gateway/tyk-gateway-ee
            tykio/tyk-gateway-ee
          flavor: |
            latest=false
            prefix=v
          tags: |
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.title=Tyk Gateway Enterprise Edition
            org.opencontainers.image.description=Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols
            org.opencontainers.image.vendor=tyk.io
            org.opencontainers.image.version=${{ github.ref_name }}
      - name: push ee image to prod
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          push: ${{ startsWith(github.ref, 'refs/tags') }}
          tags: ${{ steps.tag_metadata_ee.outputs.tags }}
          labels: ${{ steps.tag_metadata_ee.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway-ee
            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
            NONROOT_CHOWN=true
      - name: Attach base image VEX to ee
        if: ${{ matrix.golang_cross == '1.25-bullseye' && startsWith(github.ref, 'refs/tags') }}
        run: |
          # Install Docker Scout CLI
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/v1.20.4/install.sh -o /tmp/scout-install.sh && sh /tmp/scout-install.sh 2>/dev/null
          # Extract VEX from the DHI base image
          docker scout vex get --org tykio -o /tmp/ee-vex.json tykio/dhi-busybox:1.37-fips || true
          if [ -f /tmp/ee-vex.json ]; then
            cosign attest --yes --type openvex \
              --predicate /tmp/ee-vex.json \
              docker.tyk.io/tyk-gateway/tyk-gateway-ee:${{ github.ref_name }} || true
            cosign attest --yes --type openvex \
              --predicate /tmp/ee-vex.json \
              tykio/tyk-gateway-ee:${{ github.ref_name }} || true
          fi
      - name: Docker metadata for fips CI
        id: ci_metadata_fips
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            ${{ steps.ecr.outputs.registry }}/tyk-fips
          flavor: |
            latest=false
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
            type=semver,pattern={{major}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{version}},prefix=v
      - name: push fips image to CI
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.ci_metadata_fips.outputs.tags }}
          labels: ${{ steps.ci_metadata_fips.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway-fips
            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
            NONROOT_CHOWN=true
      - name: Docker metadata for fips tag push
        id: tag_metadata_fips
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            tykio/tyk-gateway-fips
          flavor: |
            latest=false
            prefix=v
          tags: |
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.title=Tyk Gateway Enterprise Edition FIPS
            org.opencontainers.image.description=Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with FIPS 140-3 compliant cryptography
            org.opencontainers.image.vendor=tyk.io
            org.opencontainers.image.version=${{ github.ref_name }}
      - name: push fips image to prod
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          push: ${{ startsWith(github.ref, 'refs/tags') }}
          tags: ${{ steps.tag_metadata_fips.outputs.tags }}
          labels: ${{ steps.tag_metadata_fips.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway-fips
            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
            NONROOT_CHOWN=true
      - name: Attach base image VEX to fips
        if: ${{ matrix.golang_cross == '1.25-bullseye' && startsWith(github.ref, 'refs/tags') }}
        run: |
          # Install Docker Scout CLI
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/v1.20.4/install.sh -o /tmp/scout-install.sh && sh /tmp/scout-install.sh 2>/dev/null
          # Extract VEX from the DHI base image
          docker scout vex get --org tykio -o /tmp/fips-vex.json tykio/dhi-busybox:1.37-fips || true
          if [ -f /tmp/fips-vex.json ]; then
            cosign attest --yes --type openvex \
              --predicate /tmp/fips-vex.json \
              tykio/tyk-gateway-fips:${{ github.ref_name }} || true
          fi
      - name: Docker metadata for std CI
        id: ci_metadata_std
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            ${{ steps.ecr.outputs.registry }}/tyk
          flavor: |
            latest=false
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
            type=semver,pattern={{major}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{version}},prefix=v
      - name: push std image to CI
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64,linux/s390x
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.ci_metadata_std.outputs.tags }}
          labels: ${{ steps.ci_metadata_std.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway
      - name: Docker metadata for std tag push
        id: tag_metadata_std
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            docker.tyk.io/tyk-gateway/tyk-gateway
            tykio/tyk-gateway
          flavor: |
            latest=false
            prefix=v
          tags: |
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.title=Tyk Gateway
            org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
            org.opencontainers.image.vendor=tyk.io
            org.opencontainers.image.version=${{ github.ref_name }}
      - name: push std image to prod
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "dist"
          platforms: linux/amd64,linux/arm64,linux/s390x
          file: ci/Dockerfile.distroless
          provenance: mode=max
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          push: ${{ startsWith(github.ref, 'refs/tags') }}
          tags: ${{ steps.tag_metadata_std.outputs.tags }}
          labels: ${{ steps.tag_metadata_std.outputs.labels }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-gateway
      - name: save deb
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        with:
          name: deb
          retention-days: 1
          path: |
            dist/*.deb
            !dist/*PAYG*.deb
            !dist/*fips*.deb
      - name: save rpm
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: ${{ matrix.golang_cross == '1.25-bullseye' }}
        with:
          name: rpm
          retention-days: 1
          path: |
            dist/*.rpm
            !dist/*PAYG*.rpm
            !dist/*fips*.rpm
  resolve-dashboard-image:
    needs: goreleaser
    if: |
      !cancelled() &&
      needs.goreleaser.result == 'success' &&
      github.event.pull_request.draft == false
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    permissions:
      id-token: write
      contents: read
    outputs:
      dashboard_image: ${{ steps.resolve.outputs.dashboard_image }}
      needs_build: ${{ steps.resolve.outputs.needs_build }}
      dashboard_branch: ${{ steps.resolve.outputs.dashboard_branch }}
      strategy: ${{ steps.resolve.outputs.strategy }}
    steps:
      - name: Checkout tyk repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Check for relevant package changes in PR
        id: check_changes
        shell: bash
        env:
          RELEVANT_PACKAGES: ${{ vars.DASHBOARD_DEPENDENCY_PACKAGES || 'pkg apidef lib common certs log config test user header' }}
        run: |
          echo "Checking PR for changes in packages: $RELEVANT_PACKAGES"
          echo "Comparing PR against base branch: ${{ env.BASE_REF }}"

          # Compare entire PR against base branch
          git fetch origin ${{ env.BASE_REF }} 2>/dev/null || true
          CHANGED_FILES=$(git diff --name-only origin/${{ env.BASE_REF }}...HEAD 2>/dev/null || echo "")

          echo "Changed files in PR:"
          echo "$CHANGED_FILES"

          # Check if any changed files are in relevant packages
          HAS_RELEVANT_CHANGES=false
          for pkg in $RELEVANT_PACKAGES; do
            if echo "$CHANGED_FILES" | grep -q "^${pkg}/"; then
              echo "✓ Found changes in package: $pkg"
              HAS_RELEVANT_CHANGES=true
            fi
          done

          if [ "$HAS_RELEVANT_CHANGES" = "true" ]; then
            echo "has_relevant_changes=true" >> $GITHUB_OUTPUT
            echo "📦 Relevant package changes in PR - will build dashboard"
          else
            echo "has_relevant_changes=false" >> $GITHUB_OUTPUT
            echo "ℹ️ No relevant package changes in PR"
          fi
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
          mask-aws-account-id: false
      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
        with:
          mask-password: 'true'
      - name: Check if tyk-analytics branch exists
        id: check_branch
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if [ -z "$HEAD_REF" ]; then
            echo "Not a pull request, skipping branch check"
            echo "branch_exists=false" >> $GITHUB_OUTPUT
            exit 0
          fi

          BRANCH=${HEAD_REF##*/}
          echo "Checking for branch: $BRANCH in tyk-analytics"

          if git ls-remote --heads https://$GITHUB_TOKEN@github.com/TykTechnologies/tyk-analytics.git refs/heads/$BRANCH | grep -q .; then
            echo "✓ Branch '$BRANCH' exists in tyk-analytics"
            echo "branch_exists=true" >> $GITHUB_OUTPUT
            echo "branch=$BRANCH" >> $GITHUB_OUTPUT
          else
            echo "✗ Branch '$BRANCH' not found in tyk-analytics"
            echo "branch_exists=false" >> $GITHUB_OUTPUT
          fi
      - name: Check if ECR image exists for this PR
        id: check_ecr
        shell: bash
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [ -z "$PR_NUMBER" ]; then
            echo "Not a pull request, skipping ECR check"
            echo "image_exists=false" >> $GITHUB_OUTPUT
            exit 0
          fi

          IMAGE_TAG="tyk-${PR_NUMBER}"
          echo "Checking for ECR image: tyk-analytics:${IMAGE_TAG}"

          if aws ecr describe-images \
            --repository-name tyk-analytics \
            --image-ids imageTag=${IMAGE_TAG} \
            --region eu-central-1 2>/dev/null | grep -q imageId; then
            echo "✓ ECR image exists: ${IMAGE_TAG}"
            echo "image_exists=true" >> $GITHUB_OUTPUT
            echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
          else
            echo "✗ ECR image not found: ${IMAGE_TAG}"
            echo "image_exists=false" >> $GITHUB_OUTPUT
          fi
      - name: Resolve dashboard image strategy
        id: resolve
        shell: bash
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          BRANCH_EXISTS: ${{ steps.check_branch.outputs.branch_exists }}
          IMAGE_EXISTS: ${{ steps.check_ecr.outputs.image_exists }}
          BRANCH: ${{ steps.check_branch.outputs.branch }}
          IMAGE_TAG: ${{ steps.check_ecr.outputs.image_tag }}
          BASE_REF: ${{ env.BASE_REF }}
          COMMIT_SHA: ${{ github.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HAS_RELEVANT_CHANGES: ${{ steps.check_changes.outputs.has_relevant_changes }}
          ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
        run: |
          echo "=================================="
          echo "📊 Dashboard Image Resolution"
          echo "=================================="
          echo "PR number: $PR_NUMBER"
          echo "Base ref: $BASE_REF"
          echo "Branch exists: $BRANCH_EXISTS"
          echo "PR image exists: $IMAGE_EXISTS"
          echo "Branch name: $BRANCH"
          echo "PR image tag: $IMAGE_TAG"
          echo "Commit SHA: $COMMIT_SHA"
          echo "Has relevant changes in PR: $HAS_RELEVANT_CHANGES"
          echo "=================================="

          # For non-master base branches, check if the same branch exists in tyk-analytics
          if [ "$BASE_REF" != "master" ]; then
            if git ls-remote --exit-code --heads "https://x-access-token:${ORG_GH_TOKEN}@github.com/TykTechnologies/tyk-analytics.git" "refs/heads/$BASE_REF" > /dev/null 2>&1; then
              echo "📋 Strategy: Use release branch '$BASE_REF' from tyk-analytics"
              echo "    → Base branch exists in tyk-analytics, using it directly"
              echo "dashboard_image=${REGISTRY}/tyk-analytics:${BASE_REF}" >> $GITHUB_OUTPUT
              echo "needs_build=false" >> $GITHUB_OUTPUT
              echo "dashboard_branch=$BASE_REF" >> $GITHUB_OUTPUT
              echo "strategy=release-branch-match" >> $GITHUB_OUTPUT
            else
              echo "ℹ️ Strategy: Use gromit default (base branch '$BASE_REF' not found in tyk-analytics)"
              echo "    → Falling back to gromit default"
              echo "dashboard_image=" >> $GITHUB_OUTPUT
              echo "needs_build=false" >> $GITHUB_OUTPUT
              echo "dashboard_branch=" >> $GITHUB_OUTPUT
              echo "strategy=gromit-default" >> $GITHUB_OUTPUT
            fi

          # Strategy 1: Matching branch exists in tyk-analytics → use gromit
          elif [ "$BRANCH_EXISTS" = "true" ]; then
            echo "📋 Strategy: Use matching branch '$BRANCH' via gromit"
            echo "    → No override needed, gromit will handle it"
            echo "dashboard_image=" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=$BRANCH" >> $GITHUB_OUTPUT
            echo "strategy=gromit-branch" >> $GITHUB_OUTPUT

          # Strategy 2a: PR has relevant changes → build new image
          elif [ "$HAS_RELEVANT_CHANGES" = "true" ]; then
            PR_IMAGE_TAG="tyk-${PR_NUMBER}"
            echo "🔨 Strategy: Build dashboard (PR has relevant package changes)"
            echo "    → Will update gateway ref to $COMMIT_SHA"
            echo "    → Will push to: ${REGISTRY}/tyk-analytics:${PR_IMAGE_TAG}"
            echo "dashboard_image=${REGISTRY}/tyk-analytics:${PR_IMAGE_TAG}" >> $GITHUB_OUTPUT
            echo "needs_build=true" >> $GITHUB_OUTPUT
            echo "dashboard_branch=$BASE_REF" >> $GITHUB_OUTPUT
            echo "strategy=build-required" >> $GITHUB_OUTPUT

          # Strategy 2b: PR image exists and no relevant changes → reuse existing image
          elif [ "$IMAGE_EXISTS" = "true" ]; then
            echo "🐳 Strategy: Reuse existing PR image (no relevant package changes in PR)"
            echo "    → Image: ${REGISTRY}/tyk-analytics:${IMAGE_TAG}"
            echo "dashboard_image=${REGISTRY}/tyk-analytics:${IMAGE_TAG}" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=" >> $GITHUB_OUTPUT
            echo "strategy=reuse-pr-image" >> $GITHUB_OUTPUT

          # Strategy 3: Fallback to gromit default
          else
            echo "ℹ️ Strategy: Use gromit default"
            echo "    → No matching branch, no existing PR image, no relevant changes"
            echo "dashboard_image=" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=" >> $GITHUB_OUTPUT
            echo "strategy=gromit-default" >> $GITHUB_OUTPUT
          fi

          echo "=================================="
          echo "✅ Resolution complete"
          echo "=================================="
  build-dashboard-image:
    needs: resolve-dashboard-image
    if: |
      !cancelled() &&
      needs.resolve-dashboard-image.result == 'success' &&
      needs.resolve-dashboard-image.outputs.needs_build == 'true'
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    permissions:
      id-token: write
      contents: read
    outputs:
      dashboard_image: ${{ steps.output.outputs.image }}
    steps:
      - name: Checkout tyk-analytics
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: TykTechnologies/tyk-analytics
          ref: ${{ needs.resolve-dashboard-image.outputs.dashboard_branch }}
          token: ${{ secrets.ORG_GH_TOKEN }}
          fetch-depth: 1
          submodules: true
      - name: Update gateway reference to PR branch
        shell: bash
        env:
          GATEWAY_BRANCH: ${{ github.head_ref }}
          ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
        run: |
          echo "📦 Updating tyk-gateway dependency to branch: $GATEWAY_BRANCH"

          # Configure git for go get
          git config --global url."https://${ORG_GH_TOKEN}@github.com".insteadOf "https://github.com"

          # Update dependency using branch name
          go get github.com/TykTechnologies/tyk@$GATEWAY_BRANCH

          # Update replace directive if present
          go mod edit -replace github.com/TykTechnologies/tyk=github.com/TykTechnologies/tyk@$GATEWAY_BRANCH

          go mod tidy

          echo "✅ Updated go.mod:"
          grep "github.com/TykTechnologies/tyk" go.mod
      - name: Fetch pre-built UI assets from S3
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_BINDATA_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_BINDATA_SECRET_ACCESS_KEY }}
          AWS_REGION: eu-central-1
          AWS_SESSION_TOKEN: ""
        run: |
          # Read the vendored commit SHA
          ASSETS_COMMIT=$(cat .assets_vendor | head -n 1 | tr -d '\n')

          echo "Fetching UI assets for commit: ${ASSETS_COMMIT}"
          aws s3 sync s3://tyk-dashboard-assets-ci/commits/${ASSETS_COMMIT}/ internal/uiassets/dist/

          if [ ! -f internal/uiassets/dist/_index.html ]; then
            echo "❌ Failed to fetch assets: _index.html not found"
            exit 1
          fi

          echo "✓ Assets fetched successfully to internal/uiassets/dist/"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
        with:
          mask-password: 'true'
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - uses: WarpBuilds/cache@f643a1ba29942d56621d07fc2d4284c7219868ad # v1
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-dashboard-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-dashboard-
      - name: Build dashboard packages for current architecture
        shell: bash
        env:
          ECR_REGISTRY: ${{ steps.ecr.outputs.registry }}
          IMAGE_TAG: tyk-${{ github.event.pull_request.number }}
          GOPRIVATE: github.com/TykTechnologies
          ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
        run: |
          # Detect current architecture
          ARCH=$(uname -m)
          case $ARCH in
            x86_64)
              GOARCH=amd64
              ;;
            aarch64)
              GOARCH=arm64
              ;;
            *)
              echo "Unsupported architecture: $ARCH"
              exit 1
              ;;
          esac

          echo "🔨 Building tyk-analytics packages for linux/$GOARCH"
          echo "   Target image: ${ECR_REGISTRY}/tyk-analytics:${IMAGE_TAG}"

          # Build using goreleaser for current platform only
          cat > /tmp/build-dashboard.sh <<'EOF'
          #!/bin/sh
          set -eax
          git config --global url."https://${ORG_GH_TOKEN}@github.com".insteadOf "https://github.com"
          git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-analytics

          # Build packages for current platform (GOOS and GOARCH are set via docker -e)
          goreleaser release --clean -f ci/goreleaser/goreleaser.yml --snapshot --skip=sign,docker
          EOF

          chmod +x /tmp/build-dashboard.sh

          # Build in golang-cross container
          docker run --rm --privileged -e GITHUB_TOKEN=${ORG_GH_TOKEN} \
            -e GOPRIVATE=github.com/TykTechnologies \
            -e CGO_ENABLED=1 \
            -e GOOS=linux \
            -e GOARCH=$GOARCH \
            -v ${{ github.workspace }}:/go/src/github.com/TykTechnologies/tyk-analytics \
            -v ~/.cache/go-build:/cache/go-build \
            -v ~/go/pkg/mod:/go/pkg/mod \
            -e GOCACHE=/cache/go-build \
            -e GOMODCACHE=/go/pkg/mod \
            -v /tmp/build-dashboard.sh:/tmp/build-dashboard.sh \
            -w /go/src/github.com/TykTechnologies/tyk-analytics \
            tykio/golang-cross:1.25-bullseye /tmp/build-dashboard.sh

          echo "✅ Packages built successfully for $GOARCH"
      - name: Detect platform for Docker build
        id: platform
        shell: bash
        run: |
          ARCH=$(uname -m)
          case $ARCH in
            x86_64)
              PLATFORM=linux/amd64
              ;;
            aarch64)
              PLATFORM=linux/arm64
              ;;
            *)
              echo "Unsupported architecture: $ARCH"
              exit 1
              ;;
          esac
          echo "platform=$PLATFORM" >> $GITHUB_OUTPUT
          echo "Building for platform: $PLATFORM"
      - name: Build and push dashboard Docker image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: dist
          file: ci/Dockerfile.distroless
          platforms: ${{ steps.platform.outputs.platform }}
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.ecr.outputs.registry }}/tyk-analytics:tyk-${{ github.event.pull_request.number }}
          labels: |
            org.opencontainers.image.title=Tyk Dashboard (Custom Build for PR)
            org.opencontainers.image.description=Built from ${{ needs.resolve-dashboard-image.outputs.dashboard_branch }} with gateway branch ${{ github.head_ref }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.source=https://github.com/TykTechnologies/tyk-analytics
            tyk.gateway.branch=${{ github.head_ref }}
            tyk.gateway.pr=${{ github.event.pull_request.number }}
            tyk.dashboard.branch=${{ needs.resolve-dashboard-image.outputs.dashboard_branch }}
          build-args: |
            BUILD_PACKAGE_NAME=tyk-dashboard
      - name: Output image reference
        id: output
        shell: bash
        run: |
          IMAGE="${{ steps.ecr.outputs.registry }}/tyk-analytics:tyk-${{ github.event.pull_request.number }}"
          echo "image=$IMAGE" >> $GITHUB_OUTPUT
          echo "✅ Dashboard image built and pushed: $IMAGE"
  test-controller-api:
    needs:
      - goreleaser
    if: |
      !cancelled() &&
      needs.goreleaser.result == 'success' &&
      github.event.pull_request.draft == false
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    outputs:
      envfiles: ${{ steps.params.outputs.envfiles }}
      pump: ${{ steps.params.outputs.pump }}
      sink: ${{ steps.params.outputs.sink }}
    steps:
      - name: Set test parameters
        uses: TykTechnologies/github-actions/.github/actions/tests/test-controller@42304edda365365e0a887cf018d8edc34b960b82 # main
        id: params
        with:
          variation: ${{ env.VARIATION }}
          base_ref: ${{ env.BASE_REF }}
          test_type: api
  api-tests:
    needs:
      - test-controller-api
      - goreleaser
      - resolve-dashboard-image
      - build-dashboard-image
    # build-dashboard-image may be skipped, so use !cancelled() to run regardless
    if: |
      !cancelled() &&
      needs.test-controller-api.result == 'success' &&
      needs.goreleaser.result == 'success' &&
      needs.resolve-dashboard-image.result == 'success' &&
      (needs.build-dashboard-image.result == 'success' || needs.build-dashboard-image.result == 'skipped')
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    env:
      XUNIT_REPORT_PATH: ${{ github.workspace}}/test-results.xml
    permissions:
      id-token: write # This is required for requesting the Github JWT
      contents: read # This is required for actions/checkout
    strategy:
      fail-fast: false
      matrix:
        envfiles: ${{ fromJson(needs.test-controller-api.outputs.envfiles) }}
        pump: ${{ fromJson(needs.test-controller-api.outputs.pump) }}
        sink: ${{ fromJson(needs.test-controller-api.outputs.sink) }}
        exclude:
          - pump: tykio/tyk-pump-docker-pub:v1.8
            sink: $ECR/tyk-sink:master
          - pump: $ECR/tyk-pump:master
            sink: tykio/tyk-mdcb-docker:v2.4
    steps:
      - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
        with:
          mask-password: 'true'
      - name: Setup tmate session only in debug mode
        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
        if: runner.debug == '1'
        with:
          detached: true
          limit-access-to-actor: true
          # Only ${{ github.actor }} has access
          # See https://github.com/mxschmitt/action-tmate#use-registered-public-ssh-keys
      - name: Fetch environment from tyk-pro
        uses: TykTechnologies/github-actions/.github/actions/tests/checkout-tyk-pro@42304edda365365e0a887cf018d8edc34b960b82 # main
        with:
          org_gh_token: ${{ github.token }}
      - name: Set up test environment
        uses: TykTechnologies/github-actions/.github/actions/tests/env-up@42304edda365365e0a887cf018d8edc34b960b82 # main
        timeout-minutes: 5
        id: env_up
        with:
          base_ref: ${{ env.BASE_REF }}
          tags: ${{ needs.goreleaser.outputs.ee_tags || needs.goreleaser.outputs.std_tags || format('{0}/tyk-ee:master', steps.ecr.outputs.registry) }}
          dashboard_image: ${{ needs.resolve-dashboard-image.outputs.dashboard_image }}
          github_token: ${{ secrets.ORG_GH_TOKEN }}
          TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }}
          TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }}
      - name: Choose test code branch
        uses: TykTechnologies/github-actions/.github/actions/tests/choose-test-branch@42304edda365365e0a887cf018d8edc34b960b82 # main
        with:
          test_folder: api
          org_gh_token: ${{ secrets.ORG_GH_TOKEN }}
      - name: Run API tests
        uses: TykTechnologies/github-actions/.github/actions/tests/api-tests@42304edda365365e0a887cf018d8edc34b960b82 # main
        timeout-minutes: 30
        id: test_execution
        with:
          user_api_secret: ${{ steps.env_up.outputs.USER_API_SECRET }}
      - name: Generate test reports and collect logs
        uses: TykTechnologies/github-actions/.github/actions/tests/reporting@42304edda365365e0a887cf018d8edc34b960b82 # main
        if: always() && (steps.test_execution.conclusion != 'skipped')
        with:
          report_xml: 'true'
          execution_status: ${{ steps.test_execution.outcome }}
  aggregator-ci-test:
    name: Aggregated CI Status
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    # Dynamically determine which jobs to depend on based on repository configuration
    needs: [goreleaser, api-tests, dep-guard]
    if: ${{ always() && github.event_name == 'pull_request' }}
    steps:
      - name: Aggregate results
        run: |
          failed=()
          # Get the needs context as JSON once
          needs_json='${{ toJSON(needs) }}'

          # Loop through all jobs in the needs context
          for job in $(echo "$needs_json" | jq -r 'keys[]'); do
            job_result=$(echo "$needs_json" | jq -r --arg job "$job" '.[$job].result')

            if [[ "$job_result" != "success" ]]; then
              failed+=("$job")
            fi
          done

          if (( ${#failed[@]} )); then
            # Join the failed job names with commas
            failed_jobs=$(IFS=", "; echo "${failed[*]}")
            echo "❌ Failed jobs ----- : $failed_jobs"
            exit 1
          fi

          echo "✅ All required jobs succeeded"
  test-controller-distros:
    needs:
      - goreleaser
    if: |
      !cancelled() &&
      needs.goreleaser.result == 'success' &&
      github.event.pull_request.draft == false
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    outputs:
      deb: ${{ steps.params.outputs.deb }}
      rpm: ${{ steps.params.outputs.rpm }}
    steps:
      - name: set params
        id: params
        shell: bash
        env:
          # startsWith covers pull_request_target too
          BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
        run: |
          set -eo pipefail
          curl -s --retry 5 --retry-delay 10 --fail-with-body "http://tui.internal.dev.tyk.technology/v2/$VARIATION/tyk/$BASE_REF/${{ github.event_name}}/api/Distros.gho" | tee -a "$GITHUB_OUTPUT"
          if ! [[ $VARIATION =~ prod ]];then
            echo "::warning file=.github/workflows/release.yml,line=24,col=1,endColumn=8::Using test variation"
          fi
  upgrade-deb:
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    needs:
      - test-controller-distros
    if: |
      !cancelled() &&
      needs.test-controller-distros.result == 'success'
    strategy:
      fail-fast: true
      matrix:
        arch:
          - amd64
          - arm64
        distro: ${{ fromJson(needs.test-controller-distros.outputs.deb) }}
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          sparse-checkout: ci
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: deb
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: generate dockerfile
        run: |
          echo 'FROM ${{ matrix.distro }}
          ARG TARGETARCH
          COPY tyk-gateway*_${TARGETARCH}.deb /tyk-gateway.deb
          RUN apt-get update && apt-get install -y curl
          # TODO(security): curl|bash - consider fetching script and verifying checksum before execution
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash || echo "Repository setup failed, but continuing" # SECURITY: accepted risk, see TODO above
          RUN apt-get install -y tyk-gateway=3.0.8 || echo "Previous version not found, testing fresh install"
          RUN dpkg -i /tyk-gateway.deb

          RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
          COPY ci/tests/api-functionality/data/api.json /opt/tyk-gateway/apps/
          CMD ["/opt/tyk-gateway/tyk", "--conf", "/opt/tyk-gateway/tyk.conf"]
          ' | tee Dockerfile
      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "."
          platforms: linux/${{ matrix.arch }}
          build-args: |
            RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: Dockerfile
          push: false
          tags: test-${{ matrix.distro }}-${{ matrix.arch }}
          load: true
      - name: Test the built container image with api functionality test.
        run: |
          docker run -d -p8080:8080 --name=test --platform linux/${{ matrix.arch }} --network ${{ job.container.network }} --rm test-${{ matrix.distro }}-${{ matrix.arch }}
          sleep 2
          ./ci/tests/api-functionality/api_test.sh
          sleep 2
          docker stop test || true
  upgrade-rpm:
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    needs:
      - test-controller-distros
    if: |
      !cancelled() &&
      needs.test-controller-distros.result == 'success'
    strategy:
      fail-fast: true
      matrix:
        arch:
          - amd64
          - arm64
        distro: ${{ fromJson(needs.test-controller-distros.outputs.rpm) }}
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          sparse-checkout: ci
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: rpm
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: generate dockerfile
        run: |
          echo 'FROM ${{ matrix.distro }}
          ARG RHELARCH
          COPY tyk-gateway*.${RHELARCH}.rpm /tyk-gateway.rpm
          RUN command -v curl || yum install -y curl
          RUN command -v useradd || yum install -y shadow-utils
          # TODO(security): curl|bash - consider fetching script and verifying checksum before execution
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash || echo "Repository setup failed, but continuing" # SECURITY: accepted risk, see TODO above
          RUN yum install -y tyk-gateway-3.0.8-1 || echo "Previous version not found, testing fresh install"
          RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-gateway.key && rpm --import tyk-gateway.key
          RUN rpm --checksig /tyk-gateway.rpm
          RUN rpm -Uvh --force /tyk-gateway.rpm

          RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
          COPY ci/tests/api-functionality/data/api.json /opt/tyk-gateway/apps/
          CMD ["/opt/tyk-gateway/tyk", "--conf", "/opt/tyk-gateway/tyk.conf"]
          ' | tee Dockerfile
      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: "."
          platforms: linux/${{ matrix.arch }}
          build-args: |
            RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: Dockerfile
          push: false
          tags: test-${{ matrix.distro }}-${{ matrix.arch }}
          load: true
      - name: Test the built container image with api functionality test.
        run: "docker run -d -p8080:8080 --name=test --platform linux/${{ matrix.arch }} --network ${{ job.container.network }} --rm test-${{ matrix.distro }}-${{ matrix.arch }}\nsleep 2\n./ci/tests/api-functionality/api_test.sh\nsleep 2\ndocker stop test || true \n"
  release-tests:
    needs:
      - goreleaser
    if: |
      !cancelled() &&
      needs.goreleaser.result == 'success'
    permissions:
      id-token: write # This is required for requesting the JWT
      contents: read # This is required for actions/checkout
      actions: read # This is required for the report_logs job in the called workflow
    uses: ./.github/workflows/release-tests.yml
    secrets: inherit
  sbom:
    needs: goreleaser
    if: |
      !cancelled() &&
      needs.goreleaser.result == 'success'
    uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@42304edda365365e0a887cf018d8edc34b960b82 # main
    secrets:
      DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
      DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}