.github/workflows/push-buildpackage.yml

name: Push Buildpackage

on:
  release:
    types:
    - published

env:
  REGISTRIES_FILENAME: "registries.json"

jobs:
  push:
    name: Push
    runs-on: ubuntu-24.04
    env:
      GCR_REGISTRY: "gcr.io"
      GCR_PASSWORD: ${{ secrets.GCR_PUSH_BOT_JSON_KEY }}
      GCR_USERNAME: "_json_key"
      DOCKERHUB_REGISTRY: docker.io
      DOCKERHUB_USERNAME: ${{ secrets.PAKETO_BUILDPACKS_DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.PAKETO_BUILDPACKS_DOCKERHUB_PASSWORD }}

    steps:

    - name: Checkout
      uses: actions/checkout@v4

    - name: Parse Event
      id: event
      run: |
        FULL_VERSION="$(jq -r '.release.tag_name' "${GITHUB_EVENT_PATH}" | sed s/^v//)"
        MINOR_VERSION="$(echo "${FULL_VERSION}" | awk -F '.' '{print $1 "." $2 }')"
        MAJOR_VERSION="$(echo "${FULL_VERSION}" | awk -F '.' '{print $1 }')"
        echo "tag_full=${FULL_VERSION}" >> "$GITHUB_OUTPUT"
        echo "tag_minor=${MINOR_VERSION}" >> "$GITHUB_OUTPUT"
        echo "tag_major=${MAJOR_VERSION}" >> "$GITHUB_OUTPUT"
        echo "download_tgz_file_url=$(jq -r '.release.assets[] | select(.name | endswith(".tgz")) | .url' "${GITHUB_EVENT_PATH}")" >> "$GITHUB_OUTPUT"
        echo "download_cnb_file_url=$(jq -r --arg tag_full "$FULL_VERSION" '.release.assets[] | select(.name | endswith($tag_full + ".cnb")) | .url' "${GITHUB_EVENT_PATH}")" >> "$GITHUB_OUTPUT"
        echo "download_sha256_file_url=$(jq -r '.release.assets[] | select(.name | endswith("index-digest.sha256")) | .url' "${GITHUB_EVENT_PATH}")" >> "$GITHUB_OUTPUT"

    - name: Download .cnb buildpack
      uses: paketo-buildpacks/github-config/actions/release/download-asset@main
      with:
        url: ${{ steps.event.outputs.download_cnb_file_url }}
        output: "/github/workspace/buildpackage.cnb"
        token: ${{ secrets.PAKETO_BOT_GITHUB_TOKEN }}

    - name: Download .tgz buildpack
      uses: paketo-buildpacks/github-config/actions/release/download-asset@main
      with:
        url: ${{ steps.event.outputs.download_tgz_file_url }}
        output: "/github/workspace/buildpack.tgz"
        token: ${{ secrets.PAKETO_BOT_GITHUB_TOKEN }}

    - name: Download .sha digest
      uses: paketo-buildpacks/github-config/actions/release/download-asset@main
      with:
        url: ${{ steps.event.outputs.download_sha256_file_url }}
        output: "/github/workspace/index-digest.sha256"
        token: ${{ secrets.PAKETO_BOT_GITHUB_TOKEN }}

    - name: Parse Configs
      id: parse_configs
      run: |
        push_to_dockerhub=true
        push_to_gcr=true

        if [[ -f $REGISTRIES_FILENAME ]]; then
          if jq 'has("dockerhub")' $REGISTRIES_FILENAME > /dev/null; then
            push_to_dockerhub=$(jq '.dockerhub' $REGISTRIES_FILENAME)
          fi
          if jq 'has("GCR")' $REGISTRIES_FILENAME > /dev/null; then
            push_to_gcr=$(jq '.GCR' $REGISTRIES_FILENAME)
          fi
        fi

        echo "push_to_dockerhub=${push_to_dockerhub}" >> "$GITHUB_OUTPUT"
        echo "push_to_gcr=${push_to_gcr}" >> "$GITHUB_OUTPUT"

    - name: Validate version
      run: |
        buidpackTomlVersion=$(sudo skopeo inspect "oci-archive:${GITHUB_WORKSPACE}/buildpackage.cnb" | jq -r '.Labels."io.buildpacks.buildpackage.metadata" | fromjson | .version')
        githubReleaseVersion="${{ steps.event.outputs.tag_full }}"
        if [[ "$buidpackTomlVersion" != "$githubReleaseVersion" ]]; then
          echo "Version in buildpack.toml ($buidpackTomlVersion) and github release ($githubReleaseVersion) are not identical"
          exit 1
        fi

    - name: Docker login docker.io
      uses: docker/login-action@v3
      with:
        username: ${{ env.DOCKERHUB_USERNAME }}
        password: ${{ env.DOCKERHUB_PASSWORD }}
        registry: ${{ env.DOCKERHUB_REGISTRY }}

    - name: Docker login gcr.io
      uses: docker/login-action@v3
      if: ${{ steps.parse_configs.outputs.push_to_gcr == 'true' }}
      with:
        username: ${{ env.GCR_USERNAME }}
        password: ${{ env.GCR_PASSWORD }}
        registry: ${{ env.GCR_REGISTRY }}

    - name: Push to DockerHub
      if: ${{  steps.parse_configs.outputs.push_to_dockerhub == 'true' }}
      id: push
      env:
        GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
      run: |
        IMAGE="${GITHUB_REPOSITORY_OWNER/-/}/${GITHUB_REPOSITORY#${GITHUB_REPOSITORY_OWNER}/}" # translates 'paketo-buildpacks/bundle-install' to 'paketobuildpacks/bundle-install'
        echo "${DOCKERHUB_PASSWORD}" | sudo skopeo login --username "${DOCKERHUB_USERNAME}" --password-stdin ${DOCKERHUB_REGISTRY}

        ./scripts/publish.sh \
          --buildpack-archive ./buildpack.tgz \
          --image-ref "${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_full }}"

        ## Validate that the digest pushed to registry matches with the one mentioned on the readme file
        pushed_image_index_digest=$(sudo skopeo inspect "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_full }}" | jq -r .Digest)

        if [ "$(cat ./index-digest.sha256)" != "$pushed_image_index_digest" ]; then
          echo "Image index digest pushed to registry does not match with the one mentioned on the readme file"
          exit 1;
        fi

        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_full }}" "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_minor }}" --multi-arch all
        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_full }}" "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_major }}" --multi-arch all
        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:${{ steps.event.outputs.tag_full }}" "docker://${DOCKERHUB_REGISTRY}/${IMAGE}:latest" --multi-arch all
        echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
        echo "digest=$pushed_image_index_digest" >> "$GITHUB_OUTPUT"

    - name: Push to GCR
      if: ${{ steps.parse_configs.outputs.push_to_gcr == 'true' }}
      run: |
        echo "${GCR_PASSWORD}" | sudo skopeo login --username "${GCR_USERNAME}" --password-stdin "${GCR_REGISTRY}"

        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${{ steps.push.outputs.image }}" "docker://${GCR_REGISTRY}/${{ github.repository }}:${{ steps.event.outputs.tag_full }}" --multi-arch all
        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${{ steps.push.outputs.image }}" "docker://${GCR_REGISTRY}/${{ github.repository }}:${{ steps.event.outputs.tag_minor }}" --multi-arch all
        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${{ steps.push.outputs.image }}" "docker://${GCR_REGISTRY}/${{ github.repository }}:${{ steps.event.outputs.tag_major }}" --multi-arch all
        sudo skopeo copy "docker://${DOCKERHUB_REGISTRY}/${{ steps.push.outputs.image }}" "docker://${GCR_REGISTRY}/${{ github.repository }}:latest" --multi-arch all

    - name: Register with CNB Registry
      uses: docker://ghcr.io/buildpacks/actions/registry/request-add-entry:main
      with:
        id: ${{ github.repository }}
        version: ${{ steps.event.outputs.tag_full }}
        address: index.docker.io/${{ steps.push.outputs.image }}@${{ steps.push.outputs.digest }}
        token: ${{ secrets.PAKETO_BOT_GITHUB_TOKEN }}

  failure:
    name: Alert on Failure
    runs-on: ubuntu-22.04
    needs: [push]
    if: ${{ always() && needs.push.result == 'failure' }}
    steps:
    - name: File Failure Alert Issue
      uses: paketo-buildpacks/github-config/actions/issue/file@main
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repo: ${{ github.repository }}
        label: "failure:push"
        comment_if_exists: true
        issue_title: "Failure: Push Buildpackage workflow"
        issue_body: |
          Push Buildpackage workflow [failed](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}).
        comment_body: |
           Another failure occurred: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}