.github/workflows/release.yml

---
name: Release
run-name: Release - ${{ github.event.inputs.release_type }}

on:
  workflow_dispatch:
    inputs:
      release_type:
        description: 'Release Options'
        default: 'Initial Release'
        type: choice
        options:
          - Initial Release
          - Redeploy
          - Dry Run

jobs:
  setup:
    name: Setup
    runs-on: ubuntu-22.04
    outputs:
      release_version: ${{ steps.version.outputs.version }}
      branch-name: ${{ steps.branch.outputs.branch-name }}
    steps:
      - name: Branch check
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
        run: |
          if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc" ]]; then
            echo "==================================="
            echo "[!] Can only release from the 'rc' or 'hotfix-rc' branches"
            echo "==================================="
            exit 1
          fi

      - name: Checkout repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Check Release Version
        id: version
        uses: bitwarden/gh-actions/release-version-check@main
        with:
          release-type: ${{ github.event.inputs.release_type }}
          project-type: dotnet
          file: src/KeyConnector/KeyConnector.csproj

      - name: Get branch name
        id: branch
        run: |
          BRANCH_NAME=$(basename ${{ github.ref }})
          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT

  release-github:
    name: Create GitHub Release
    if: ${{ github.event.inputs.release_type != 'Dry Run' }}
    runs-on: ubuntu-22.04
    needs: setup
    steps:
      - name: Create release
        uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
        with:
          commit: ${{ github.sha }}
          tag: "v${{ needs.setup.outputs.release_version }}"
          name: "Version ${{ needs.setup.outputs.release_version }}"
          body: "<insert release notes here>"
          token: ${{ secrets.GITHUB_TOKEN }}
          draft: true

  release-docker:
    name: Build Docker images
    runs-on: ubuntu-22.04
    needs:
      - setup
      - release-github
    env:
      _AZ_REGISTRY: bitwardenprod.azurecr.io
      _PROJECT_NAME: key-connector
      _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
      _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
      _RELEASE_OPTION: ${{ github.event.inputs.release_type }}
    steps:
      - name: Print environment
        run: |
          whoami
          docker --version
          echo "GitHub ref: $GITHUB_REF"
          echo "GitHub event: $GITHUB_EVENT"
          echo "Github Release Option: $_RELEASE_OPTION"

      - name: Login to Azure - Prod Subscription
        uses: Azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.5.1
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Login to Azure ACR
        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

      - name: Setup DCT
        id: setup-dct
        uses: bitwarden/gh-actions/setup-docker-trust@main
        with:
          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-ci"

      - name: Pull image
        run: |
          if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
            docker pull $_AZ_REGISTRY/$_PROJECT_NAME:dev
          else
            docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME
          fi

      - name: Tag version and latest
        run: |
          if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev bitwarden/$_PROJECT_NAME:dryrun
          else
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$_PROJECT_NAME:latest

            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME bitwarden/$_PROJECT_NAME:latest
          fi

      - name: Push release version and latest image to ACR
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
        run: |
          docker push $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
          docker push $_AZ_REGISTRY/$_PROJECT_NAME:latest

      - name: Push release version and latest image to Docker Hub
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
        env:
          DOCKER_CONTENT_TRUST: 1
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
        run: |
          docker push bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
          docker push bitwarden/$_PROJECT_NAME:latest

      - name: Log out of Docker
        run: docker logout


  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-22.04
    needs:
      - release-docker
      - release-github
      - setup
    steps:
      - name: Check if any job failed
        if: |
          github.ref == 'refs/heads/master'
          || github.ref == 'refs/heads/rc'
          || github.ref == 'refs/heads/hotfix'
        env:
          RELEASE_DOCKER_STATUS: ${{ needs.release-docker.result }}
          RELEASE_GITHUB_STATUS: ${{ needs.release-github.result }}
          SETUP_STATUS: ${{ needs.setup.result }}
        run: |
          if [ "$RELEASE_DOCKER_STATUS" = "failure" ]; then
            exit 1
          elif [ "$RELEASE_GITHUB_STATUS" = "failure" ]; then
            exit 1
          elif [ "$SETUP_STATUS" = "failure" ]; then
            exit 1
          fi

      - name: Login to Azure - CI subscription
        uses: Azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.5.1
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}