.github/workflows/publish.yml

name: Publish
run-name: Publish ${{ inputs.publish_type }}

on:
  workflow_dispatch:
    inputs:
      publish_type:
        description: "Publish Options"
        default: "Initial Publish"
        type: choice
        options:
          - Initial Publish
          - Redeploy
          - Dry Run
      version:
        description: 'Version to publish (default: latest release)'
        required: true
        type: string
        default: latest

jobs:
  setup:
    name: Setup
    runs-on: ubuntu-24.04
    outputs:
      release-version: ${{ steps.version-output.outputs.version }}
    steps:
      - name: Version output
        id: version-output
        run: |
          if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then
            VERSION=$(curl  "https://api.github.com/repos/bitwarden/directory-connector/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
            echo "Latest Released Version: $VERSION"
            echo "version=$VERSION" >> $GITHUB_OUTPUT
          else
            echo "Release Version: ${{ inputs.version }}"
            echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT
          fi

  publish-docker:
    name: Publish Docker images
    runs-on: ubuntu-24.04
    needs: setup
    env:
      _AZ_REGISTRY: bitwardenprod.azurecr.io
      _PROJECT_NAME: key-connector
      _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
    permissions:
      id-token: write
      packages: write
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

      - name: Log in to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Log in to ACR
        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull image
        run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:dev

      - name: Tag version and latest
        run: |
          if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:dryrun
          else
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev $_AZ_REGISTRY/$_PROJECT_NAME:latest

            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:latest
          fi

      - name: Push release version and latest image to ACR
        if: ${{ inputs.publish_type != 'Dry Run' }}
        run: |
          docker push $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
          docker push $_AZ_REGISTRY/$_PROJECT_NAME:latest

      - name: Push release version and latest image
        if: ${{ inputs.publish_type != 'Dry Run' }}
        run: |
          docker push ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
          docker push ghcr.io/bitwarden/$_PROJECT_NAME:latest

      - name: Sign image with Cosign
        run: |
          cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
          cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:latest

      - name: Verify the signed image with Cosign
        run: |
          cosign verify \
            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION

          cosign verify \
            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            ghcr.io/bitwarden/$_PROJECT_NAME:latest

      - name: Log out of Docker
        run: |
          docker logout ghcr.io
          docker logout $_AZ_REGISTRY