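# CI workflow: lint, tidy-check, test and scan the Go code and its Docker
# image (job `verify`), then build and push the multi-arch image to Docker Hub
# (job `publish`).
#
# Supply-chain note: actions are referenced by tag or branch in this file.
# Only a full commit SHA is an immutable reference; tags and branches can be
# moved by the action's owner.
name: CI

on:
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - "cmd/**"
      - "internal/**"
      - "pkg/**"
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - "cmd/**"
      - "internal/**"
      - "pkg/**"
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum

# Least privilege for the automatic GITHUB_TOKEN: the steps below only need to
# read the repository (checkout). Registry and Snyk access use their own
# secrets, not this token.
permissions:
  contents: read

jobs:
  verify:
    # Only run if it's a push event or if it's a PR from this repository
    # (presumably because pull requests from forks do not receive the
    # repository secrets used by the Snyk steps).
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    env:
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v2.3.4

      # Each check is a separate Dockerfile target, so a failure points at
      # the stage that broke.
      - name: Linting
        run: docker build --target lint .

      - name: Go mod tidy check
        run: docker build --target tidy .

      - name: Build test image
        run: docker build --target test -t test-container .

      - name: Run tests in test container
        # coverage.txt is created on the host first so the bind mount maps a
        # file; otherwise Docker would create a directory at that path.
        run: |
          touch coverage.txt
          docker run --rm \
            -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
            test-container

      - name: Code security analysis
        # NOTE(review): `@master` is a mutable ref and this step receives
        # SNYK_TOKEN. Pin to a release tag or, better, a vetted full commit
        # SHA so an upstream change cannot run with the token unreviewed.
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Build final image
        run: docker build -t final-image .

      - name: Image security analysis
        # NOTE(review): same mutable `@master` ref as the Go scan above in
        # this job; pin it the same way.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: final-image

  publish:
    # Only run if it's a push event or if it's a PR from this repository
    # NOTE(review): this condition also lets same-repository pull requests
    # reach the push step below, so unmerged branch code is published under
    # the resolved version tag. If that is not intended, restrict this job to
    # `github.event_name == 'push'`.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    needs: [verify]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.3.4
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      - uses: docker/login-action@v1
        with:
          username: qmcgaw
          # NOTE(review): confirm this secret holds a scoped Docker Hub
          # access token rather than the account password.
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Set variables
        id: vars
        # Outputs are written to the $GITHUB_OUTPUT file; the `::set-output`
        # workflow command is deprecated. Values are quoted so the shell does
        # not word-split or glob them.
        # NOTE(review): no tag trigger is declared under `on:`, so with the
        # triggers in this file GITHUB_REF is never a tag ref and the version
        # resolves to `latest`.
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          if [ "$TAG" != "$GITHUB_REF" ]; then
            VERSION="$TAG"
          else
            VERSION=latest
          fi
          {
            echo "commit=$(git rev-parse --short HEAD)"
            echo "created=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
            echo "version=$VERSION"
            echo "platforms=linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le"
          } >> "$GITHUB_OUTPUT"

      - name: Build and push final image
        uses: docker/build-push-action@v2.6.1
        with:
          platforms: ${{ steps.vars.outputs.platforms }}
          build-args: |
            CREATED=${{ steps.vars.outputs.created }}
            COMMIT=${{ steps.vars.outputs.commit }}
            VERSION=${{ steps.vars.outputs.version }}
          tags: |
            qmcgaw/gluetun:${{ steps.vars.outputs.version }}
            qmcgaw/private-internet-access:${{ steps.vars.outputs.version }}
          push: true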