name: Weekly Rebuild (CVE Updates)

on:
  schedule:
    # Rebuild weekly to pick up Wolfi security patches
    - cron: '0 6 * * 1'
  push:
    paths:
      - '.gitea/workflows/rebuild.yaml'

permissions:
  contents: read

env:
  IMAGE_NAME: base-distro

jobs:
  rebuild:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter-sdk.yaml
            variant: flutter-sdk
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install apko
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          APKO_VERSION_NUM="${APKO_VERSION#v}"
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
            -o /tmp/apko.tar.gz
          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
          rm /tmp/apko.tar.gz

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Determine upstream version
        id: version
        run: |
          VARIANT="${{ matrix.variant }}"

          case "$VARIANT" in
            base|build)
              UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
              if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
                UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
              fi
              ;;
            dotnet-runtime)
              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
              ;;
            dotnet-sdk)
              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
              ;;
            flutter-sdk)
              UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
                | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
              ;;
          esac

          echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
          echo "Upstream version for ${VARIANT}: ${UPSTREAM}"

          REPO_NAME="${{ env.IMAGE_NAME }}"
          REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
          NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')

          EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
            | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")

          MAX_BUILD=0
          for tag in $EXISTING_TAGS; do
            BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
            if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then
              MAX_BUILD=$BUILD_NUM
            fi
          done

          NEXT_BUILD=$((MAX_BUILD + 1))
          VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}"
          echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
          echo "Next version tag: ${VERSION_TAG}"

      - name: Build apko image tarball
        run: |
          apko build ${{ matrix.config }} \
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
            /tmp/image.tar
          echo 'FROM scratch' > /tmp/Dockerfile
          echo 'ADD image.tar /' >> /tmp/Dockerfile

      - name: Build and push with buildx (SBOM + provenance)
        uses: docker/build-push-action@v5
        with:
          context: /tmp
          file: /tmp/Dockerfile
          push: true
          sbom: true
          provenance: mode=max
          tags: |
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      - name: Docker Scout CVE Scan
        run: |
          docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high