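---
# Docker Scout comparison for pull requests.
#
# For every apko image variant in the matrix, the job rebuilds the image from
# the PR's config, loads it into the local Docker daemon and runs
# `docker scout compare` against the `<variant>-latest` tag already published
# in the registry. A variant whose `-latest` tag does not exist yet is skipped.
#
# Secrets are not exposed to workflows triggered by pull requests from forks,
# so the registry login (and therefore the whole job) fails for fork PRs.
name: Docker Scout Analysis

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: ["**"]

# Least privilege for GITHUB_TOKEN. NOTE(review): no step in this job writes
# to the pull request (no comment is posted, no status is set), so
# `pull-requests: write` looks wider than needed — confirm and narrow to `read`.
permissions:
  contents: read
  pull-requests: write

env:
  # Repository part of every image reference; the tag is `<variant>-<suffix>`.
  IMAGE_NAME: base-distro

jobs:
  scout:
    runs-on: ubuntu-latest
    # Bound the job so a hung download or scan cannot occupy a runner for hours.
    timeout-minutes: 30
    defaults:
      run:
        # An explicit `shell: bash` runs every step under `-eo pipefail`, so a
        # failing `curl` inside a pipeline aborts the step instead of being
        # masked by the command after the pipe.
        shell: bash
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter-sdk.yaml
            variant: flutter-sdk
    steps:
      # Without a `registry:` input, docker/login-action authenticates to
      # Docker Hub. NOTE(review): if REGISTRY_URL is not Docker Hub, add
      # `registry: ${{ secrets.REGISTRY_URL }}` here; otherwise the manifest
      # lookup and the compare below run against that registry unauthenticated.
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Expression values are handed to the script through environment
      # variables rather than interpolated into its text, so they are never
      # parsed as shell code. Sets `run` to "true"/"false" for the later steps.
      - name: Check if latest image exists
        id: should_run
        env:
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          VARIANT: ${{ matrix.variant }}
        run: |
          LATEST_REF="${REGISTRY_URL}/${IMAGE_NAME}:${VARIANT}-latest"
          if docker manifest inspect "${LATEST_REF}" > /dev/null 2>&1; then
            echo "run=true" >> "${GITHUB_OUTPUT}"
            echo "${VARIANT}-latest found, Scout compare will run"
          else
            echo "run=false" >> "${GITHUB_OUTPUT}"
            echo "No ${VARIANT}-latest found, skipping"
          fi

      - name: Checkout code
        if: steps.should_run.outputs.run == 'true'
        uses: actions/checkout@v4
        with:
          # Nothing in this job runs git after checkout, so the token does not
          # need to stay in the local git config.
          persist-credentials: false

      # The release asset is downloaded from GitHub without checksum or
      # signature verification. NOTE(review): pin APKO_VERSION to a known
      # release and verify the asset against the release's checksum file
      # before extracting it, so a replaced asset cannot reach the build.
      - name: Install apko
        if: steps.should_run.outputs.run == 'true'
        env:
          # Empty: resolve the latest release (previous behaviour). Set to a
          # release tag such as "vX.Y.Z" (placeholder) to pin the version.
          APKO_VERSION: ""
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          if [ -z "${APKO_VERSION}" ]; then
            APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          fi
          # `jq -r` prints the literal string "null" when the field is missing;
          # fail here rather than requesting a nonsensical download URL.
          if [ -z "${APKO_VERSION}" ] || [ "${APKO_VERSION}" = "null" ]; then
            echo "could not resolve an apko release tag" >&2
            exit 1
          fi
          APKO_VERSION_NUM="${APKO_VERSION#v}"
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
            -o /tmp/apko.tar.gz
          tar xzf /tmp/apko.tar.gz -C /usr/local/bin apko
          rm /tmp/apko.tar.gz

      # Builds the PR image into a tarball and loads it into the local daemon;
      # the image is never pushed, the `-pr-<number>` tag only names it locally.
      - name: Build image locally
        if: steps.should_run.outputs.run == 'true'
        env:
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          VARIANT: ${{ matrix.variant }}
          CONFIG: ${{ matrix.config }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          PR_REF="${REGISTRY_URL}/${IMAGE_NAME}:${VARIANT}-pr-${PR_NUMBER}"
          apko build "${CONFIG}" "${PR_REF}" "${VARIANT}.tar"
          docker load < "${VARIANT}.tar"

      # install.sh is fetched from the `main` branch of docker/scout-cli, so
      # the installed CLI changes over time and the script is not verified.
      # NOTE(review): consider pinning the ref (tag or commit) in this URL and
      # checking the script's digest before running it.
      - name: Install Docker Scout
        if: steps.should_run.outputs.run == 'true'
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      # The comparison is advisory: the step succeeds whatever it finds. Add
      # `--exit-code` to fail the job when the PR image introduces new
      # critical/high findings relative to `-latest`.
      - name: Docker Scout Compare
        if: steps.should_run.outputs.run == 'true'
        env:
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          VARIANT: ${{ matrix.variant }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          PR_REF="${REGISTRY_URL}/${IMAGE_NAME}:${VARIANT}-pr-${PR_NUMBER}"
          LATEST_REF="${REGISTRY_URL}/${IMAGE_NAME}:${VARIANT}-latest"
          docker scout compare "${PR_REF}" \
            --to "${LATEST_REF}" \
            --ignore-unchanged \
            --only-severity critical,high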