cost-model/.github/workflows/build-and-publish-release.yml

name: Build and Publish Release

on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
  workflow_dispatch:
    inputs:
      release_version:
        description: "Version of the release"
        required: true

permissions: {}

concurrency:
  group: build-opencost
  cancel-in-progress: true

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io

jobs:
  build-and-publish-opencost:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Get Version From Tag
        id: tag
        if: ${{ github.event_name }} == 'push'
        run: |
          echo "TRIGGERED_TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Determine Version Number
        id: version_number
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
        run: |
          if [ -z "${TRIGGERED_TAG}" ];
          then
            version=$RELEASE_VERSION
          else
            version=$TRIGGERED_TAG
          fi
          if [[ ${version:0:1} == "v" ]];
          then
            echo "RELEASE_VERSION=${version:1}" >> $GITHUB_OUTPUT
          else
            echo "RELEASE_VERSION=$version" >> $GITHUB_OUTPUT
          fi

      - name: Show Input Values
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
        run: |
          echo "release version: $RELEASE_VERSION"

      - name: Make Branch Name
        id: branch
        env:
          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
        run: |
          echo "BRANCH_NAME=v${RELEASE_VERSION%.*}" >> $GITHUB_OUTPUT

      - name: Checkout Repo
        uses: actions/checkout@v6.0.2
        with:
          ref: '${{ steps.branch.outputs.BRANCH_NAME }}'

      - name: Set SHA
        id: sha
        run: |
          echo "OC_SHORTHASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Set OpenCost Image Tags
        id: tags
        env:
          REPO_OWNER: ${{ github.repository_owner }}
          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
        run: |
          echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:$OC_SHORTHASH" >> $GITHUB_OUTPUT
          echo "IMAGE_TAG_LATEST=ghcr.io/$REPO_OWNER/opencost:latest" >> $GITHUB_OUTPUT
          echo "IMAGE_TAG_VERSION=ghcr.io/$REPO_OWNER/opencost:$RELEASE_VERSION" >> $GITHUB_OUTPUT

      - name: Build and publish container
        uses: ./.github/actions/build-container 
        with:
          actor: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          image_tag: ${{ steps.tags.outputs.IMAGE_TAG }}
          release_version: ${{ steps.version_number.outputs.RELEASE_VERSION }}

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v4
        with:
            registry: ${{ env.REGISTRY }}
            username: ${{ github.actor }}
            password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install crane
        uses: imjasonh/setup-crane@v0.5

      - name: Copy tags
        env:
          IMAGE_TAG: ${{ steps.tags.outputs.IMAGE_TAG }}
          IMAGE_TAG_LATEST: ${{ steps.tags.outputs.IMAGE_TAG_LATEST }}
          IMAGE_TAG_VERSION: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
        run: |
          crane copy "$IMAGE_TAG" "$IMAGE_TAG_LATEST"
          crane copy "$IMAGE_TAG" "$IMAGE_TAG_VERSION"

      - name: Sign image and attest SLSA provenance
        # Only sign tag-triggered releases; workflow_dispatch runs produce a
        # non-tag GITHUB_REF, so the Fulcio certificate identity would not
        # match the `refs/tags/vX.Y.Z` pattern documented in SECURITY.md.
        if: github.event_name == 'push'
        uses: ./.github/actions/sign-image
        with:
          image: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
          workflow-path: .github/workflows/build-and-publish-release.yml
          run-started-at: ${{ github.run_started_at }}