.github/workflows/ci.yml

name: CI

on:
  push:
    branches:
      - main
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+*"
  pull_request:
    branches:
      - main

env:
  platforms: linux/amd64,linux/arm64

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: ["3.17", "3.19", "3.20"]
        openssl_version: ["3.0.9"]
      fail-fast: false
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Setup QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
        with:
          platforms: arm64
        if: github.event_name != 'pull_request'

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.event_name != 'pull_request' }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            name=ghcr.io/nginxinc/alpine-fips
          tags: |
            type=edge
            type=ref,event=pr,suffix=-alpine${{ matrix.image }}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}},suffix=-alpine${{ matrix.image }}
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

      - name: Build Docker image
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: build-push
        with:
          file: Dockerfile
          context: "."
          cache-from: type=gha,scope=alpine${{ matrix.image }}
          cache-to: type=gha,scope=alpine${{ matrix.image }},mode=max
          tags: ${{ steps.meta.outputs.tags }}
          load: ${{ github.event_name == 'pull_request' }}
          push: ${{ github.event_name != 'pull_request' }}
          platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
          annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
          target: alpine
          pull: true
          sbom: ${{ github.event_name != 'pull_request' }}
          provenance: ${{ github.event_name != 'pull_request' }}
          build-args: |
            BUILD_OS=alpine:${{ matrix.image }}
            OPENSSL_VERSION=${{ matrix.openssl_version }}

      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
        continue-on-error: true
        id: scan
        with:
          image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}
          only-fixed: true
          add-cpes-if-none: true

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Create/Update Draft
        uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
        with:
          minor-label: "enhancement"
          major-label: "change"
          publish: ${{ startsWith(github.ref, 'refs/tags/') }}
          collapse-after: 20
        if: ${{ github.event_name != 'pull_request' }}