name: pulumi sdk containers build
on:
  repository_dispatch:
    types:
      - docker-build
env:
  VERSION: ${{ github.event.client_payload.ref }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}

jobs:
  pulumi:
    name: pulumi image build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v2
      - name: Build Pulumi Image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/pulumi
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/pulumi/Dockerfile
          additional-tags: v${{ env.VERSION }}
          tag-latest: true
          build-args: PULUMI_VERSION=v${{ env.VERSION }}
      - name: Build Pulumi GitHub Actions Image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/actions
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/actions/Dockerfile
          additional-tags: v${{ env.VERSION }}
          tag-latest: true
          build-args: PULUMI_VERSION=v${{ env.VERSION }}
  base:
    name: base sdk image build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@master
      - name: Build base image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/pulumi-base
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/base/Dockerfile
          additional-tags: ${{ env.VERSION }}
          tag-latest: true
          build-args: PULUMI_VERSION=${{ env.VERSION }}
      - uses: meeDamian/sync-readme@v1.0.6
        name: Sync readme to Docker Hub
        with:
          user: "pulumibot"
          pass: ${{ secrets.DOCKER_HUB_TOKEN }}
          slug: pulumi/pulumi-base
          readme: docker/README.md
          description: Pulumi CLI container - bring your own SDK
  base_os:
    name: os base sdk image build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        os: [ "ubi", "debian" ]
    steps:
      - uses: actions/checkout@master
      - name: Build base image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/pulumi-base
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/base/Dockerfile.${{ matrix.os }}
          additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
          tag-latest: false
          build-args: PULUMI_VERSION=${{ env.VERSION }}
  sdk:
    name: language sdk image
    runs-on: ubuntu-latest
    needs: base
    strategy:
      fail-fast: false
      matrix:
        sdk: [ "nodejs", "python", "dotnet", "go" ]
    steps:
      - uses: actions/checkout@master
      - name: Build image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/pulumi-${{matrix.sdk}}
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/${{ matrix.sdk }}/Dockerfile
          additional-tags: ${{ env.VERSION }}
          build-args: PULUMI_VERSION=${{ env.VERSION }}
          tag-latest: true
      - uses: meeDamian/sync-readme@v1.0.6
        name: Sync readme to Docker Hub
        with:
          user: "pulumibot"
          pass: ${{ secrets.DOCKER_HUB_TOKEN }}
          slug: pulumi/pulumi-${{matrix.sdk}}
          readme: docker/README.md
          description: Pulumi CLI container for ${{ matrix.sdk }}
  os_sdk:
    name: os language sdk image
    runs-on: ubuntu-latest
    needs: base_os
    strategy:
      fail-fast: false
      matrix:
        sdk: [ "nodejs", "python", "dotnet", "go" ]
        os: [ "ubi", "debian" ]
    steps:
      - uses: actions/checkout@master
      - name: Build image
        uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
        with:
          repository: pulumi/pulumi-${{matrix.sdk}}
          buildkit: true
          username: "pulumibot"
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
          dockerfile: docker/${{ matrix.sdk }}/Dockerfile.${{ matrix.os }}
          additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
          build-args: PULUMI_VERSION=${{ env.VERSION }}
          tag-latest: true
  image-scan:
    name: scan container images
    runs-on: ubuntu-latest
    needs: os_sdk
    strategy:
      matrix:
        image: [ "base", "nodejs", "python", "go" ]
        os: [ "ubi" ]
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check Docker images for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: pulumi/pulumi-${{matrix.image}}:${{ env.VERSION }}-${{ matrix.os }}
          args: --severity-threshold=high --file=docker/${{matrix.image}}/Dockerfile.${{ matrix.os }}