#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

timeout: 3600s

steps:
  - name: gcr.io/cloud-builders/git
    dir: "go/src/sigstore"
    args:
      - "clone"
      - "https://github.com/${_TOOL_ORG}/${_TOOL_REPO}"

  - name: gcr.io/cloud-builders/git
    entrypoint: "bash"
    dir: "go/src/sigstore/cosign"
    args:
      - '-c'
      - |
        git fetch
        echo "Checking out ${_GIT_TAG}"
        git checkout ${_GIT_TAG}

  - name: 'gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967'
    dir: "go/src/sigstore/cosign"
    env:
      - TUF_ROOT=/tmp
    args:
      - 'verify'
      - 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405'
      - '--certificate-oidc-issuer'
      - "https://token.actions.githubusercontent.com"
      - '--certificate-identity'
      - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0"

  # maybe we can build our own image and use that to be more in a safe side
  - name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
    entrypoint: /bin/sh
    dir: "go/src/sigstore/cosign"
    env:
      - "GOPATH=/workspace/go"
      - "GOBIN=/workspace/bin"
      - PROJECT_ID=${PROJECT_ID}
      - KEY_LOCATION=${_KEY_LOCATION}
      - KEY_RING=${_KEY_RING}
      - KEY_NAME=${_KEY_NAME}
      - KEY_VERSION=${_KEY_VERSION}
      - GIT_TAG=${_GIT_TAG}
      - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
      - COSIGN_YES=true
      - KO_PREFIX=gcr.io/${PROJECT_ID}
    secretEnv:
      - GITHUB_TOKEN
    args:
      - '-c'
      - |
        gcloud auth configure-docker \
        && make release

  - name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
    entrypoint: 'bash'
    dir: "go/src/sigstore/cosign"
    env:
      - "GOPATH=/workspace/go"
      - "GOBIN=/workspace/bin"
      - PROJECT_ID=${PROJECT_ID}
      - KEY_LOCATION=${_KEY_LOCATION}
      - KEY_RING=${_KEY_RING}
      - KEY_NAME=${_KEY_NAME}
      - KEY_VERSION=${_KEY_VERSION}
      - GIT_TAG=${_GIT_TAG}
      - KO_PREFIX=gcr.io/${PROJECT_ID}
      - COSIGN_YES=true
      - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
      - GITHUB_USER=${_GITHUB_USER}
    secretEnv:
      - GITHUB_TOKEN
    args:
      - '-c'
      - |
        echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
        && make sign-release-images && make copy-signed-release-to-ghcr || true

availableSecrets:
  secretManager:
    - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
      env: GITHUB_TOKEN

artifacts:
  objects:
    location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
    paths:
      - "go/src/sigstore/cosign/dist/*"
      - "go/src/sigstore/cosign/release/release-cosign.pub"

options:
  machineType: E2_HIGHCPU_32

tags:
  - cosign-release
  - ${_GIT_TAG}
  - ${_TOOL_ORG}
  - ${_TOOL_REPO}

substitutions:
  _GIT_TAG: 'v1.23.45'
  _TOOL_ORG: 'honk'
  _TOOL_REPO: 'honk-repo'
  _STORAGE_LOCATION: 'honk'
  _KEY_RING: 'honk-ring'
  _KEY_NAME: 'honk-crypto'
  _KEY_VERSION: '1'
  _KEY_LOCATION: 'global'
  _GITHUB_USER: 'placeholder'