name: CI

## Only run when:
##   - manually triggered
##   - PR's are (re)opened
##   - push to master (i.e. merge develop -> master)

on:
  push:
    branches:
      - master
  pull_request:
  workflow_dispatch:
    inputs:
      tag:
        description: "The tag to create (optional)"
        required: false

concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  ## rust format: Execute on every run
  rustfmt:
    name: Rust Format
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the latest code
        id: git_checkout
        uses: actions/checkout@v3
      - name: Define Rust Toolchain
        id: define_rust_toolchain
        run: echo "RUST_TOOLCHAIN=$(cat ./rust-toolchain)" >> $GITHUB_ENV
      - name: Setup Rust Toolchain
        id: setup_rust_toolchain
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
          components: rustfmt
      - name: Rustfmt 
        id: rustfmt
        uses: actions-rust-lang/rustfmt@v1

  ## Release tests: Execute on every run
  release-tests:
    name: Release Tests
    uses: ./.github/workflows/stacks-blockchain-tests.yml

  ## Checked for leaked credentials: Execute on every run
  leaked-cred-test:
    name: Leaked Credential Test
    runs-on: ubuntu-latest
    steps:
      - name: Extract branch name
        id: extract_branch
        if: ${{ github.event_name != 'pull_request' }}
        run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
      - name: Extract branch name
        id: extract_branch_pr
        if: ${{ github.event_name == 'pull_request' }}
        run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF})" >> $GITHUB_ENV
      - name: Branch name
        run: echo running on branch ${{ env.BRANCH_NAME }}
      - name: Checkout the latest code
        id: git_checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: TruffleHog Scan
        id: trufflehog_check
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ env.BRANCH_NAME }}
          head: HEAD

  ###############################################
  ## Build Tagged Release
  ###############################################
  ## Build source binaries
  ## Only run if:
  ##    - Tag is provided
  ##    - OR
  ##        - Not the default branch
  ##        - AND
  ##        - Not a PR
  build-source:
    if: ${{ inputs.tag != '' || (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) && !contains(github.ref, 'refs/pull')) }}
    name: Build Binaries
    uses: stacks-network/stacks-blockchain/.github/workflows/build-source-binary.yml@master
    needs:
      - rustfmt
      - release-tests
      - leaked-cred-test
    with:
      tag: ${{ inputs.tag }}
      parallel_jobs: 4
      arch: >-
        ["linux-glibc-x64", "linux-musl-x64", "linux-glibc-arm64", "linux-musl-arm64", "macos-x64", "macos-arm64", "windows-x64"]

  ## Create github release with binary archives
  ## Only run if:
  ##    - Tag is provided
  ##    - OR
  ##        - Not the default branch
  ##        - AND
  ##        - Not a PR
  github-release:
    if: ${{ inputs.tag != '' || (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) && !contains(github.ref, 'refs/pull')) }}
    name: Github Release
    uses: stacks-network/stacks-blockchain/.github/workflows/github-release.yml@master
    needs: build-source
    with:
      tag: ${{ inputs.tag }}
      arch: >-
        ["linux-glibc-x64", "linux-musl-x64", "linux-glibc-arm64", "linux-musl-arm64", "macos-x64", "macos-arm64", "windows-x64"]
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

  ## Create docker alpine images
  ## Only run if:
  ##    - Tag is provided
  ##    - OR
  ##      - Not the default branch
  ##      - AND
  ##      - Not a PR
  docker-alpine:
    if: ${{ inputs.tag != '' || (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) && !contains(github.ref, 'refs/pull')) }}
    name: Docker Alpine (Binary)
    uses: stacks-network/stacks-blockchain/.github/workflows/image-build-alpine-binary.yml@master
    needs: github-release
    with:
      tag: ${{ inputs.tag }}
      docker_platforms: linux/arm64, linux/amd64, linux/amd64/v2, linux/amd64/v3
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

  ## Create docker debian images
  ## Only run if:
  ##    - Tag is provided
  ##    - OR
  ##        - Not the default branch
  ##        - AND
  ##        - Not a PR
  docker-debian:
    if: ${{ inputs.tag != '' || (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) && !contains(github.ref, 'refs/pull')) }}
    name: Docker Debian (Binary)
    uses: stacks-network/stacks-blockchain/.github/workflows/image-build-debian-binary.yml@master
    needs: github-release
    with:
      tag: ${{ inputs.tag }}
      docker_platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3
      linux_version: debian
      build_type: binary
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

  ###############################################
  ## Build Branch/PR
  ###############################################
  ## Create docker debian images
  ## Only run if:
  ##   - Tag is *not* provided
  build-branch:
    if: ${{ inputs.tag == '' }}
    name: Docker Debian (Source)
    uses: stacks-network/stacks-blockchain/.github/workflows/image-build-debian-source.yml@master
    needs:
      - rustfmt
      - leaked-cred-test
    with:
      docker_platforms: linux/amd64
      linux_version: debian
      build_type: source
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}