main.yml

name: CI

on: [push, pull_request]

jobs:
  test:
    env:
      MIX_ENV: test
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v2

      - uses: erlef/setup-beam@v1
        with:
          otp-version: 27.2
          elixir-version: 1.18.1

      - run: mix deps.get
      - run: mix format --check-formatted
      - run: mix deps.unlock --check-unused
      - run: MIX_ENV=test mix compile --warnings-as-errors
      - run: mix test

  docker:
    name: Docker (${{ matrix.platform }})
    runs-on: ${{ matrix.runner }}

    permissions:
      contents: 'read'
      id-token: 'write'

    strategy:
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-24.04
          - platform: linux/arm64
            runner: ubuntu-24.04-arm

    env:
      IMAGE_NAME: 'diff'
      PROJECT_ID: 'hexpm-prod'
      SERVICE_ACCOUNT: ${{ secrets.GCLOUD_SERVICE_ACCOUNT }}
      WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCLOUD_WORKFLOW_IDENTITY_POOL_PROVIDER }}

    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Google auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
        with:
          token_format: 'access_token'
          project_id: ${{ env.PROJECT_ID }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}

      - name: Docker Auth
        id: docker-auth
        uses: 'docker/login-action@v3'
        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
        with:
          registry: gcr.io
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'

      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          outputs: type=image,name=gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
          cache-from: type=gha,scope=${{ matrix.runner }}
          cache-to: type=gha,scope=${{ matrix.runner }},mode=max

      - name: Export digest
        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.runner }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  docker-merge:
    name: Docker Merge
    runs-on: ubuntu-24.04
    if: ${{ github.event_name != 'pull_request' && github.repository == 'hexpm/diff' }}
    needs: docker
    permissions:
      contents: 'read'
      id-token: 'write'
    env:
      IMAGE_NAME: 'diff'
      PROJECT_ID: 'hexpm-prod'
      SERVICE_ACCOUNT: ${{ secrets.GCLOUD_SERVICE_ACCOUNT }}
      WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCLOUD_WORKFLOW_IDENTITY_POOL_PROVIDER }}
    steps:
      - name: Set short git commit SHA
        run: echo "COMMIT_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Google auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token'
          project_id: ${{ env.PROJECT_ID }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
      - name: Docker Auth
        uses: 'docker/login-action@v3'
        with:
          registry: gcr.io
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'
      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
            -t gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHORT_SHA }} \
            $(printf 'gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)