name: Build images (DockerHub)

on:
  release:
    types:
      - published
  push:
    branches:
      - '[0-9]+.[0-9]+'
      - 'trunk'
    paths:
      - 'Dockerfiles/**'
      - 'build.json'
      - '!**/README.md'
      - '!Dockerfiles/*/rhel/*'
      - '!Dockerfiles/*/windows/*'
      - '.github/workflows/images_build.yml'
  schedule:
    - cron:  '50 02 * * *'
  workflow_dispatch:

defaults:
  run:
    shell: bash

permissions:
   contents: read

env:
  TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
  AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}

  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
  LATEST_BRANCH: ${{ github.event.repository.default_branch }}
  TRUNK_GIT_BRANCH: "refs/heads/trunk"
  IMAGES_PREFIX: "zabbix-"

  BASE_BUILD_NAME: "build-base"
  BASE_CACHE_FILE_NAME: "base_image_metadata.json"
  BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json"

  MATRIX_FILE: "build.json"
  DOCKERFILES_DIRECTORY: "./Dockerfiles"

  OIDC_ISSUER: "https://token.actions.githubusercontent.com"
  IDENTITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"

  DOCKER_REGISTRY_TEST: "ghcr.io"
  DOCKER_REPOSITORY_TEST: "zabbix"

jobs:
  init_build:
    name: Initialize build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      os: ${{ steps.os.outputs.list }}
      database: ${{ steps.database.outputs.list }}
      components: ${{ steps.components.outputs.list }}
      is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
      current_branch: ${{ steps.branch_info.outputs.current_branch }}
      sha_short: ${{ steps.branch_info.outputs.sha_short }}
    steps:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
          fetch-depth: 1
          sparse-checkout: ${{ env.MATRIX_FILE }}

      - name: Check ${{ env.MATRIX_FILE }} file
        id: build_exists
        env:
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            if [[ ! -f "$MATRIX_FILE" ]]; then
                echo "::error::File $MATRIX_FILE is missing"
                exit 1
            fi

      - name: Prepare Operating System list
        id: os
        env:
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            os_list=$(jq -r '.["os-linux"] |  keys | map(select(. != "rhel")) | [ .[] | tostring ] | @json' "$MATRIX_FILE")

            echo "::group::Operating System List"
            echo "$os_list"
            echo "::endgroup::"

            echo "list=$os_list" >> $GITHUB_OUTPUT

      - name: Prepare Database engine list
        id: database
        env:
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            database_list=$(jq -r '[.components | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE")

            echo "::group::Database List"
            echo "$database_list"
            echo "::endgroup::"

            echo "list=$database_list" >> $GITHUB_OUTPUT

      - name: Prepare Zabbix component list
        id: components
        env:
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE")

            echo "::group::Zabbix Component List"
            echo "$component_list"
            echo "::endgroup::"

            echo "list=$component_list" >> $GITHUB_OUTPUT

      - name: Get branch info
        id: branch_info
        env:
          LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
          github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }}
        run: |
            result=false
            sha_short=$(git rev-parse --short HEAD)

            if [[ "$github_ref" == "refs/tags/"* ]]; then
                github_ref=${github_ref%.*}
            fi

            github_ref=${github_ref##*/}

            if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
                result=true
            fi

            echo "::group::Branch data"
            echo "is_default_branch - $result"
            echo "current_branch - $github_ref"
            echo "sha_short - $sha_short"
            echo "::endgroup::"

            echo "is_default_branch=$result" >> $GITHUB_OUTPUT
            echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
            echo "sha_short=$sha_short" >> $GITHUB_OUTPUT

  build_base:
    timeout-minutes: 30
    name: Build base on ${{ matrix.os }}
    needs: init_build
    strategy:
      fail-fast: false
      matrix:
        os: ${{ fromJson(needs.init_build.outputs.os) }}

    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            abqix.mm.fcix.net:80
            api.github.com:443
            archive.ubuntu.com:443
            archive.ubuntu.com:80
            atl.mirrors.knownhost.com:443
            atl.mirrors.knownhost.com:80
            auth.docker.io:443
            bungi.mm.fcix.net:443
            bungi.mm.fcix.net:80
            cdn03.quay.io:443
            centos-distro.1gservers.com:80
            centos-distro.cavecreek.net:80
            centos-stream-distro.1gservers.com:443
            centos-stream-distro.1gservers.com:80
            centos.hivelocity.net:80
            centos.mirror.constant.com:80
            centos.mirror.shastacoe.net:80
            coresite.mm.fcix.net:80
            d2lzkl7pfhq30w.cloudfront.net:443
            dfw.mirror.rackspace.com:443
            dfw.mirror.rackspace.com:80
            distro.ibiblio.org:80
            dl-cdn.alpinelinux.org:443
            download.cf.centos.org:443
            download.cf.centos.org:80
            epel.gb.ssimn.org:443
            epel.mirror.constant.com:443
            epel.mirror.constant.com:80
            epel.stl.us.ssimn.org:443
            epel.stl.us.ssimn.org:80
            fedora.nyherji.is:443
            fedora.nyherji.is:80
            forksystems.mm.fcix.net:443
            forksystems.mm.fcix.net:80
            ftp-nyc.osuosl.org:443
            ftp-nyc.osuosl.org:80
            ftp-osl.osuosl.org:443
            ftp-osl.osuosl.org:80
            ftp.agdsn.de:443
            ftp.agdsn.de:80
            ftp.fau.de:443
            ftp.fau.de:80
            ftp.halifax.rwth-aachen.de:443
            ftp.halifax.rwth-aachen.de:80
            ftp.osuosl.org:80
            ftp.plusline.net:443
            ftp.plusline.net:80
            ftp.uni-stuttgart.de:80
            ftpmirror.your.org:80
            fulcio.sigstore.dev:443
            ghcr.io:443
            github.com:443
            iad.mirror.rackspace.com:443
            iad.mirror.rackspace.com:80
            ima.mm.fcix.net:80
            index.docker.io:443
            ix-denver.mm.fcix.net:443
            ix-denver.mm.fcix.net:80
            la.mirrors.clouvider.net:80
            lesnet.mm.fcix.net:443
            lesnet.mm.fcix.net:80
            level66.mm.fcix.net:80
            linux-mirrors.fnal.gov:80
            linux.cc.lehigh.edu:80
            linux.mirrors.es.net:80
            mirror-mci.yuki.net.uk:443
            mirror-mci.yuki.net.uk:80
            mirror.23m.com:443
            mirror.23m.com:80
            mirror.arizona.edu:443
            mirror.arizona.edu:80
            mirror.ash.fastserv.com:80
            mirror.centos.iad1.serverforge.org:80
            mirror.chpc.utah.edu:80
            mirror.clarkson.edu:80
            mirror.cogentco.com:80
            mirror.dal.nexril.net:443
            mirror.dal.nexril.net:80
            mirror.datto.com:80
            mirror.de.leaseweb.net:443
            mirror.de.leaseweb.net:80
            mirror.dogado.de:443
            mirror.dogado.de:80
            mirror.ette.biz:80
            mirror.facebook.net:443
            mirror.facebook.net:80
            mirror.fcix.net:443
            mirror.fcix.net:80
            mirror.genesishosting.com:80
            mirror.grid.uchicago.edu:80
            mirror.hoobly.com:443
            mirror.hoobly.com:80
            mirror.imt-systems.com:443
            mirror.imt-systems.com:80
            mirror.keystealth.org:80
            mirror.lstn.net:443
            mirror.lstn.net:80
            mirror.math.princeton.edu:443
            mirror.math.princeton.edu:80
            mirror.metrocast.net:443
            mirror.metrocast.net:80
            mirror.netcologne.de:443
            mirror.netcologne.de:80
            mirror.netzwerge.de:443
            mirror.netzwerge.de:80
            mirror.nodesdirect.com:80
            mirror.pilotfiber.com:443
            mirror.pilotfiber.com:80
            mirror.rackspace.com:443
            mirror.rackspace.com:80
            mirror.scaleuptech.com:443
            mirror.scaleuptech.com:80
            mirror.servaxnet.com:443
            mirror.servaxnet.com:80
            mirror.sfo12.us.leaseweb.net:443
            mirror.sfo12.us.leaseweb.net:80
            mirror.siena.edu:80
            mirror.steadfastnet.com:80
            mirror.stream.centos.org:443
            mirror.stream.centos.org:80
            mirror.team-cymru.com:443
            mirror.team-cymru.com:80
            mirror.umd.edu:443
            mirror.umd.edu:80
            mirror.us-midwest-1.nexcess.net:80
            mirror.us.oneandone.net:80
            mirror.vacares.com:80
            mirror.vtti.vt.edu:80
            mirror.wdc2.us.leaseweb.net:80
            mirror.web-ster.com:80
            mirror1.hs-esslingen.de:443
            mirror1.hs-esslingen.de:80
            mirrorlist.centos.org:80
            mirrors.advancedhosters.com:80
            mirrors.centos.org:443
            mirrors.cmich.edu:80
            mirrors.fedoraproject.org:443
            mirrors.fedoraproject.org:80
            mirrors.iu13.net:443
            mirrors.iu13.net:80
            mirrors.liquidweb.com:80
            mirrors.lug.mtu.edu:443
            mirrors.lug.mtu.edu:80
            mirrors.maine.edu:80
            mirrors.mit.edu:443
            mirrors.mit.edu:80
            mirrors.ocf.berkeley.edu:443
            mirrors.ocf.berkeley.edu:80
            mirrors.oit.uci.edu:80
            mirrors.raystedman.org:80
            mirrors.rcs.alaska.edu:80
            mirrors.sonic.net:443
            mirrors.sonic.net:80
            mirrors.syringanetworks.net:80
            mirrors.tscak.com:80
            mirrors.unifiedlayer.com:80
            mirrors.vcea.wsu.edu:80
            mirrors.wcupa.edu:443
            mirrors.wcupa.edu:80
            mirrors.xmission.com:80
            mirrors.xtom.com:80
            mirrors.xtom.de:443
            mirrors.xtom.de:80
            mnvoip.mm.fcix.net:80
            na.edge.kernel.org:443
            nc-centos-mirror.iwebfusion.net:80
            nnenix.mm.fcix.net:443
            nnenix.mm.fcix.net:80
            nocix.mm.fcix.net:443
            nocix.mm.fcix.net:80
            nyc.mirrors.clouvider.net:80
            oauth2.sigstore.dev:443
            objects.githubusercontent.com:443
            ohioix.mm.fcix.net:443
            ohioix.mm.fcix.net:80
            opencolo.mm.fcix.net:443
            opencolo.mm.fcix.net:80
            or-mirror.iwebfusion.net:80
            packages.oit.ncsu.edu:80
            paducahix.mm.fcix.net:80
            pkg-containers.githubusercontent.com:443
            ports.ubuntu.com:443
            ports.ubuntu.com:80
            production.cloudflare.docker.com:443
            pubmirror1.math.uh.edu:443
            pubmirror1.math.uh.edu:80
            pubmirror2.math.uh.edu:80
            pubmirror3.math.uh.edu:443
            pubmirror3.math.uh.edu:80
            quay.io:443
            registry-1.docker.io:443
            rekor.sigstore.dev:443
            repo.ialab.dsu.edu:443
            repo.ialab.dsu.edu:80
            repo1.sea.innoscale.net:80
            repos.eggycrew.com:443
            repos.eggycrew.com:80
            ridgewireless.mm.fcix.net:443
            ridgewireless.mm.fcix.net:80
            scientificlinux.physik.uni-muenchen.de:443
            scientificlinux.physik.uni-muenchen.de:80
            security.ubuntu.com:443
            security.ubuntu.com:80
            southfront.mm.fcix.net:443
            southfront.mm.fcix.net:80
            tuf-repo-cdn.sigstore.dev:443
            tx-mirror.tier.net:80
            us.mirrors.virtono.com:80
            uvermont.mm.fcix.net:443
            uvermont.mm.fcix.net:80
            volico.mm.fcix.net:443
            volico.mm.fcix.net:80
            www.gtlib.gatech.edu:80
            yum.oracle.com:443
            ziply.mm.fcix.net:443
            ziply.mm.fcix.net:80
            dl.google.com:443
            keyserver.ubuntu.com:11371

      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
          fetch-depth: 1

      - name: Install cosign
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.2.3'

      - name: Check cosign version
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: cosign version

      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          image: tonistiigi/binfmt:latest
          platforms: all

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        with:
          driver-opts: image=moby/buildkit:master

      - name: Prepare Platform list
        id: platform
        env:
          MATRIX_OS: ${{ matrix.os }}
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
            platform_list="${platform_list%,}"

            echo "::group::Platform List"
            echo "$platform_list"
            echo "::endgroup::"

            echo "list=$platform_list" >> $GITHUB_OUTPUT

      - name: Generate tags
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
              ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
              ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
          context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
          tags: |
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest
            type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
          flavor: |
            latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

      - name: Prepare cache data
        id: cache_data
        env:
          IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: |
            cache_from=()
            cache_to=()

            cache_from+=("type=gha,scope=${IMAGE_TAG}")
            #cache_from+=("type=registry,ref=${IMAGE_TAG}")

            cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}")

            echo "::group::Cache from data"
            echo "${cache_from[*]}"
            echo "::endgroup::"

            echo "::group::Cache to data"
            echo "${cache_to[*]}"
            echo "::endgroup::"

            cache_from=$(printf '%s\n' "${cache_from[@]}")
            cache_to=$(printf '%s\n' "${cache_to[@]}")

            echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
            echo "$cache_from" >> "$GITHUB_OUTPUT"
            echo 'EOF' >> "$GITHUB_OUTPUT"
            echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT"
            echo "$cache_to" >> "$GITHUB_OUTPUT"
            echo 'EOF' >> "$GITHUB_OUTPUT"

      - name: Login to DockerHub
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
        if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.DOCKER_REGISTRY_TEST }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and publish image
        id: docker_build
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
          file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
          platforms: ${{ steps.platform.outputs.list }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: |
            org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
          cache-from: ${{ steps.cache_data.outputs.cache_from }}
          cache-to: ${{ steps.cache_data.outputs.cache_to }}

      - name: Sign the images with GitHub OIDC Token
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
            images=""
            for tag in ${TAGS}; do
                images+="${tag}@${DIGEST} "
            done

            echo "::group::Images to sign"
            echo "$images"
            echo "::endgroup::"

            echo "::group::Signing"
            echo "cosign sign --yes $images"
            cosign sign --yes ${images}
            echo "::endgroup::"

      - name: Image metadata
        env:
          CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
          METADATA: ${{ steps.docker_build.outputs.metadata }}
        run: |
            echo "::group::Image metadata"
            echo "${METADATA}"
            echo "::endgroup::"
            echo "::group::Cache file name"
            echo "${CACHE_FILE_NAME}"
            echo "::endgroup::"

            echo "${METADATA}" > "$CACHE_FILE_NAME"

      - name: Cache image metadata
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        with:
          path: ${{ env.BASE_CACHE_FILE_NAME }}
          key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}

  build_base_database:
    timeout-minutes: 180
    needs: [ "build_base", "init_build"]
    name: Build ${{ matrix.build }} base on ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        build: ${{ fromJson(needs.init_build.outputs.database) }}
        os: ${{ fromJson(needs.init_build.outputs.os) }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            git.zabbix.com:443
            github.com:443
            go.googlesource.com:443
            go.mongodb.org:443
            golang.org:443
            google.golang.org:443
            gopkg.in:443
            ghcr.io:443
            index.docker.io:443
            noto-website.storage.googleapis.com:443
            production.cloudflare.docker.com:443
            proxy.golang.org:443
            registry-1.docker.io:443
            storage.googleapis.com:443
            fulcio.sigstore.dev:443
            oauth2.sigstore.dev:443
            objects.githubusercontent.com:443
            tuf-repo-cdn.sigstore.dev:443
            rekor.sigstore.dev:443
            pkg-containers.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
          fetch-depth: 1

      - name: Install cosign
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.2.3'

      - name: Check cosign version
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: cosign version

      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          image: tonistiigi/binfmt:latest
          platforms: all

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        with:
          driver-opts: image=moby/buildkit:master

      - name: Prepare Platform list
        id: platform
        env:
          MATRIX_OS: ${{ matrix.os }}
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
            platform_list="${platform_list%,}"

            echo "::group::Platform List"
            echo "$platform_list"
            echo "::endgroup::"

            echo "list=$platform_list" >> $GITHUB_OUTPUT

      - name: Generate tags
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
              ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
              ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
          context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
          tags: |
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest
            type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
          flavor: |
            latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

      - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }}
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        with:
          path: ${{ env.BASE_CACHE_FILE_NAME }}
          key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}

      - name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata
        id: base_build
        env:
          CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
        run: |
            echo "::group::Base image metadata"
            cat "${CACHE_FILE_NAME}"
            echo "::endgroup::"

            IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}")
            IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1)

            echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT

      - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
         BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
         OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
         IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
        run: |
            echo "::group::Image sign data"
            echo "OIDC issuer=$OIDC_ISSUER"
            echo "Identity=$IDENTITY_REGEX"
            echo "Image to verify=$BASE_IMAGE"
            echo "::endgroup::"

            echo "::group::Verify signature"
            cosign verify \
                    --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
                    --certificate-identity-regexp "$IDENTITY_REGEX" \
                "$BASE_IMAGE"
            echo "::endgroup::"

      - name: Prepare cache data
        id: cache_data
        env:
          BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }}
          IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: |
            cache_from=()
            cache_to=()

            cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}")
            cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}")
            cache_from+=("type=gha,scope=${IMAGE_TAG}")
            cache_from+=("type=registry,ref=${IMAGE_TAG}")

            cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}")

            echo "::group::Cache from data"
            echo "${cache_from[*]}"
            echo "::endgroup::"

            echo "::group::Cache to data"
            echo "${cache_to[*]}"
            echo "::endgroup::"

            cache_from=$(printf '%s\n' "${cache_from[@]}")
            cache_to=$(printf '%s\n' "${cache_to[@]}")

            echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
            echo "$cache_from" >> "$GITHUB_OUTPUT"
            echo 'EOF' >> "$GITHUB_OUTPUT"
            echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT"
            echo "$cache_to" >> "$GITHUB_OUTPUT"
            echo 'EOF' >> "$GITHUB_OUTPUT"

      - name: Login to DockerHub
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
        if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.DOCKER_REGISTRY_TEST }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build ${{ matrix.build }}/${{ matrix.os }} and push
        id: docker_build
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
          file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
          platforms: ${{ steps.platform.outputs.list }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
          labels: |
            org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}

      - name: Sign the images with GitHub OIDC Token
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
            images=""
            for tag in ${TAGS}; do
                images+="${tag}@${DIGEST} "
            done

            echo "::group::Images to sign"
            echo "$images"
            echo "::endgroup::"

            echo "::group::Signing"
            echo "cosign sign --yes $images"
            cosign sign --yes ${images}
            echo "::endgroup::"

      - name: Image metadata
        env:
          CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
          METADATA: ${{ steps.docker_build.outputs.metadata }}
        run: |
            echo "::group::Image metadata"
            echo "${METADATA}"
            echo "::endgroup::"
            echo "::group::Cache file name"
            echo "${CACHE_FILE_NAME}"
            echo "::endgroup::"

            echo "${METADATA}" > "$CACHE_FILE_NAME"

      - name: Cache image metadata
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        with:
          path: ${{ env.BUILD_CACHE_FILE_NAME }}
          key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}

  build_images:
    timeout-minutes: 90
    needs: [ "build_base_database", "init_build"]
    name: Build ${{ matrix.build }} on ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        build: ${{ fromJson(needs.init_build.outputs.components) }}
        os: ${{ fromJson(needs.init_build.outputs.os) }}

    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            abqix.mm.fcix.net:80
            api.github.com:443
            archive.ubuntu.com:443
            archive.ubuntu.com:80
            atl.mirrors.knownhost.com:443
            atl.mirrors.knownhost.com:80
            auth.docker.io:443
            bungi.mm.fcix.net:443
            bungi.mm.fcix.net:80
            cdn03.quay.io:443
            centos-distro.1gservers.com:80
            centos-distro.cavecreek.net:80
            centos-stream-distro.1gservers.com:443
            centos-stream-distro.1gservers.com:80
            centos.hivelocity.net:80
            centos.mirror.constant.com:80
            centos.mirror.shastacoe.net:80
            coresite.mm.fcix.net:80
            d2lzkl7pfhq30w.cloudfront.net:443
            deb.debian.org:80
            dfw.mirror.rackspace.com:443
            dfw.mirror.rackspace.com:80
            distro.ibiblio.org:80
            dl-cdn.alpinelinux.org:443
            download.cf.centos.org:443
            download.cf.centos.org:80
            epel.gb.ssimn.org:443
            epel.mirror.constant.com:443
            epel.mirror.constant.com:80
            epel.stl.us.ssimn.org:443
            epel.stl.us.ssimn.org:80
            fedora.nyherji.is:443
            fedora.nyherji.is:80
            forksystems.mm.fcix.net:443
            forksystems.mm.fcix.net:80
            ftp-nyc.osuosl.org:443
            ftp-nyc.osuosl.org:80
            ftp-osl.osuosl.org:443
            ftp-osl.osuosl.org:80
            ftp.agdsn.de:443
            ftp.agdsn.de:80
            ftp.fau.de:443
            ftp.fau.de:80
            ftp.halifax.rwth-aachen.de:443
            ftp.halifax.rwth-aachen.de:80
            ftp.osuosl.org:80
            ftp.plusline.net:443
            ftp.plusline.net:80
            ftp.uni-stuttgart.de:80
            ftpmirror.your.org:80
            fulcio.sigstore.dev:443
            ghcr.io:443
            github.com:443
            iad.mirror.rackspace.com:443
            iad.mirror.rackspace.com:80
            ima.mm.fcix.net:80
            index.docker.io:443
            ix-denver.mm.fcix.net:443
            ix-denver.mm.fcix.net:80
            keyserver.ubuntu.com:11371
            la.mirrors.clouvider.net:80
            lesnet.mm.fcix.net:443
            lesnet.mm.fcix.net:80
            level66.mm.fcix.net:80
            linux-mirrors.fnal.gov:80
            linux.cc.lehigh.edu:80
            linux.mirrors.es.net:80
            mirror-mci.yuki.net.uk:443
            mirror-mci.yuki.net.uk:80
            mirror.23m.com:443
            mirror.23m.com:80
            mirror.arizona.edu:443
            mirror.arizona.edu:80
            mirror.ash.fastserv.com:80
            mirror.centos.iad1.serverforge.org:80
            mirror.chpc.utah.edu:80
            mirror.clarkson.edu:80
            mirror.cogentco.com:80
            mirror.dal.nexril.net:443
            mirror.dal.nexril.net:80
            mirror.datto.com:80
            mirror.de.leaseweb.net:443
            mirror.de.leaseweb.net:80
            mirror.dogado.de:443
            mirror.dogado.de:80
            mirror.ette.biz:80
            mirror.facebook.net:443
            mirror.facebook.net:80
            mirror.fcix.net:443
            mirror.fcix.net:80
            mirror.genesishosting.com:80
            mirror.grid.uchicago.edu:80
            mirror.hoobly.com:443
            mirror.hoobly.com:80
            mirror.imt-systems.com:443
            mirror.imt-systems.com:80
            mirror.keystealth.org:80
            mirror.lstn.net:443
            mirror.lstn.net:80
            mirror.math.princeton.edu:443
            mirror.math.princeton.edu:80
            mirror.metrocast.net:443
            mirror.metrocast.net:80
            mirror.netcologne.de:443
            mirror.netcologne.de:80
            mirror.netzwerge.de:443
            mirror.netzwerge.de:80
            mirror.nodesdirect.com:80
            mirror.pilotfiber.com:443
            mirror.pilotfiber.com:80
            mirror.rackspace.com:443
            mirror.rackspace.com:80
            mirror.scaleuptech.com:443
            mirror.scaleuptech.com:80
            mirror.servaxnet.com:443
            mirror.servaxnet.com:80
            mirror.sfo12.us.leaseweb.net:443
            mirror.sfo12.us.leaseweb.net:80
            mirror.siena.edu:80
            mirror.steadfastnet.com:80
            mirror.stream.centos.org:443
            mirror.stream.centos.org:80
            mirror.team-cymru.com:443
            mirror.team-cymru.com:80
            mirror.umd.edu:443
            mirror.umd.edu:80
            mirror.us-midwest-1.nexcess.net:80
            mirror.us.oneandone.net:80
            mirror.vacares.com:80
            mirror.vtti.vt.edu:80
            mirror.wdc2.us.leaseweb.net:80
            mirror.web-ster.com:80
            mirror1.hs-esslingen.de:443
            mirror1.hs-esslingen.de:80
            mirrorlist.centos.org:80
            mirrors.advancedhosters.com:80
            mirrors.centos.org:443
            mirrors.cmich.edu:80
            mirrors.fedoraproject.org:443
            mirrors.fedoraproject.org:80
            mirrors.iu13.net:443
            mirrors.iu13.net:80
            mirrors.liquidweb.com:80
            mirrors.lug.mtu.edu:443
            mirrors.lug.mtu.edu:80
            mirrors.maine.edu:80
            mirrors.mit.edu:443
            mirrors.mit.edu:80
            mirrors.ocf.berkeley.edu:443
            mirrors.ocf.berkeley.edu:80
            mirrors.oit.uci.edu:80
            mirrors.raystedman.org:80
            mirrors.rcs.alaska.edu:80
            mirrors.sonic.net:443
            mirrors.sonic.net:80
            mirrors.syringanetworks.net:80
            mirrors.tscak.com:80
            mirrors.unifiedlayer.com:80
            mirrors.vcea.wsu.edu:80
            mirrors.wcupa.edu:443
            mirrors.wcupa.edu:80
            mirrors.xmission.com:80
            mirrors.xtom.com:80
            mirrors.xtom.de:443
            mirrors.xtom.de:80
            mnvoip.mm.fcix.net:80
            na.edge.kernel.org:443
            nc-centos-mirror.iwebfusion.net:80
            nginx.org:443
            nginx.org:80
            nnenix.mm.fcix.net:443
            nnenix.mm.fcix.net:80
            nocix.mm.fcix.net:443
            nocix.mm.fcix.net:80
            nyc.mirrors.clouvider.net:80
            oauth2.sigstore.dev:443
            objects.githubusercontent.com:443
            ohioix.mm.fcix.net:443
            ohioix.mm.fcix.net:80
            opencolo.mm.fcix.net:443
            opencolo.mm.fcix.net:80
            or-mirror.iwebfusion.net:80
            packages.oit.ncsu.edu:80
            paducahix.mm.fcix.net:80
            pkg-containers.githubusercontent.com:443
            ports.ubuntu.com:443
            ports.ubuntu.com:80
            production.cloudflare.docker.com:443
            pubmirror1.math.uh.edu:443
            pubmirror1.math.uh.edu:80
            pubmirror2.math.uh.edu:80
            pubmirror3.math.uh.edu:443
            pubmirror3.math.uh.edu:80
            quay.io:443
            registry-1.docker.io:443
            rekor.sigstore.dev:443
            repo.ialab.dsu.edu:443
            repo.ialab.dsu.edu:80
            repo1.sea.innoscale.net:80
            repos.eggycrew.com:443
            repos.eggycrew.com:80
            ridgewireless.mm.fcix.net:443
            ridgewireless.mm.fcix.net:80
            scientificlinux.physik.uni-muenchen.de:443
            scientificlinux.physik.uni-muenchen.de:80
            security.ubuntu.com:443
            security.ubuntu.com:80
            southfront.mm.fcix.net:443
            southfront.mm.fcix.net:80
            tuf-repo-cdn.sigstore.dev:443
            tx-mirror.tier.net:80
            us.mirrors.virtono.com:80
            uvermont.mm.fcix.net:443
            uvermont.mm.fcix.net:80
            volico.mm.fcix.net:443
            volico.mm.fcix.net:80
            www.gtlib.gatech.edu:80
            yum.oracle.com:443
            ziply.mm.fcix.net:443
            ziply.mm.fcix.net:80
            ha.pool.sks-keyservers.net:11371
            keyserver.ubuntu.com:80
            p80.pool.sks-keyservers.net:80
            pgp.mit.edu:11371

      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
          fetch-depth: 1

      - name: Install cosign
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.2.3'

      - name: Check cosign version
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        run: cosign version

      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          image: tonistiigi/binfmt:latest
          platforms: all

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        with:
          driver-opts: image=moby/buildkit:master

      - name: Prepare Platform list
        id: platform
        env:
          MATRIX_OS: ${{ matrix.os }}
          MATRIX_BUILD: ${{ matrix.build }}
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
            if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then
                platform_list="linux/amd64,linux/arm64"
            # Chromium on Ubuntu is not available on s390x platform
            elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then
                platform_list="linux/amd64,linux/arm/v7,linux/arm64"
            else
                platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE")
            fi

            # Build only Agent and Agent2 on 386
            if [ "$MATRIX_BUILD" != "agent"* ]; then
                platform_list="${platform_list#linux/386,}"
            fi

            platform_list="${platform_list%,}"

            echo "::group::Platform List"
            echo "$platform_list"
            echo "::endgroup::"

            echo "list=$platform_list" >> $GITHUB_OUTPUT

      - name: Detect Build Base Image
        id: build_base_image
        env:
          MATRIX_BUILD: ${{ matrix.build }}
          MATRIX_FILE: ${{ env.MATRIX_FILE }}
        run: |
            BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE")

            echo "::group::Base Build Image"
            echo "$BUILD_BASE"
            echo "::endgroup::"

            echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT

      - name: Generate tags
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images:  |
              ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
              ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
          context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
          tags: |
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
            type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest
            type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
            type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
          flavor: |
            latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

      - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        if: ${{ matrix.build != 'snmptraps' }}
        with:
          path: ${{ env.BUILD_CACHE_FILE_NAME }}
          key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}

      - name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata
        id: base_build
        if: ${{ matrix.build != 'snmptraps' }}
        env:
          CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
        run: |
            echo "::group::Base build image metadata"
            cat "${CACHE_FILE_NAME}"
            echo "::endgroup::"

            IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}")
            IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1)

            echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT

      - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
        if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }}
        env:
         BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
         OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
         IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
        run: |
            echo "::group::Image sign data"
            echo "OIDC issuer=${OIDC_ISSUER}"
            echo "Identity=${IDENTITY_REGEX}"
            echo "Image to verify=${BASE_IMAGE}"
            echo "::endgroup::"

            echo "::group::Verify signature"
            cosign verify \
                    --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
                    --certificate-identity-regexp "${IDENTITY_REGEX}" \
                "${BASE_IMAGE}"
            echo "::endgroup::"

      - name: Prepare cache data
        if: ${{ matrix.build != 'snmptraps' }}
        id: cache_data
        env:
          BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }}
        run: |
            cache_from=()
            cache_to=()

            cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}")

            echo "::group::Cache from data"
            echo "${cache_from[*]}"
            echo "::endgroup::"

            cache_from=$(printf '%s\n' "${cache_from[@]}")

            echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
            echo "$cache_from" >> "$GITHUB_OUTPUT"
            echo 'EOF' >> "$GITHUB_OUTPUT"

      - name: Login to DockerHub
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push image
        id: docker_build
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
          file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
          platforms: ${{ steps.platform.outputs.list }}
          push: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
          tags: ${{ steps.meta.outputs.tags }}
          build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
          labels: |
            org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}

      - name: Sign the images with GitHub OIDC Token
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
            images=""
            for tag in ${TAGS}; do
                images+="${tag}@${DIGEST} "
            done

            echo "::group::Images to sign"
            echo "$images"
            echo "::endgroup::"

            echo "::group::Signing"
            echo "cosign sign --yes $images"
            cosign sign --yes ${images}
            echo "::endgroup::"

      - name: Image metadata
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          METADATA: ${{ steps.docker_build.outputs.metadata }}
        run: |
            echo "::group::Image metadata"
            echo "${METADATA}"
            echo "::endgroup::"