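---
# Woodpecker CI pipeline for the share-lt image: build locally, scan with
# Trivy, publish with the buildx plugin, then attach a CycloneDX SBOM to the
# published tag. Runs only for pushes to the `dev` branch.
when:
  - event: push
    branch: dev

steps:
  # Build the candidate image against the host Docker daemon (via the mounted
  # socket) and produce its SBOM. The image stays in the daemon as
  # `share-lt:test`, which is what the scan step below inspects.
  build-local:
    image: docker:24-dind
    # NOTE(review): with the host socket mounted, the docker CLI talks to the
    # host daemon and the step's commands do not start an in-container dockerd,
    # so `privileged` is probably redundant — confirm and drop it.
    privileged: true
    volumes:
      # Host-socket access is equivalent to root on the CI host; anything run
      # in this step (including the syft container below) inherits that.
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Pulling base images to ensure latest layers..."
      # `|| true`: a failed pull only costs freshness/cache; the build itself
      # still fails if the base image is not available at all.
      - docker pull --quiet php:8.4-fpm-alpine3.23 || true
      - echo "Try to pull previous image to use as cache ..."
      - docker pull quay.io/marshyon/share-lt:latest || true
      - echo "Building image for testing (amd64 only for CI compatibility)..."
      - docker build --platform linux/amd64 --cache-from=quay.io/marshyon/share-lt:latest -t share-lt:test .
      - echo "Tagging test image as quay.io/marshyon/share-lt:v0.0.6..."
      - docker tag share-lt:test quay.io/marshyon/share-lt:v0.0.6
      - echo "Generating SBOM..."
      # NOTE(review): syft is unpinned (`latest`); pin a tag or digest so the
      # SBOM is reproducible and the scanner itself is not a moving target.
      - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/syft:latest scan quay.io/marshyon/share-lt:v0.0.6 -o cyclonedx-json > sbom.json

  # Scan the locally built image through the host Docker daemon. The scanner
  # is the pinned `image:` of this step; the former
  # `docker pull aquasec/trivy:latest || true` was dropped because it could not
  # affect the running container (different tag, and the trivy image most
  # likely ships no docker CLI, so the command only logged an error that
  # `|| true` hid).
  scan-vulnerabilities:
    image: aquasec/trivy:0.67.2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Scanning for vulnerabilities via Docker daemon..."
      # Reports are produced before the gating scan so they exist in the
      # workspace even when the pipeline is failed on CRITICAL findings.
      # Run a full scan without failing just for logs
      - trivy image --severity HIGH,MEDIUM,LOW --no-progress share-lt:test
      - echo "Generating vulnerability report..."
      - trivy image --format cyclonedx --output trivy-vuln-bom.json share-lt:test
      - echo "Vulnerability Summary:"
      - trivy image --format table share-lt:test | tee trivy-vuln-summary.txt
      # Gate: scan the image present in the Docker daemon; fail on CRITICAL
      # severities. HIGH findings are logged above but do not block the build.
      - trivy image --exit-code 1 --severity CRITICAL --no-progress share-lt:test

  # Push via the buildx plugin.
  # NOTE(review): this is a separate build from `share-lt:test`, so the digest
  # pushed here is not the artifact that was scanned and SBOM'd above. To keep
  # the scan and SBOM tied to what ships, push the scanned image itself or
  # regenerate scan/SBOM from the registry digest after publish.
  publish:
    # NOTE(review): plugin image is unpinned; pin a tag or digest.
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: quay.io
      repo: quay.io/marshyon/share-lt
      platforms: linux/amd64
      tags:
        - v0.0.6
        - latest
      username:
        from_secret: QUAY_USERNAME
      password:
        from_secret: QUAY_PASSWORD

  # Attach the SBOM from the workspace to the published tag. cosign talks to
  # the registry directly, so the host docker.sock mount the step used to
  # carry was unnecessary and has been removed (least privilege).
  upload-sbom:
    # NOTE(review): cosign image is unpinned; pin a tag or digest.
    image: cgr.dev/chainguard/cosign:latest
    environment:
      # NOTE(review): confirm this cosign build reads these two variables for
      # registry auth; if it does not, the attach fails on authentication and
      # that failure is masked by the `|| echo` below.
      COSIGN_REGISTRY_USERNAME:
        from_secret: QUAY_USERNAME
      COSIGN_REGISTRY_PASSWORD:
        from_secret: QUAY_PASSWORD
    commands:
      # Best-effort by design: a failed attach only logs a line, it does not
      # fail the pipeline — check the log for "SBOM attach failed". Note that
      # `attach sbom` stores the SBOM unsigned (cosign itself warns about this
      # and points to `cosign attest`), so consumers cannot verify its origin.
      - cosign attach sbom --sbom sbom.json quay.io/marshyon/share-lt:v0.0.6 || echo "SBOM attach failed"
      - echo "Done - trivy report saved to workspace for manual review"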