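---
# Build, scan and deploy the pr-reviewer image on every push to master.
#
# Flow: checkout -> kubeconfig -> buildx (kubernetes driver) -> registry login
#       -> build & push -> Trivy scan -> install kubectl & redeploy.
#
# Context expressions (${{ secrets.* }} / ${{ vars.* }}) are passed to shell
# steps through `env:` and read as quoted shell variables, rather than being
# spliced into the script text, so a value containing quotes, spaces or `$`
# cannot alter the command line.
name: Build and Push Image

on:
  push:
    branches:
      - master

jobs:
  build:
    name: Build and push image
    runs-on: ubuntu-latest
    container: catthehacker/ubuntu:act-latest
    # Redundant with the `on.push.branches` filter above, kept as a second guard.
    if: gitea.ref == 'refs/heads/master'
    steps:
      # Actions are pinned by major tag; pinning to a full commit SHA would
      # also protect against a moved tag.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Create Kubeconfig
        env:
          KUBECONFIG_DATA: ${{ secrets.KUBEC_CONFIG_BUILDX_NEW }}
        run: |
          set -euo pipefail
          # -p keeps the step idempotent; 0600 keeps cluster credentials private.
          mkdir -p "$HOME/.kube"
          printf '%s\n' "$KUBECONFIG_DATA" > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: kubernetes
          driver-opts: |
            namespace=gitea-runner
            qemu.install=true

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          registry: git.aridgwayweb.com
          username: armistace
          password: ${{ secrets.REG_PASSWORD }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            git.aridgwayweb.com/armistace/pr-reviewer:latest

      # The scan gates the Deploy step (exit code 1 fails the job), but it
      # runs after `push: true`, so a failing image has already overwritten
      # the :latest tag in the registry by the time it is rejected.
      # Trivy is fetched at its latest release; the tarball is verified
      # against the release's published checksum file before it is unpacked.
      - name: Trivy Scan
        run: |
          set -euo pipefail
          # -f makes a failed API call abort instead of yielding an empty version.
          TRIVY_VERSION=$(curl -fsSL https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name"' | cut -d'"' -f4)
          TRIVY_BASE="https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}"
          TRIVY_TGZ="trivy_${TRIVY_VERSION#v}_Linux-64bit.tar.gz"
          TRIVY_SUMS="trivy_${TRIVY_VERSION#v}_checksums.txt"
          wget -qO "/tmp/${TRIVY_TGZ}" "${TRIVY_BASE}/${TRIVY_TGZ}"
          wget -qO "/tmp/${TRIVY_SUMS}" "${TRIVY_BASE}/${TRIVY_SUMS}"
          # Only the downloaded tarball is listed locally; other release assets are ignored.
          (cd /tmp && sha256sum --check --ignore-missing "${TRIVY_SUMS}")
          tar xzf "/tmp/${TRIVY_TGZ}" -C /usr/local/bin trivy
          chmod +x /usr/local/bin/trivy
          # Unpinned Trivy means flag renames in new releases can break this
          # line; pin TRIVY_VERSION if that becomes a problem.
          trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity HIGH,CRITICAL git.aridgwayweb.com/armistace/pr-reviewer:latest

      - name: Deploy
        env:
          DOCKER_SERVER: ${{ vars.DOCKER_SERVER }}
          DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          DOCKER_EMAIL: ${{ vars.DOCKER_EMAIL }}
          OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
          OLLAMA_SERVER: ${{ vars.OLLAMA_SERVER }}
          ACCESS_GITEA_URL: ${{ vars.ACCESS_GITEA_URL }}
          ACCESS_GITEA_TOKEN: ${{ secrets.ACCESS_GITEA_TOKEN }}
          ACCESS_GITEA_SECRET: ${{ secrets.ACCESS_GITEA_SECRET }}
        run: |
          set -euo pipefail
          echo "Installing Kubectl"
          apt-get update
          apt-get install -y apt-transport-https ca-certificates curl gnupg
          # Keyring directory is not guaranteed to exist in the base image.
          install -m 0755 -d /etc/apt/keyrings
          curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | gpg --batch --yes --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
          chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg
          echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
          chmod 644 /etc/apt/sources.list.d/kubernetes.list
          apt-get update
          # -y as on the earlier install line; there is no TTY to answer a prompt.
          apt-get install -y kubectl
          # Namespace is recreated from scratch: every secret and workload in it
          # is dropped and re-applied below.
          kubectl delete namespace pr-reviewer --ignore-not-found
          kubectl create namespace pr-reviewer
          kubectl create secret docker-registry regcred \
            --docker-server="$DOCKER_SERVER" \
            --docker-username="$DOCKER_USERNAME" \
            --docker-password="$DOCKER_PASSWORD" \
            --docker-email="$DOCKER_EMAIL" \
            --namespace=pr-reviewer
          kubectl create secret generic pr-reviewer-env \
            --from-literal=LLM_PROVIDER=ollama \
            --from-literal=LLM_MODEL="$OLLAMA_MODEL" \
            --from-literal=LLM_BASE_URL="http://${OLLAMA_SERVER}" \
            --from-literal=LOG_LEVEL=INFO \
            --from-literal=TOTAL_FLOW_TIMEOUT=600 \
            --from-literal=PER_CREW_TIMEOUT=300 \
            --from-literal=ACCESS_GITEA_URL="$ACCESS_GITEA_URL" \
            --from-literal=ACCESS_GITEA_TOKEN="$ACCESS_GITEA_TOKEN" \
            --from-literal=ACCESS_GITEA_SECRET="$ACCESS_GITEA_SECRET" \
            --namespace=pr-reviewer
          kubectl apply -f kube/pr-reviewer_deployment.yaml && kubectl apply -f kube/pr-reviewer_service.yaml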