name: Build and publish container non develop

on:
  push:
    branches:
      - "*"
      - '**'
      - "!develop"

env:
  DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
  DOCKER_HUB_REPOSITORY: obp-api

jobs:
  build:
    runs-on: ubuntu-latest
    services:
      # Label used to access the service container
      redis:
        # Docker Hub image
        image: redis
        ports:
          # Opens tcp port 6379 on the host and service container
          - 6379:6379
        # Set health checks to wait until redis has started
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Extract branch name
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
      - name: Set up JDK 11
        uses: actions/setup-java@v4
        with:
          java-version: "11"
          distribution: "adopt"
          cache: maven
      - name: Build with Maven
        run: |
          set -o pipefail
          cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props
          echo connector=star > obp-api/src/main/resources/props/test.default.props
          echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props
          echo hostname=http://localhost:8016 >> obp-api/src/main/resources/props/test.default.props
          echo tests.port=8016 >> obp-api/src/main/resources/props/test.default.props
          echo End of minimum settings >> obp-api/src/main/resources/props/test.default.props
          echo payments_enabled=false >> obp-api/src/main/resources/props/test.default.props
          echo importer_secret=change_me >> obp-api/src/main/resources/props/test.default.props
          echo messageQueue.updateBankAccountsTransaction=false >> obp-api/src/main/resources/props/test.default.props
          echo messageQueue.createBankAccounts=false >> obp-api/src/main/resources/props/test.default.props
          echo allow_sandbox_account_creation=true >> obp-api/src/main/resources/props/test.default.props
          echo allow_sandbox_data_import=true >> obp-api/src/main/resources/props/test.default.props
          echo sandbox_data_import_secret=change_me >> obp-api/src/main/resources/props/test.default.props
          echo allow_account_deletion=true >> obp-api/src/main/resources/props/test.default.props
          echo allowed_internal_redirect_urls = /,/oauth/authorize >> obp-api/src/main/resources/props/test.default.props
          echo transactionRequests_enabled=true >> obp-api/src/main/resources/props/test.default.props
          echo transactionRequests_supported_types=SEPA,SANDBOX_TAN,FREE_FORM,COUNTERPARTY,ACCOUNT,SIMPLE >> obp-api/src/main/resources/props/test.default.props
          echo SIMPLE_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo openredirects.hostname.whitlelist=http://127.0.0.1,http://localhost >> obp-api/src/main/resources/props/test.default.props
          echo remotedata.secret = foobarbaz >> obp-api/src/main/resources/props/test.default.props
          echo allow_public_views=true >> obp-api/src/main/resources/props/test.default.props

          echo SIMPLE_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo ACCOUNT_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo SEPA_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo FREE_FORM_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo COUNTERPARTY_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
          echo SEPA_CREDIT_TRANSFERS_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props

          echo allow_oauth2_login=true >> obp-api/src/main/resources/props/test.default.props
          echo oauth2.jwk_set.url=https://www.googleapis.com/oauth2/v3/certs >> obp-api/src/main/resources/props/test.default.props

          echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props

          echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props
          MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log

      - name: Report failing tests (if any)
        if: always()
        run: |
          echo "Checking build log for failing tests via grep..."
          if [ ! -f maven-build.log ]; then
            echo "No maven-build.log found; skipping failure scan."
            exit 0
          fi
          if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then
            echo "Failing tests detected above."
            exit 1
          else
            echo "No failing tests detected in maven-build.log."
          fi

      - name: Upload Maven build log
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: maven-build-log
          if-no-files-found: ignore
          path: |
            maven-build.log

      - name: Upload test reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-reports
          if-no-files-found: ignore
          path: |
            obp-api/target/surefire-reports/**
            obp-commons/target/surefire-reports/**
            **/target/scalatest-reports/**
            **/target/site/surefire-report.html
            **/target/site/surefire-report/*

      - name: Save .war artifact
        run: |
          mkdir -p ./push
          cp obp-api/target/obp-api-1.*.war ./push/
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ github.sha }}
          path: push/

      - name: Build the Docker image
        if: github.repository == 'OpenBankProject/OBP-API'
        run: |
          echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
          docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA  --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
          docker build . --file .github/Dockerfile_PreBuild_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC  --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}-OC
          docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
          echo docker done

      - uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390

      - name: Write signing key to disk (only needed for `cosign sign --key`)
        if: github.repository == 'OpenBankProject/OBP-API'
        run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key

      - name: Sign container image
        if: github.repository == 'OpenBankProject/OBP-API'
        run: |
          cosign sign -y --key cosign.key \
            docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
          cosign sign -y --key cosign.key \
                      docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}-OC
          cosign sign -y --key cosign.key \
                      docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA
        env:
          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"