coder/.github/workflows/dogfood.yaml

name: dogfood

on:
  push:
    branches:
      - main
    paths:
      - "dogfood/**"
      - ".github/workflows/dogfood.yaml"
      - "flake.lock"
      - "flake.nix"
  pull_request:
    paths:
      - "dogfood/**"
      - ".github/workflows/dogfood.yaml"
      - "flake.lock"
      - "flake.nix"
  workflow_dispatch:

permissions:
  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
  id-token: write

jobs:
  build_image:
    if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Nix
        uses: nixbuild/nix-quick-install-action@63ca48f939ee3b8d835f4126562537df0fee5b91 # v32
        with:
          # Pinning to 2.28 here, as Nix gets a "error: [json.exception.type_error.302] type must be array, but is string"
          # on version 2.29 and above.
          nix_version: "2.28.4"

      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        with:
          # restore and save a cache using this key
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
          # if there's no cache hit, restore a cache by this prefix
          restore-prefixes-first-match: nix-${{ runner.os }}-
          # collect garbage until Nix store size (in bytes) is at most this number
          # before trying to save a new cache
          # 1G = 1073741824
          gc-max-store-size-linux: 5G
          # do purge caches
          purge: true
          # purge all versions of the cache
          purge-prefixes: nix-${{ runner.os }}-
          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
          purge-created: 0
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never

      - name: Get branch name
        id: branch-name
        uses: tj-actions/branch-names@5250492686b253f06fa55861556d1027b067aeb5 # v9.0.2

      - name: "Branch name to Docker tag name"
        id: docker-tag-name
        run: |
          tag=${{ steps.branch-name.outputs.current_branch }}
          # Replace / with --, e.g. user/feature => user--feature.
          tag=${tag//\//--}
          echo "tag=${tag}" >> $GITHUB_OUTPUT

      - name: Set up Depot CLI
        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Login to DockerHub
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Build and push Non-Nix image
        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
        with:
          project: b4q6ltmpzh
          token: ${{ secrets.DEPOT_TOKEN }}
          buildx-fallback: true
          context: "{{defaultContext}}:dogfood/coder"
          pull: true
          save: true
          push: ${{ github.ref == 'refs/heads/main' }}
          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"

      - name: Build Nix image
        run: nix build .#dev_image

      - name: Push Nix image
        if: github.ref == 'refs/heads/main'
        run: |
          docker load -i result

          CURRENT_SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')

          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}
          docker image push codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}

          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:latest
          docker image push codercom/oss-dogfood-nix:latest

  deploy_template:
    needs: build_image
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Terraform
        uses: ./.github/actions/setup-tf

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
        with:
          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com

      - name: Terraform init and validate
        run: |
          pushd dogfood/
          terraform init
          terraform validate
          popd
          pushd dogfood/coder
          terraform init
          terraform validate
          popd
          pushd dogfood/coder-envbuilder
          terraform init
          terraform validate
          popd

      - name: Get short commit SHA
        if: github.ref == 'refs/heads/main'
        id: vars
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Get latest commit title
        if: github.ref == 'refs/heads/main'
        id: message
        run: echo "pr_title=$(git log --format=%s -n 1 ${{ github.sha }})" >> $GITHUB_OUTPUT

      - name: "Push template"
        if: github.ref == 'refs/heads/main'
        run: |
          cd dogfood
          terraform apply -auto-approve
        env:
          # Consumed by coderd provider
          CODER_URL: https://dev.coder.com
          CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
          # Template source & details
          TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
          TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
          TF_VAR_CODER_TEMPLATE_DIR: ./coder
          TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
          TF_LOG: info