name: '[SRP] Secure Release Pipeline Report'
on:
  schedule:
    - cron: '0 7 * * *'
  workflow_dispatch:

env:
  BAC_SRP_ENDPOINT: https://apigw.vmware.com/v1/s1/api/helix-beta
  BAC_SRP_CLIENT_ID: ${{ secrets.BAC_SRP_CLIENT_ID }}
  BAC_SRP_CLIENT_SECRET: ${{ secrets.BAC_SRP_CLIENT_SECRET }}

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - id: install-tool
        name: Install and configure SRP Tool
        run: |
          curl -SsLfo /tmp/srp-cli.tgz https://srp-cli.s3.amazonaws.com/srp-cli-latest.tgz
          sudo tar xf /tmp/srp-cli.tgz -C /usr/local/bin/
          srp config --srp-endpoint ${BAC_SRP_ENDPOINT}
          srp config auth --client-id=${BAC_SRP_CLIENT_ID} --client-secret=${BAC_SRP_CLIENT_SECRET}
      - uses: actions/checkout@v3
        name: Checkout Repository
        with:
          # No full history required
          fetch-depth: 1
          submodules: true
      - id: build-report
        name: Build SRP report
        run: |
          export SRP_UID="uid.obj.build.github(instance='github.com',namespace='${GITHUB_REPOSITORY}',ref='${GITHUB_REF}',action='${GITHUB_ACTION}',build_id='${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}')"
          srp provenance source --verbose --scm-type git \
            --name "bac-containers" --path . --saveto ./source-provenance.json \
            --comp-uid "${SRP_UID}" --build-number "${GITHUB_RUN_ID}" \
            --version "1.0" --all-ephemeral true --build-type release
          echo "uid=${SRP_UID}" >> $GITHUB_OUTPUT
      - name: Archive SRP report
        uses: actions/upload-artifact@v3
        with:
          name: source-provenance
          path: source-provenance.json
      - id: submit-report
        name: Submit SRP report
        run: |
          srp metadata submit --verbose --path ./source-provenance.json --uid "uid.mtd.provenance_2_5.fragment(obj_uid=${{ steps.build-report.outputs.uid }},revision='')"