docker-compose/.github/workflows/ci.yml

name: ci

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
  workflow_dispatch:
    inputs:
      debug_enabled:
        description: 'To run with tmate enter "debug_enabled"'
        required: false
        default: "false"

permissions:
  contents: read # to fetch code (actions/checkout)

jobs:
  validate:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        target:
          - lint
          - validate-go-mod
          - validate-headers
          - validate-docs
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Run
        run: |
          make ${{ matrix.target }}

  binary:
    uses: docker/github-builder/.github/workflows/bake.yml@v1
    permissions:
      contents: read # same as global permission
      id-token: write # for signing attestation(s) with GitHub OIDC Token
    with:
      runner: amd64
      artifact-name: compose
      artifact-upload: true
      cache: true
      cache-scope: binary
      target: release
      output: local
      sbom: true
      sign: ${{ github.event_name != 'pull_request' }}

  binary-finalize:
    runs-on: ubuntu-latest
    needs:
      - binary
    steps:
      -
        name: Download artifacts
        uses: actions/download-artifact@v7
        with:
          path: /tmp/compose-output
          name: ${{ needs.binary.outputs.artifact-name }}
      -
        name: Rename provenance and sbom
        run: |
          for pdir in /tmp/compose-output/*/; do
            (
              cd "$pdir"
              binname=$(find . -name 'docker-compose-*')
              filename=$(basename "${binname%.exe}")
              mv "provenance.json" "${filename}.provenance.json"
              mv "sbom-binary.spdx.json" "${filename}.sbom.json"
              find . -name 'sbom*.json' -exec rm {} \;
              if [ -f "provenance.sigstore.json" ]; then
                mv "provenance.sigstore.json" "${filename}.sigstore.json"
              fi
            )
          done
          mkdir -p "./bin/release"
          mv /tmp/compose-output/**/* "./bin/release/"
      -
        name: Create checksum file
        working-directory: ./bin/release
        run: |
          find . -type f -print0 | sort -z | xargs -r0 shasum -a 256 -b | sed 's# \*\./# *#' > $RUNNER_TEMP/checksums.txt
          shasum -a 256 -U -c $RUNNER_TEMP/checksums.txt
          mv $RUNNER_TEMP/checksums.txt .
          cat checksums.txt | while read sum file; do
            if [[ "${file#\*}" == docker-compose-* && "${file#\*}" != *.provenance.json && "${file#\*}" != *.sbom.json && "${file#\*}" != *.sigstore.json ]]; then
              echo "$sum $file" > ${file#\*}.sha256
            fi
          done
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v6
        with:
          name: release
          path: ./bin/release/*
          if-no-files-found: error

  bin-image-test:
    if: github.event_name == 'pull_request'
    uses: docker/github-builder/.github/workflows/bake.yml@v1
    with:
      runner: amd64
      target: image-cross
      cache: true
      cache-scope: bin-image-test
      output: image
      push: false
      sbom: true
      set-meta-labels: true
      meta-images: |
        compose-bin
      meta-tags: |
        type=ref,event=pr
      meta-bake-target: meta-helper

  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Test
        uses: docker/bake-action@v6
        with:
          targets: test
          set: |
            *.cache-from=type=gha,scope=test
            *.cache-to=type=gha,scope=test
      -
        name: Gather coverage data
        uses: actions/upload-artifact@v4
        with:
          name: coverage-data-unit
          path: bin/coverage/unit/
          if-no-files-found: error
      - 
        name: Unit Test Summary
        uses: test-summary/action@v2
        with:
          paths: bin/coverage/unit/report.xml       
        if: always()

  e2e:
    runs-on: ubuntu-latest
    name: e2e (${{ matrix.mode }}, ${{ matrix.channel }})
    strategy:
      fail-fast: false
      matrix:
        include:
          # current stable
          - mode: plugin
            engine: 29
            channel: stable
          - mode: standalone
            engine: 29
            channel: stable

          # old stable (latest major - 1)
          - mode: plugin
            engine: 28
            channel: oldstable
          - mode: standalone
            engine: 28
            channel: oldstable
    steps:
      - name: Prepare
        run: |
          mode=${{ matrix.mode }}
          engine=${{ matrix.engine }}
          echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV

      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Docker ${{ matrix.engine }}
        run: |
          sudo systemctl stop docker.service
          sudo apt-get purge docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-ce-rootless-extras docker-buildx-plugin
          sudo apt-get install curl
          curl -fsSL https://test.docker.com -o get-docker.sh
          sudo sh ./get-docker.sh --version ${{ matrix.engine }}

      - name: Check Docker Version
        run: docker --version

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up Docker Model
        run: |
          sudo apt-get install docker-model-plugin
          docker model version

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: '.go-version'
          check-latest: true
          cache: true

      - name: Build example provider
        run: make example-provider

      - name: Build
        uses: docker/bake-action@v6
        with:
          source: .
          targets: binary-with-coverage
          set: |
            *.cache-from=type=gha,scope=binary-linux-amd64
            *.cache-from=type=gha,scope=binary-e2e-${{ matrix.mode }}
            *.cache-to=type=gha,scope=binary-e2e-${{ matrix.mode }},mode=max
        env:
          BUILD_TAGS: e2e

      - name: Setup tmate session
        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled }}
        uses: mxschmitt/action-tmate@8b4e4ac71822ed7e0ad5fb3d1c33483e9e8fb270 # v3.11
        with:
          limit-access-to-actor: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Test plugin mode
        if: ${{ matrix.mode == 'plugin' }}
        run: |
          rm -rf ./bin/coverage/e2e
          mkdir -p ./bin/coverage/e2e
          make e2e-compose GOCOVERDIR=bin/coverage/e2e TEST_FLAGS="-v"

      - name: Gather coverage data
        if: ${{ matrix.mode == 'plugin' }}
        uses: actions/upload-artifact@v4
        with:
          name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }}
          path: bin/coverage/e2e/
          if-no-files-found: error

      - name: Test standalone mode
        if: ${{ matrix.mode == 'standalone' }}
        run: |
          rm -f /usr/local/bin/docker-compose
          cp bin/build/docker-compose /usr/local/bin
          make e2e-compose-standalone

      - name: e2e Test Summary
        uses: test-summary/action@v2
        with:
          paths: /tmp/report/report.xml       
        if: always()

  coverage:
    runs-on: ubuntu-latest
    needs:
      - test
      - e2e
    steps:
      # codecov won't process the report without the source code available
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: '.go-version'
          check-latest: true
      - name: Download unit test coverage
        uses: actions/download-artifact@v4
        with:
          name: coverage-data-unit
          path: coverage/unit
          merge-multiple: true
      - name: Download E2E test coverage
        uses: actions/download-artifact@v4
        with:
          pattern: coverage-data-e2e-*
          path: coverage/e2e
          merge-multiple: true
      - name: Merge coverage reports
        run: |
          go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt
      - name: Store coverage report in GitHub Actions
        uses: actions/upload-artifact@v4
        with:
          name: go-covdata-txt
          path: ./coverage.txt
          if-no-files-found: error
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          files: ./coverage.txt

  release:
    permissions:
      contents: write # to create a release (ncipollo/release-action)
    runs-on: ubuntu-latest
    needs:
      - binary-finalize
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Download artifacts
        uses: actions/download-artifact@v7
        with:
          path: ./bin/release
          name: release
      -
        name: List artifacts
        run: |
          tree -nh ./bin/release
      -
        name: Check artifacts
        run: |
          find bin/release -type f -exec file -e ascii -- {} +
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # v1.10.0
        with:
          artifacts: ./bin/release/*
          generateReleaseNotes: true
          draft: true
          token: ${{ secrets.GITHUB_TOKEN }}