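---
# Pull-request smoke test for the production container image: build it, push
# it to a job-local registry, start it once over plain HTTP and once with TLS,
# and probe a few endpoints with curl.
name: Try build and start of production container

on: [pull_request]

# Least privilege for the workflow token: the steps below only read the
# repository; the image is pushed to the job-local registry, not to GitHub.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable version tag. Pinning
# each action to a full-length commit SHA (keeping the tag as a trailing
# comment) protects the job against a retagged release. The SHAs are not
# visible on this page, so the tags are left unchanged here.
jobs:
  build:
    strategy:
      max-parallel: 4
      matrix:
        os: [ubuntu-latest]
        # NOTE(review): no step in this file references python-version.
        python-version: ["3.11"]

    runs-on: ${{ matrix.os }}

    name: Production container tests

    services:
      # Throwaway registry that lives only for this job; the built image is
      # pushed to and run from localhost:5000.
      registry:
        image: registry:2
        ports:
          - "5000:5000"

    steps:
      - uses: actions/checkout@v4
        name: Get sources
        with:
          # No later step performs authenticated git operations, so the token
          # is not written into .git/config, which is part of the build
          # context (`context: .`) used by the Build step.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # Host networking so the builder can reach the registry service on
          # localhost:5000.
          driver-opts: network=host

      - name: Set build target branch
        # The base ref is handed to the script through an environment
        # variable instead of being expanded into the script text, so the
        # shell treats the branch name as data, never as code.
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          if [[ "$BASE_REF" == master ]]; then
            BRANCH=master
          else
            BRANCH=develop
          fi
          echo "BUILD_BRANCH=$BRANCH" >> "$GITHUB_ENV"

      - name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          # Pushes to the job-local registry service only (see `tags`).
          push: true
          file: ./dockerfiles/Dockerfile
          tags: localhost:5000/metadata-submitter:latest
          # NOTE(review): the registry service starts empty on every run and
          # nothing restores /tmp/.buildx-cache, so these cache settings
          # presumably have no effect - confirm.
          cache-from: localhost:5000/metadata-submitter:latest
          cache-to: type=local,dest=/tmp/.buildx-cache
          # BUILD_BRANCH is always `master` or `develop` (set by the step above).
          build-args: |
            BRANCH=${{ env.BUILD_BRANCH }}

      - name: Run production container
        run: docker run --rm -p 5430:5430 --name ms -d -t localhost:5000/metadata-submitter:latest

      - name: Wait for production container to get ready
        run: .github/workflows/wait_container.sh ms "Listening at"

      # NOTE(review): without --fail, curl exits 0 on HTTP error statuses, so
      # this step only shows that the port answers.
      - name: See that the static response is delivered
        run: curl -s -4 http://localhost:5430/

      # No database is started in this job, so the health endpoint is
      # expected to report "Down".
      - name: Verify that the correct content is delivered, database is down
        run: curl -s -4 http://localhost:5430/health | grep -q -F '{"status":"Down"}'

      # Passes when the first response line does not contain ' 404 '.
      - name: Verify that we do not get a 404 when we ask for nonexistant path
        run: curl -s -4 --head http://localhost:5430/notfound.ico | head -1 | grep -q -v -F ' 404 '

      # The sleep gives the killed container time to release port 5430
      # before the TLS run binds it again.
      - name: Shut down submitter service
        run: docker kill ms && sleep 20

      - name: Create TLS keys and certificates
        run: ./scripts/tls/tls_helper.sh

      # NOTE(review): the container is only pointed at files to read under
      # /config; if it never writes there, mount the directory read-only
      # (`:ro`) so the private key cannot be modified from inside the
      # container - confirm.
      - name: Start production container with TLS
        run: |
          docker run --rm -p 5430:5430 -d --name mss \
            -v "$PWD/config:/config" \
            -e SERVE_KEY=/config/key \
            -e SERVE_CERT=/config/cert \
            -e SERVE_CA=/config/cacert \
            localhost:5000/metadata-submitter:latest

      - name: Wait for secure production container to get ready
        run: .github/workflows/wait_container.sh mss "Listening at"

      # The TLS probes validate the server certificate against
      # ./config/cacert (presumably written by tls_helper.sh) instead of
      # disabling certificate verification.
      - name: See that the static response is delivered
        run: curl -s -4 --cacert ./config/cacert https://localhost:5430/

      - name: Verify that the correct content is delivered (TLS), database is down
        run: curl -s -4 --cacert ./config/cacert https://localhost:5430/health | grep -q -F '{"status":"Down"}'

      - name: Verify that we do not get a 404 when we ask for nonexistant path (TLS)
        run: curl -s -4 --head --cacert ./config/cacert https://localhost:5430/notfound.ico | head -1 | grep -q -v -F ' 404 '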