name: Prober Workflow

on:
  workflow_call:
    inputs:
      sigstore:
        description: 'Which Sigstore instance to use for signing'
        required: true
        type: string

jobs:
  probe:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write

    steps:
      - name: Request OIDC Token
        run: |
          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            -H "Accept: application/json; api-version=2.0" \
            -H "Content-Type: application/json" \
            --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'

      - name: Create artifact
        run: |
          date > artifact

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v3
        env:
          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
        with:
          subject-path: artifact

      - name: Verify build artifact
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"

      - name: Upload build artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          path: "artifact"

      - name: Report attestation prober success
        if: ${{ success() }}
        uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              status: 0
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
                - "service:${{ secrets.CATALOG_SERVICE }}"
                - "stamp:${{ secrets.STAMP }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.TEAM }}"
                - "sigstore:${{ inputs.sigstore }}"

      - name: Report attestation prober failure
        if: ${{ failure() }}
        uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              message: "${{ github.repository_owner }} failed prober check"
              status: 2
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
                - "service:${{ secrets.CATALOG_SERVICE }}"
                - "stamp:${{ secrets.STAMP }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.TEAM }}"
                - "sigstore:${{ inputs.sigstore }}"