build.yml

name: Build

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  release:
    types: [published]

jobs:
  check-access:
    runs-on: ubuntu-latest
    outputs:
      has-token-access: ${{ steps.check.outputs.has-token-access }}
    steps:
      - id: check
        run: |
          echo "has-token-access=$(if [[ '${{ github.event.pull_request.head.repo.fork }}' != 'true' && '${{ github.actor }}' != 'dependabot[bot]' ]]; then echo 'true'; else echo 'false'; fi)" >> $GITHUB_OUTPUT

  dotnet-tests:
    needs: check-access
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run DotNet Tests
        run: |
          dotnet test --collect:"XPlat Code Coverage"

      - name: Generate code coverage
        run: |
          dotnet tool install --global dotnet-reportgenerator-globaltool
          reportgenerator \
            "-reports:test/coverage/projects/**/coverage.opencover.xml" \
            "-targetdir:coveragereport" \
            -reporttypes:lcov

      - name: Upload code coverage
        if: github.event_name == 'pull_request' && needs.check-access.outputs.has-token-access == 'true'
        uses: ./.github/actions/coverage-report
        with:
          lcov-file: coveragereport/lcov.info
          title: DotNet Code Coverage Report

  rust-tests:
    needs: check-access
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES')
    env:
      CARGO_TERM_COLOR: always
    steps:
      - uses: actions/checkout@v4

      - uses: moonrepo/setup-rust@v1

      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@cargo-llvm-cov

      - name: Generate code coverage
        run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info

      - name: Upload code coverage
        if: github.event_name == 'pull_request' && needs.check-access.outputs.has-token-access == 'true'
        uses: ./.github/actions/coverage-report
        with:
          lcov-file: lcov.info
          title: Rust Code Coverage Report

  build-router:
    needs: check-access
    if: github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES')
    env:
      PUBLIC_REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
      PRIVATE_REGISTRY_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-2.amazonaws.com/lambda-dispatch-router
    strategy:
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-latest
            platform: linux/amd64
            build_arch: linux-x64
          - arch: arm64
            runner: [self-hosted, arm64]
            platform: linux/arm64
            build_arch: linux-arm64
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run the certs script
        run: |
          ./certs.sh

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.PUBLIC_REGISTRY_IMAGE }}
            ${{ env.PRIVATE_REGISTRY_IMAGE }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up values to identify image build
        id: image-ids
        run: |
          echo "BUILD_TIME=$(date)" >> $GITHUB_OUTPUT
          echo "GIT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Configure AWS Credentials
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-1

      - name: Login to ECR Public
        if: needs.check-access.outputs.has-token-access == 'true'
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Configure AWS Credentials
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-2

      - name: Login to ECR Private
        if: needs.check-access.outputs.has-token-access == 'true'
        id: login-ecr-private
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: private

      - name: Build Router Private
        id: build-private
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./DockerfileRouter
          build-args: |
            BUILD_ARCH=${{ matrix.build_arch }}
            BUILD_TIME=${{ steps.image-ids.outputs.BUILD_TIME }}
            GIT_HASH=${{ steps.image-ids.outputs.GIT_HASH }}
          platforms: ${{ matrix.platform }}
          outputs: |
            type=image,name=${{ env.PRIVATE_REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}

      - name: Build Router Public
        id: build-public
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./DockerfileRouter
          build-args: |
            BUILD_ARCH=${{ matrix.build_arch }}
            BUILD_TIME=${{ steps.image-ids.outputs.BUILD_TIME }}
            GIT_HASH=${{ steps.image-ids.outputs.GIT_HASH }}
          platforms: ${{ matrix.platform }}
          outputs: |
            type=image,name=${{ env.PUBLIC_REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}

      - name: Debug metadata
        run: |
          echo "steps.build-private.outputs.metadata: ${{ steps.build-private.outputs.metadata }}"
          echo "steps.build-public.outputs.metadata: ${{ steps.build-public.outputs.metadata }}"

      - name: Export digest
        run: |
          mkdir -p /tmp/digests-router/public /tmp/digests-router/private
          rm -rf /tmp/digests-router/public/* /tmp/digests-router/private/* || true
          digest="${{ steps.build-private.outputs.digest }}"
          touch "/tmp/digests-router/private/${digest#sha256:}"
          digest="${{ steps.build-public.outputs.digest }}"
          touch "/tmp/digests-router/public/${digest#sha256:}"

      - name: Upload digest
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: digests-router-${{ matrix.arch }}
          path: /tmp/digests-router/*
          if-no-files-found: error
          retention-days: 1

  merge-router:
    if: needs.check-access.outputs.has-token-access == 'true' && (github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES'))
    env:
      PUBLIC_REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
      PRIVATE_REGISTRY_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-2.amazonaws.com/lambda-dispatch-router
    runs-on: ubuntu-latest
    needs:
      - check-access
      - build-router
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Clear digests
        run: |
          mkdir -p /tmp/digests-router/public /tmp/digests-router/private
          rm -rf /tmp/digests-router/public/* /tmp/digests-router/private/* || true

      - name: Download AMD64 digests
        uses: actions/download-artifact@v4
        with:
          name: digests-router-amd64
          path: /tmp/digests-router-amd64

      - name: Download ARM64 digests
        uses: actions/download-artifact@v4
        with:
          name: digests-router-arm64
          path: /tmp/digests-router-arm64

      - name: Merge digests
        run: |
          # Copy files from platform-specific folders to the main folder
          cp -r /tmp/digests-router-amd64/public/* /tmp/digests-router/public/ || true
          cp -r /tmp/digests-router-amd64/private/* /tmp/digests-router/private/ || true
          cp -r /tmp/digests-router-arm64/public/* /tmp/digests-router/public/ || true
          cp -r /tmp/digests-router-arm64/private/* /tmp/digests-router/private/ || true

          # List files to verify
          echo "Public digests:"
          ls -la /tmp/digests-router/public/ || true
          echo "Private digests:"
          ls -la /tmp/digests-router/private/ || true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta public
        id: meta-public
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.PUBLIC_REGISTRY_IMAGE }}
          tags: |
            enable=${{ github.event_name == 'release' }},type=raw,value=latest
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.html_url }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Docker meta private
        id: meta-private
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.PRIVATE_REGISTRY_IMAGE }}
          tags: |
            enable=${{ github.event_name == 'release' }},type=raw,value=latest
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=ref,event=pr
            type=ref,event=pr,suffix=-{{sha}}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.html_url }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-1

      - name: Login to ECR Public
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-2

      - name: Login to ECR Private
        id: login-ecr-private
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: private

      - name: Set DOCKER_METADATA_OUTPUT_JSON environment variable public
        run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta-public.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV
      - name: Create manifest list and push to Public ECR
        working-directory: /tmp/digests-router/public
        run: |
          docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.PUBLIC_REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Set DOCKER_METADATA_OUTPUT_JSON environment variable private
        run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta-private.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV
      - name: Create manifest list and push to Private ECR
        working-directory: /tmp/digests-router/private
        run: |
          docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.PRIVATE_REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.meta-public.outputs.version }}
          docker buildx imagetools inspect ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.meta-private.outputs.version }}

  build-extension:
    needs: check-access
    if: github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES')
    env:
      REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}
    strategy:
      matrix:
        include:
          - arch: x86_64
            runner: ubuntu-latest
            platform: linux/amd64
            build_arch: linux-x64
            rust_target: x86_64-unknown-linux-musl
          - arch: aarch64
            runner: ubuntu-latest
            platform: linux/arm64
            build_arch: linux-arm64
            rust_target: aarch64-unknown-linux-musl
    permissions:
      contents: read
      id-token: write
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install gcc musl cross-compiler
        uses: ./.github/actions/setup-gcc-musl-cross
        with:
          arch: ${{ matrix.arch }}

      - uses: moonrepo/setup-rust@v1
        with:
          targets: ${{ matrix.rust_target }}
          cache-target: release

      - name: Build extension
        env:
          CC: ${{ matrix.arch }}-linux-musl-gcc
        run: |
          cargo build --release --target ${{ matrix.rust_target }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-1

      - name: Login to ECR Public
        if: needs.check-access.outputs.has-token-access == 'true'
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Build Lambda
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./DockerfileExtensionCross
          build-args: |
            ARCH=${{ matrix.arch }}
            TARGET_PLATFORM=${{ matrix.platform }}
          platforms: ${{ matrix.platform }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}

      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          rm /tmp/digests/* || true
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: digests-extension-${{ matrix.arch }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  merge-extension:
    if: needs.check-access.outputs.has-token-access == 'true' && (github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES'))
    env:
      REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}
    runs-on: ubuntu-latest
    needs:
      - check-access
      - build-extension
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Clear digests
        run: |
          mkdir -p /tmp/digests
          rm -rf /tmp/digests/* || true

      - name: Download x86_64 digests
        uses: actions/download-artifact@v4
        with:
          name: digests-extension-x86_64
          path: /tmp/digests-x86_64

      - name: Download aarch64 digests
        uses: actions/download-artifact@v4
        with:
          name: digests-extension-aarch64
          path: /tmp/digests-aarch64

      - name: Merge digests
        run: |
          # Copy files from platform-specific folders to the main folder
          cp -r /tmp/digests-x86_64/* /tmp/digests/ || true
          cp -r /tmp/digests-aarch64/* /tmp/digests/ || true

          # List files to verify
          echo "Extension digests:"
          ls -la /tmp/digests/ || true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            enable=${{ github.event_name == 'release' }},type=raw,value=latest
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=ref,event=pr
            type=ref,event=pr,suffix=-{{sha}}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.html_url }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Set DOCKER_METADATA_OUTPUT_JSON environment variable
        run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-1
      - name: Login to ECR Public
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}

  build-demoapp:
    needs:
      - check-access
      - merge-extension
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || !contains( github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES')
    env:
      PUBLIC_REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-demo-app${{ github.event_name == 'pull_request' && '-dev' || '' }}
      PRIVATE_REGISTRY_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-2.amazonaws.com/lambda-dispatch-demo-app
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.PUBLIC_REGISTRY_IMAGE }}
            ${{ env.PRIVATE_REGISTRY_IMAGE }}
          tags: |
            enable=${{ github.event_name == 'release' }},type=raw,value=latest
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.html_url }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Get Git SHA
        id: git-sha
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Compute Versions
        id: version
        run: |
          if [ -n "${{ github.event.pull_request.number }}" ]; then
            IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
            echo "imageTag=pr-${{ github.event.pull_request.number }}-${{ steps.git-sha.outputs.sha_short }}" >> $GITHUB_OUTPUT
            echo "PR_SUFFIX=-pr-"${{ github.event.pull_request.number }} >> $GITHUB_ENV
          else
            TAG_OR_BRANCH=$(echo $GITHUB_REF | sed -e 's|refs/tags/v||' -e 's|refs/heads/||')
            IMAGE_TAG="${TAG_OR_BRANCH}"
            echo "imageTag=${TAG_OR_BRANCH}" >> $GITHUB_OUTPUT
            echo "PR_SUFFIX=" >> $GITHUB_ENV
          fi
          echo "imageTagArm64=${IMAGE_TAG}-arm64" >> $GITHUB_OUTPUT
          echo "imageTagAmd64=${IMAGE_TAG}-amd64" >> $GITHUB_OUTPUT

      - name: Swap in tagged image name in the Dockerfile
        run: |
          sed -i "s|FROM lambda-dispatch-extension|FROM public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}:${{ steps.version.outputs.imageTag }}|g" ./DockerfileLambdaDemoApp

      - name: Configure AWS Credentials
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-1

      - name: Login to ECR Public
        if: needs.check-access.outputs.has-token-access == 'true'
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Configure AWS Credentials
        if: needs.check-access.outputs.has-token-access == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-2

      - name: Login to ECR Private
        if: needs.check-access.outputs.has-token-access == 'true'
        id: login-ecr-private
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: private

      - name: Build and push Docker image for arm64
        run: |
          docker buildx build --platform linux/arm64 --file ./DockerfileLambdaDemoApp \
            -t ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }} \
            -t ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}-${{ steps.git-sha.outputs.sha_short }} \
            --load .
          docker push ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}
          docker push ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}-${{ steps.git-sha.outputs.sha_short }}
          docker buildx imagetools inspect ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}

          docker buildx build --platform linux/arm64 --file ./DockerfileLambdaDemoApp \
            -t ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }} \
            --load .
          docker push ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}
          docker buildx imagetools inspect ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagArm64 }}

      - name: Build and push Docker image for amd64
        run: |
          docker buildx build --platform linux/amd64 --file ./DockerfileLambdaDemoApp \
            -t ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }} \
            -t ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}-${{ steps.git-sha.outputs.sha_short }} \
            --load .
          docker push ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}
          docker push ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}-${{ steps.git-sha.outputs.sha_short }}
          docker buildx imagetools inspect  ${{ env.PRIVATE_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}

          docker buildx build --platform linux/amd64 --file ./DockerfileLambdaDemoApp \
            -t ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }} \
            --load .
          docker push ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}
          docker buildx imagetools inspect  ${{ env.PUBLIC_REGISTRY_IMAGE }}:${{ steps.version.outputs.imageTagAmd64 }}

      # Also push multi-platform image
      # We do this because we can use it as a source with src/cdk-construct/DockerfileLambda
      # to push a lambda-compatible single-platform image using CDK without
      # having to get the platform-specific tag correct (we can use pr-123, main, or latest)
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./DockerfileLambdaDemoApp
          platforms: linux/amd64,linux/arm64
          push: ${{ needs.check-access.outputs.has-token-access == 'true' }}
          tags: ${{ steps.meta.outputs.tags }}

  install-deps:
    needs:
      - build-demoapp
      - merge-router
    runs-on: ubuntu-latest
    if: ${{ !failure() && (needs.build-demoapp.result == 'skipped' || needs.build-demoapp.result == 'success') && (needs.merge-router.result == 'skipped' || needs.merge-router.result == 'success') }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/configure-nodejs
        with:
          lookup-only: 'true' # We only want to lookup from the cache - if a hit, this job does nothing

  deploy:
    needs: [install-deps]
    runs-on: ubuntu-latest
    environment:
      name: ghpublic
      url: https://lambdadispatch${{ steps.getDeployUrl.outputs.stack-url-suffix }}.ghpublic.pwrdrvr.com/ping
    permissions:
      id-token: write
      contents: read
    concurrency:
      group: deploy-${{ github.workflow }}-${{ github.event.pull_request.number }}
      cancel-in-progress: false
    outputs:
      stack-url-suffix: ${{ steps.getDeployUrl.outputs.stack-url-suffix }}
      url: https://lambdadispatch${{ steps.getDeployUrl.outputs.stack-url-suffix }}.ghpublic.pwrdrvr.com
    if: ${{ !cancelled() && needs.install-deps.result != 'failed' }}
    env:
      DEMO_APP_REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-demo-app${{ github.event_name == 'pull_request' && '-dev' || '' }}
      ROUTER_REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
      IMAGE_TAG: ${{ github.event_name == 'pull_request' && 'pr-${{ github.event.pull_request.number }}' || 'latest' }}
      USE_PUBLIC_IMAGES: ${{ contains(github.event.pull_request.labels.*.name, 'USE-PUBLIC-IMAGES') && 'true' || 'false' }}
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-session-name: lambda-dispatch-ghpublic-build
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
          aws-region: us-east-2

      - uses: ./.github/actions/configure-nodejs

      - name: Build CDK Stack
        run: |
          yarn build

      - name: Get Deploy URL
        id: getDeployUrl
        run: |
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            echo stack-url-suffix="-pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
          else
            echo stack-url-suffix="" >> $GITHUB_OUTPUT
          fi

      - name: Get Git SHA
        id: git-sha
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Deploy Stack
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GIT_SHA_SHORT: ${{ steps.git-sha.outputs.sha_short }}
        run: |
          cd src/cdk-stack
          STACK_SUFFIX=${{ github.event_name == 'pull_request' && '-pr' || '' }}
          npx cdk deploy lambda-dispatch${STACK_SUFFIX} --require-approval never

  smoke-test:
    needs: [deploy]
    runs-on: ubuntu-latest
    if: ${{ !cancelled() && needs.deploy.result != 'failed' }}
    steps:
      - name: Smoke Test
        run: |
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            STACK_SUFFIX="-pr-${{ github.event.pull_request.number }}"
          else
            STACK_SUFFIX=""
          fi

          BASE_URL="${{ needs.deploy.outputs.url }}"
          echo "Smoke testing ${BASE_URL}"

          for i in {1..5}; do
            curl ${BASE_URL}/ping
          done

  create-status-checks:
    needs: [deploy, smoke-test]
    runs-on: ubuntu-latest
    if: ${{ !cancelled() && needs.deploy.result != 'failed' && github.event_name == 'pull_request' }}
    steps:
      - name: Generate URLs
        id: generate-urls
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "alb_router=https://lambdadispatch-pr-${PR_NUMBER}.ghpublic.pwrdrvr.com" >> $GITHUB_OUTPUT
          echo "alb_demoapp=https://lambdadispatch-demoapp-pr-${PR_NUMBER}.ghpublic.pwrdrvr.com" >> $GITHUB_OUTPUT
          echo "nlb_router=https://lambdadispatch-nlb-pr-${PR_NUMBER}.ghpublic.pwrdrvr.com" >> $GITHUB_OUTPUT
          echo "nlb_demoapp=https://lambdadispatch-nlb-demoapp-pr-${PR_NUMBER}.ghpublic.pwrdrvr.com" >> $GITHUB_OUTPUT

      - name: Find Deployment URLs Comment
        uses: peter-evans/find-comment@v3
        id: find-comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: '### 🚀 Deployment URLs'

      - name: Post Deployment URLs Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          edit-mode: replace
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            ### 🚀 Deployment URLs

            #### Application Load Balancer (ALB)
            - **Router**: [${{ steps.generate-urls.outputs.alb_router }}](${{ steps.generate-urls.outputs.alb_router }})
            - **Demo App**: [${{ steps.generate-urls.outputs.alb_demoapp }}](${{ steps.generate-urls.outputs.alb_demoapp }})

            #### Network Load Balancer (NLB)
            - **Router (Port ${{ github.event.pull_request.number }})**: [${{ steps.generate-urls.outputs.nlb_router }}](${{ steps.generate-urls.outputs.nlb_router }})
            - **Demo App (Port ${{ github.event.pull_request.number }}+10000)**: [${{ steps.generate-urls.outputs.nlb_demoapp }}](${{ steps.generate-urls.outputs.nlb_demoapp }})

            ### 🧪 Test Endpoints

            #### Basic Tests
            ```bash
            # Simple ping test
            curl -v ${{ steps.generate-urls.outputs.alb_router }}/ping

            # View request headers
            curl ${{ steps.generate-urls.outputs.alb_router }}/headers

            # Delayed response (milliseconds)
            curl ${{ steps.generate-urls.outputs.alb_router }}/delay?delay=500
            ```

            #### Load/Performance Tests
            ```bash
            # Ping test with 100 concurrent requests (Hey)
            hey -h2 -c 100 -n 10000 ${{ steps.generate-urls.outputs.alb_router }}/ping

            # Ping test with controlled concurrency (oha)
            oha -c 20 -z 60s ${{ steps.generate-urls.outputs.alb_router }}/ping

            # Post and echo data
            curl -X POST -H "Content-Type: text/plain" --data "Hello World" ${{ steps.generate-urls.outputs.alb_router }}/echo
            ```

            #### Advanced Features
            ```bash
            # Chunked/streaming response
            curl ${{ steps.generate-urls.outputs.alb_router }}/chunked-response

            # Read from S3
            curl ${{ steps.generate-urls.outputs.alb_router }}/read-s3

            # Read from DynamoDB
            curl ${{ steps.generate-urls.outputs.alb_router }}/read
            ```

            *Deployment updated: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}*

      # Create a single environment for the main deployment URL to show in PR checks
      - name: Update Main Environment
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # This will update the environment URL that appears in the PR checks
          echo "Deployment URLs have been posted as a comment"