.github/workflows/build-images.yml

---
# desc: build container images, perform static tests then publish
name: build-images

on:
    push:
        branches:
            - '**'
        tags:
            - keycloak-[0-9]+-[0-9]+-[0-9]+-[0-9]+-[0-9]+ # `keycloak-23-yyyy-mm-dd-xxx`: only keycloak 23
            - '[0-9]+-[0-9]+-[0-9]+-[0-9]+' # `yyyy-mm-dd-xxx`: all keycloak versions
    schedule:
        - cron: 0 3 * * *
    workflow_dispatch:
        inputs:
            notify_back_error_message:
                description: \ Error message if retry was not successful. This parameter is used for internal call back actions.
                required: false
                default: ''

jobs:
    triage:
        runs-on: ubuntu-24.04
        steps:
            - name: Display notify_back_error_message if present
              if: ${{ inputs.notify_back_error_message != '' }}
              run: |
                  echo "A previous workflow failed but has attempted to retry: ${{ inputs.notify_back_error_message }}"
                  exit 1

    list-keycloak-versions:
        runs-on: ubuntu-24.04
        needs:
            - triage
        outputs:
            matrix_keycloak_versions: ${{ steps.set-matrix.outputs.matrix_keycloak_versions }}
        steps:
            - name: Checkout
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

            - name: List Keycloak Versions from repository's folders
              id: set-matrix
              run: |
                  : # if we release a specified version of keycloak, the matrix should only contain it
                  if [[ $GITHUB_REF =~ ^refs/tags/keycloak-([0-9]+)- ]]; then
                    keycloak_version=${BASH_REMATCH[1]}
                    matrix_json="[\"${keycloak_version}\"]"
                  else
                    : # List folders matching the pattern keycloak-*
                    : # Export the list as an output in JSON format
                    matrix_json=$(printf "%s\n" keycloak-*/ | sed 's/\/$//' | sed 's/keycloak-//' | jq -R -s -c 'split("\n")[:-1]')
                  fi

                  echo "matrix_keycloak_versions=${matrix_json}" >> "$GITHUB_OUTPUT"
                  echo "matrix_keycloak_versions=${matrix_json}"

    build-image:
        runs-on: ubuntu-24.04
        outputs:
            full_image_name: ${{ steps.compute-image-name-step.outputs.full_image_name }}
        needs:
            - list-keycloak-versions
        strategy:
            fail-fast: false # don't propagate failing jobs
            matrix:
                keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
        steps:
            - name: Checkout
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

            - name: Install tooling using asdf
              uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3

            - name: Import secrets
              uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
              id: secrets
              with:
                  url: ${{ secrets.VAULT_ADDR }}
                  method: approle
                  roleId: ${{ secrets.VAULT_ROLE_ID }}
                  secretId: ${{ secrets.VAULT_SECRET_ID }}
                  exportEnv: false
                  secrets: |
                      secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
                      secret/data/products/infrastructure-experience/ci/common MACHINE_USR;

                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;

            - name: Login to the dockerhub registry # prevents pull limit rate
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY }}
                  username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
                  password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

            - name: Compute build image variables
              id: compute-build-image-name-step
              run: |
                  keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile \
                      | awk -F'[:=]' '{print $NF}' \
                      | tr -d '"' \
                      | awk -F'[:/-]' '{print $1}' \
                      || { echo "Error: Image tag $1 not found in Dockerfile"; exit 1; })

                  echo "keycloak_full_version=${keycloak_full_version}"

            - name: Build image using Camunda docker build
              id: build-image-step
              uses: camunda/infra-global-github-actions/build-docker-image@5f523a49b3681db91bb985f8763aea8b2dbb529e # main
              with:
                  registry_host: ${{ vars.CONTAINER_REGISTRY_CI }}
                  registry_username: ${{ steps.secrets.outputs.MACHINE_USR }}
                  registry_password: ${{ steps.secrets.outputs.MACHINE_PWD }}
                  force_push: true
                  image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
                  build_context: ./keycloak-${{ matrix.keycloak_version }}/
                  build_platforms: linux/amd64,linux/arm64
                  extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
                      type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short

            - name: Compute target built image fully qualified name from metadata
              id: compute-image-name-step
              run: |
                  image_metadata='${{ steps.build-image-step.outputs.image_metadata }}'
                  image_name=$(echo "${image_metadata}" | tr -d '\n' | jq -r '."image.name"' | tr ',' '\n' | head -n 1 | tr -d ' ')
                  digest=$(echo "${image_metadata}" | tr -d '\n' | jq -r '."containerimage.digest"')
                  full_image_name="${image_name}@${digest}"
                  echo "full_image_name=${full_image_name}" >> "$GITHUB_OUTPUT"
                  echo "$full_image_name"

      ## Write for matrix outputs workaround
            - uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1
              id: out
              with:
                  matrix-step-name: ${{ github.job }}
                  matrix-key: ${{ matrix.keycloak_version }}
                  outputs: |-
                      full_image_name: ${{ steps.compute-image-name-step.outputs.full_image_name }}

  ## Read matrix outputs
    read-build-image-output:
        runs-on: ubuntu-24.04
        needs: [build-image]
        steps:
            - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1
              id: read
              with:
                  matrix-step-name: build-image
        outputs:
            result: ${{ steps.read.outputs.result }}

    test-base-image:
        runs-on: ubuntu-24.04
        needs:
            - list-keycloak-versions
            - build-image
            - read-build-image-output
        strategy:
            fail-fast: false # don't propagate failing jobs
            matrix:
                keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
        steps:
            - name: Checkout
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

            - name: Install tooling using asdf
              uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3

            - name: Set Keycloak Image Name
              id: set-keycloak-image-name
              shell: bash
              run: |
                  keycloak_image_name="${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}"
                  echo "keycloak_image_name=${keycloak_image_name}" >> "$GITHUB_ENV"
                  echo "keycloak_image_name=${keycloak_image_name}"

            - name: Import secrets
              uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
              id: secrets
              with:
                  url: ${{ secrets.VAULT_ADDR }}
                  method: approle
                  roleId: ${{ secrets.VAULT_ROLE_ID }}
                  secretId: ${{ secrets.VAULT_SECRET_ID }}
                  exportEnv: false
                  secrets: |
                      secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
                      secret/data/products/infrastructure-experience/ci/common MACHINE_USR;

            - name: Login to the registry
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY_CI }}
                  username: ${{ steps.secrets.outputs.MACHINE_USR }}
                  password: ${{ steps.secrets.outputs.MACHINE_PWD }}

            - name: KeyCloak Show-Config
              run: |
                  docker run "${{ env.keycloak_image_name }}" /opt/bitnami/keycloak/bin/kc.sh show-config >> docker.log
                  echo "config=$(< docker.log tr '\n' ' ')" >> "$GITHUB_ENV"

            - name: Assert Config
              env:
                  CONFIG: ${{ env.config }}
              run: python3 ./.github/scripts/build-check/main.py

    test-postgres-integ:
        strategy:
            fail-fast: false # don't propagate failing jobs
            matrix:
                runner_desc:
                    - runner: ubuntu-22.04
                      postgres_replicas: 1
                      keycloak_jdbc_driver: postgresql
                      keycloak_db_driver: org.postgresql.Driver
                      keycloak_db_host_template: postgres
                      keycloak_db_jdbc_query: ''
                      keycloak_db_port: '5432'

                    - runner: aws-core-2-default
                      postgres_replicas: 0
                      keycloak_jdbc_driver: aws-wrapper:postgresql
                      keycloak_db_driver: software.amazon.jdbc.Driver
                      keycloak_db_host_template: camunda-ci-eks-aurora-postgresql-{{ postgres_version }}.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com
                      keycloak_db_jdbc_query: wrapperPlugins=iam&ssl=true&sslmode=require
                      keycloak_db_port: '5432'

                    - runner: aws-arm-core-2-default
                      postgres_replicas: 0
                      keycloak_jdbc_driver: aws-wrapper:postgresql
                      keycloak_db_driver: software.amazon.jdbc.Driver
                      keycloak_db_host_template: camunda-ci-eks-aurora-postgresql-{{ postgres_version }}.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com
                      keycloak_db_jdbc_query: wrapperPlugins=iam&ssl=true&sslmode=require
                      keycloak_db_port: '5432'
                      # Add the gcp runner when GCloud SQL is available
                      # GCloud SQL is not tested yet as we don't have a dedicated db

                keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
        runs-on: ${{ matrix.runner_desc.runner }}
        needs:
            - list-keycloak-versions
            - build-image
            - read-build-image-output
        steps:
            - name: Checkout
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

            - name: Install build-essentials for asdf
              run: |
                  sudo apt-get update

                  sudo apt-get install -y build-essential git libexpat1-dev libssl-dev zlib1g-dev \
                  libncurses5-dev libbz2-dev liblzma-dev \
                  libsqlite3-dev libffi-dev tcl-dev linux-headers-generic libgdbm-dev \
                  libreadline-dev tk tk-dev

            - name: Install tooling using asdf
              uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3

            - name: Set Keycloak Image Name
              id: set-keycloak-image-name
              shell: bash
              run: |
                  keycloak_image_name="${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}"
                  echo "keycloak_image_name=${keycloak_image_name}" >> "$GITHUB_ENV"
                  echo "keycloak_image_name=${keycloak_image_name}"

            - name: Import secrets
              uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
              id: secrets
              with:
                  url: ${{ secrets.VAULT_ADDR }}
                  method: approle
                  roleId: ${{ secrets.VAULT_ROLE_ID }}
                  secretId: ${{ secrets.VAULT_SECRET_ID }}
                  exportEnv: true
                  secrets: |
                      secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
                      secret/data/products/infrastructure-experience/ci/common MACHINE_USR;

                      secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_PASSWORD | postgres_superuser_password;
                      secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_USERNAME | postgres_superuser;

                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;

            - name: Login to the dockerhub registry # prevents pull limit rate
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY }}
                  username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
                  password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

            - name: Login to the registry
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY_CI }}
                  username: ${{ steps.secrets.outputs.MACHINE_USR }}
                  password: ${{ steps.secrets.outputs.MACHINE_PWD }}

            - name: Compute AWS variables
              if: startsWith(matrix.runner_desc.runner, 'aws')
              run: |
                  : # aws aurora superuser is only used for bootstrapping a standard user that will auth using irsa
                  echo "postgres_user=keycloak-irsa" | tee -a "$GITHUB_ENV"
                  echo "postgres_password=" | tee -a "$GITHUB_ENV"

                  echo "compose_keycloak_volume_1=$AWS_WEB_IDENTITY_TOKEN_FILE:$AWS_WEB_IDENTITY_TOKEN_FILE" >> "$GITHUB_ENV"

                  : # export AWS variables
                  echo "AWS_STS_REGIONAL_ENDPOINTS=$AWS_STS_REGIONAL_ENDPOINTS" >> "$GITHUB_ENV"
                  echo "AWS_STS_REGIONAL_ENDPOINTS=${AWS_STS_REGIONAL_ENDPOINTS}"
                  echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION" >> "$GITHUB_ENV"
                  echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}"
                  echo "AWS_REGION=$AWS_REGION" >> "$GITHUB_ENV"
                  echo "AWS_REGION=${AWS_REGION}"
                  echo "AWS_ROLE_ARN=$AWS_ROLE_ARN" >> "$GITHUB_ENV"
                  echo "AWS_ROLE_ARN=${AWS_ROLE_ARN}"
                  echo "AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE" >> "$GITHUB_ENV"
                  echo "AWS_WEB_IDENTITY_TOKEN_FILE=${AWS_WEB_IDENTITY_TOKEN_FILE}"

            - name: Compute Ubuntu variables
              if: startsWith(matrix.runner_desc.runner, 'ubuntu')
              run: |
                  : # we use plain values that will be used by the postgres container
                  echo "postgres_user=keycloak" | tee -a "$GITHUB_ENV"
                  echo "postgres_password=password" | tee -a "$GITHUB_ENV"

            - name: Declare test recipe variables
              shell: bash
              run: |
                  if (( "${{ matrix.runner_desc.postgres_replicas }}" < 1 )); then
                    echo "compose_keycloak_depends_on=" >> "$GITHUB_ENV"
                  else
                    echo "compose_keycloak_depends_on=postgres" >> "$GITHUB_ENV"
                  fi

                  : # ensure uniqueness of the db name
                  uuid="$(cat /proc/sys/kernel/random/uuid)"
                  postgres_database="infex-keycloak-db-${uuid}-${{ github.sha }}"
                  echo "postgres_database=${postgres_database}" | tee -a "$GITHUB_ENV"

                  : # get the postgres version to test
                  keycloak_version_git="$(echo '${{ matrix.keycloak_version }}' | sed -E 's/^([0-9]+)\.?(.*)$/\1.0/g')" # make sure to have a major.0 format
                  postgres_version=$(
                    curl -s "https://raw.githubusercontent.com/keycloak/keycloak/release/${keycloak_version_git}/pom.xml" \
                    | awk -F'[><]' '/<postgresql.version>/{print $3}'
                  )

                  echo "postgres_version=${postgres_version}" >> "$GITHUB_ENV"
                  echo "postgres_version=${postgres_version}"

                  : # apply template on the address
                  postgres_host=$(echo "${{ matrix.runner_desc.keycloak_db_host_template }}" | sed "s/{{ postgres_version }}/${postgres_version}/g")
                  echo "postgres_host=${postgres_host}" >> "$GITHUB_ENV"
                  echo "postgres_host=${postgres_host}"

      # The self-hosted runner doesn't provide a postgres client and the prerequisites for make,
      # so we need to install them manually
            - name: Install required packages
              run: sudo apt-get update && sudo apt-get install -y build-essential postgresql-client

            - name: Tear up Aurora PG (aws only)
              if: startsWith(matrix.runner_desc.runner, 'aws')
              run: ./.helpers/actions/create_aurora_pg_db.sh
              env:
                  PGDATABASE: ${{ env.postgres_database }}
                  PGHOST: ${{ env.postgres_host }}
                  PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
                  PGPASSWORD: ${{ env.postgres_superuser_password }}
                  PGUSER: ${{ env.postgres_superuser }}
                  PGUSER_IRSA: ${{ env.postgres_user }}

            - name: Generate a db auth token using aws for simple psql db connection test (aws only)
              if: startsWith(matrix.runner_desc.runner, 'aws')
              shell: bash
              run: |
                  : # We generate a db auth token using the aws cli because IRSA access in Keycloak might not be easy to debug.
                  : # This token will be used in the "Test psql db connection" step, and then it will be reset for the Keycloak integration test.
                  : # The aws command uses the environment variables provided by the runner
                  AWS_PG_PASSWORD="$(aws rds generate-db-auth-token --hostname ${{ env.postgres_host }} \
                     --port ${{ matrix.runner_desc.keycloak_db_port }} --region ${{ env.AWS_REGION }} --username ${{ env.postgres_user }})"

                  echo "postgres_password=${AWS_PG_PASSWORD}" >> "$GITHUB_ENV"

            - name: Test psql db connection (for external db only)
              if: ${{ matrix.runner_desc.postgres_replicas == 0 }}
              shell: bash
              run: |
                  : # Perform a simple psql connection test to ensure the database can be reached.
                  : # The psql command provides clear and simple error messages compared to jdbc,
                  : # which is why we perform this step.
                  PGPASSWORD="${{ env.postgres_password }}"
                  export PGPASSWORD
                  psql -h "${{ env.postgres_host }}" -p "${{ matrix.runner_desc.keycloak_db_port }}" \
                    "dbname=${{ env.postgres_database }} user=${{ env.postgres_user }}" -c 'SELECT version();'

            - name: Reset postgres_password for IRSA connection  (aws only)
              if: startsWith(matrix.runner_desc.runner, 'aws')
              shell: bash
              run: |
                  : # For AWS IRSA connection, we don't use password-based authentication.
                  : # Since a password was generated in the previous steps, we need to ensure it is empty.
                  echo "postgres_password=" >> "$GITHUB_ENV"

            - name: Start Test Environment
              uses: ./.github/actions/compose
              with:
                  project_name: keycloak
              env:

                  POSTGRES_DB: ${{ env.postgres_database }}
                  POSTGRES_USER: ${{ env.postgres_user }}
                  POSTGRES_PASSWORD: ${{ env.postgres_password }}

                  KEYCLOAK_DATABASE_USER: ${{ env.postgres_user }}
                  KEYCLOAK_DATABASE_PASSWORD: ${{ env.postgres_password }}
                  KEYCLOAK_DATABASE_NAME: ${{ env.postgres_database }}
                  KEYCLOAK_DATABASE_HOST: ${{ env.postgres_host }}
                  KEYCLOAK_DATABASE_PORT: ${{ matrix.runner_desc.keycloak_db_port }}
                  KEYCLOAK_JDBC_DRIVER: ${{ matrix.runner_desc.keycloak_jdbc_driver }}
                  KEYCLOAK_JDBC_PARAMS: ${{ matrix.runner_desc.keycloak_db_jdbc_query }}
                  KC_DB_DRIVER: ${{ matrix.runner_desc.keycloak_db_driver }}

                  KEYCLOAK_LOG_LEVEL: INFO,software.amazon.jdbc:INFO

                  COMPOSE_POSTGRES_IMAGE: docker.io/postgres:${{ env.postgres_version }}
                  COMPOSE_POSTGRES_DEPLOY_REPLICAS: ${{ matrix.runner_desc.postgres_replicas }}
                  COMPOSE_KEYCLOAK_DEPENDS_ON: ${{ env.compose_keycloak_depends_on }}
                  COMPOSE_KEYCLOAK_VOLUME_1: ${{ env.compose_keycloak_volume_1 || '/dev/null:/dummynull1' }}
                  COMPOSE_KEYCLOAK_IMAGE: ${{ env.keycloak_image_name }}

                  # AWS specific variables to forward,
                  # see https://confluence.camunda.com/pages/viewpage.action?pageId=178590693#IAMRolesforServiceAccountsTesting(IRSA)-EnvironmentVariables
                  AWS_STS_REGIONAL_ENDPOINTS: ${{ env.AWS_STS_REGIONAL_ENDPOINTS }}
                  AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }}
                  AWS_REGION: ${{ env.AWS_REGION }}
                  AWS_ROLE_ARN: ${{ env.AWS_ROLE_ARN }}
                  AWS_WEB_IDENTITY_TOKEN_FILE: ${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }}

            - name: Install dependencies
              run: |
                  python -m pip install --upgrade pip
                  pip install -r ./.github/scripts/integration/requirements.txt

            - name: Test Environment
              run: python3 ./.github/scripts/integration/main.py

            - name: Tear down Aurora PG (aws only)
              if: startsWith(matrix.runner_desc.runner, 'aws') && always()
              run: ./.helpers/actions/delete_aurora_pg_db.sh
              env:
                  PGDATABASE: ${{ env.postgres_database }}
                  PGHOST: ${{ env.postgres_host }}
                  PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
                  PGPASSWORD: ${{ env.postgres_superuser_password }}
                  PGUSER: ${{ env.postgres_superuser }}

    publish-image:
        runs-on: ubuntu-24.04
        # to release all versions of keycloak, tag it using the date (e.g.: `2024-03-10-001`)
        # to release only one version keycloak, tag it using the date prefixed by the version of keycloak (e.g.: `keycloak-23-2024-03-10-001`)
        if: startsWith(github.ref, 'refs/tags')
        strategy:
            fail-fast: false # don't propagate failing jobs
            matrix:
                keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
        needs:
            - read-build-image-output
            - list-keycloak-versions
            - test-postgres-integ
            - test-base-image
        steps:
            - name: Checkout
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

            - name: Install if required common software tooling
              uses: camunda/infra-global-github-actions/common-tooling@5f523a49b3681db91bb985f8763aea8b2dbb529e # main
              with:
                  node-enabled: false
                  java-enabled: false
                  yarn-enabled: false
                  python-enabled: false
                  buildx-install: true

            - name: Install tooling using asdf
              uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3

            - name: Import secrets
              uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
              id: secrets
              with:
                  url: ${{ secrets.VAULT_ADDR }}
                  method: approle
                  roleId: ${{ secrets.VAULT_ROLE_ID }}
                  secretId: ${{ secrets.VAULT_SECRET_ID }}
                  exportEnv: false
                  secrets: |
                      secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
                      secret/data/products/infrastructure-experience/ci/common MACHINE_USR;

                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
                      secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;

            - name: Login to the registry
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY_CI }}
                  username: ${{ steps.secrets.outputs.MACHINE_USR }}
                  password: ${{ steps.secrets.outputs.MACHINE_PWD }}

            - name: Login to Docker Hub
              uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
              with:
                  registry: ${{ vars.CONTAINER_REGISTRY }}
                  username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
                  password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}

            - name: Set Keycloak Version
              id: set-keycloak-version
              run: |
                  keycloak_image_name="${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}"
                  echo "keycloak_image_name=${keycloak_image_name}" >> "$GITHUB_ENV"
                  echo "keycloak_image_name=${keycloak_image_name}"

                  dockerhub_target_name="${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}"
                  echo "dockerhub_target_name=${dockerhub_target_name}" >> "$GITHUB_ENV"
                  echo "dockerhub_target_name=${dockerhub_target_name}"

            - name: Pull built image
              run: |
                  docker pull "${{ env.keycloak_image_name }}"

            - name: Retag and push the image
              shell: bash
              run: |
                  : # extract the base image tag to use it as base tag
                  base_image_tag=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile \
                  | awk -F'[:=]' '{print $NF}' \
                  | tr -d '"' \
                  || { echo "Error: Image tag $1 not found in Dockerfile"; exit 1; })

                  echo "base_image_tag=${base_image_tag}"

                  : # version of keycloak (e.g.: 23.0.1)
                  semver_tag=$(echo "${base_image_tag}"  | awk -F'-' '{print $1}')

                  : # remove keycloak- prefix
                  suffix_version=$(echo '${{ github.ref_name }}' | sed 's/keycloak-[0-9]*-//')

                  docker buildx imagetools create -t "${{ env.dockerhub_target_name }}:${{ matrix.keycloak_version }}" "${{ env.keycloak_image_name }}"
                  docker buildx imagetools create -t "${{ env.dockerhub_target_name }}:${base_image_tag}" "${{ env.keycloak_image_name }}"
                  docker buildx imagetools create -t "${{ env.dockerhub_target_name }}:${base_image_tag}-${suffix_version}" "${{ env.keycloak_image_name }}"
                  docker buildx imagetools create -t "${{ env.dockerhub_target_name }}:${semver_tag}" "${{ env.keycloak_image_name }}"

                  if [ "$(./.github/scripts/utils/find_latest_keycloak.sh)" = "${{ matrix.keycloak_version }}" ]; then
                    docker buildx imagetools create -t "${{ env.dockerhub_target_name }}:latest" "${{ env.keycloak_image_name }}"
                  fi

  # Rerun failed jobs running on self-hosted runners in case of network issues or node preemption
    rerun-failed-jobs:
        needs:
            - test-postgres-integ
        if: failure() && fromJSON(github.run_attempt) < 3 && inputs.notify_back_error_message == ''
        runs-on: ubuntu-latest
        steps:
            - name: Retrigger job
              uses: camunda/infra-global-github-actions/rerun-failed-run@5f523a49b3681db91bb985f8763aea8b2dbb529e # main
              with:
                  error-messages: |
                      lost communication with the server
                      The runner has received a shutdown signal
                  run-id: ${{ github.run_id }}
                  repository: ${{ github.repository }}
                  vault-addr: ${{ secrets.VAULT_ADDR }}
                  vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
                  vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
                  notify-back-on-error: 'true'

    notify-on-failure:
        runs-on: ubuntu-latest
        if: failure() && (fromJSON(github.run_attempt) >= 3 || inputs.notify_back_error_message != '') && github.event_name == 'schedule'
        needs:
            - publish-image
            - read-build-image-output
            - list-keycloak-versions
            - test-postgres-integ
            - test-base-image
            - rerun-failed-jobs
        steps:
            - name: Notify in Slack in case of failure
              id: slack-notification
              uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@4dcb257030b8026f86747777802b10cc6d64c20b # 1.2.5
              with:
                  vault_addr: ${{ secrets.VAULT_ADDR }}
                  vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
                  vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}