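# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

# Reusable workflow: for every (platform, cuda_version) pair it derives the
# runtime image reference built for this commit and hands it to the local
# compliance-scan action.
name: Shared Compliance Scan

on:
  workflow_call:
    inputs:
      framework:
        description: 'Framework name (vllm, sglang, trtllm)'
        required: true
        type: string
      target:
        description: 'Target docker stage'
        required: true
        type: string
      target_tag_plain:
        description: 'Plain runtime image tag prefix from the build workflow'
        required: true
        type: string
      cuda_version:
        description: 'CUDA versions to test as a JSON array'
        required: true
        type: string
      platform:
        description: 'Target platforms to test as a JSON array'
        required: true
        type: string
    secrets:
      AWS_DEFAULT_REGION:
        required: true
      AWS_ACCOUNT_ID:
        required: true
      AZURE_ACR_HOSTNAME:
        required: true
      AZURE_ACR_USER:
        required: true
      AZURE_ACR_PASSWORD:
        required: true

jobs:
  compliance:
    # NOTE(review): no `permissions:` block is declared here, so the
    # GITHUB_TOKEN scope is inherited from the calling workflow. Consider
    # pinning it to the minimum (e.g. `contents: read`) once it is confirmed
    # what the local docker-login and compliance-scan actions require.
    strategy:
      # Let the remaining matrix legs finish even if one scan fails.
      fail-fast: false
      matrix:
        # Both inputs arrive as JSON-array strings and are expanded here.
        platform: ${{ fromJson(inputs.platform) }}
        cuda_version: ${{ fromJson(inputs.cuda_version) }}
    runs-on: prod-builder-v3
    # cuda_version not empty -- name: cuda12, linux/amd64
    # cuda_version empty -- name: cpu, linux/amd64
    name: Compliance ${{ matrix.cuda_version == '' && 'cpu' || format('cuda{0}', matrix.cuda_version) }}, ${{ matrix.platform }}
    steps:
      - name: Checkout repository
        # Pinned to a full commit SHA so a moved tag cannot change the code
        # that runs with this job's secrets.
        # NOTE(review): consider `persist-credentials: false` if no later
        # step needs the checkout token in .git/config -- confirm first.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Docker Login
        uses: ./.github/actions/docker-login
        with:
          aws_default_region: ${{ secrets.AWS_DEFAULT_REGION }}
          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
          azure_acr_hostname: ${{ secrets.AZURE_ACR_HOSTNAME }}
          azure_acr_user: ${{ secrets.AZURE_ACR_USER }}
          azure_acr_password: ${{ secrets.AZURE_ACR_PASSWORD }}

      - name: Calculate target tag
        id: calculate-target-tag
        shell: bash
        env:
          ECR_REPOSITORY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com/ai-dynamo/dynamo
          # Caller-controlled values are passed through the environment, not
          # expanded with ${{ }} inside the script: an expression in `run:` is
          # substituted into the script text before bash parses it, so a
          # crafted value would execute as shell on a runner that is logged in
          # to the registries.
          CUDA_VERSION: ${{ matrix.cuda_version }}
          TARGET_TAG_PLAIN: ${{ inputs.target_tag_plain }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          # Major version only, e.g. "12.8" -> "12". When cuda_version is
          # empty this is empty too, so a non-planner tag ends in a bare
          # "-cuda". NOTE(review): confirm that is the intended tag.
          CUDA_MAJOR="${CUDA_VERSION%%.*}"

          # Planner images carry no CUDA suffix in their tag.
          if [[ "${TARGET_TAG_PLAIN}" == *"planner"* ]]; then
            IMAGE_TAG="${COMMIT_SHA}-${TARGET_TAG_PLAIN}"
          else
            IMAGE_TAG="${COMMIT_SHA}-${TARGET_TAG_PLAIN}-cuda${CUDA_MAJOR}"
          fi

          # Fail fast on anything outside the Docker tag grammar. This also
          # stops a value containing a newline from appending extra key=value
          # lines to GITHUB_OUTPUT.
          if [[ ! "${IMAGE_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::computed image tag is not a valid Docker tag"
            exit 1
          fi

          RUNTIME_IMAGE="${ECR_REPOSITORY}:${IMAGE_TAG}"
          echo "runtime_image=${RUNTIME_IMAGE}" >> "$GITHUB_OUTPUT"

      - name: Compliance scan
        uses: ./.github/actions/compliance-scan
        with:
          image: ${{ steps.calculate-target-tag.outputs.runtime_image }}
          # NOTE(review): matrix.platform values such as linux/amd64 put a
          # "/" into this name; confirm the compliance-scan action sanitises
          # it before using it as an artifact name.
          artifact_name: compliance-${{ inputs.target_tag_plain }}-${{ matrix.cuda_version }}-${{ matrix.platform }}
          arch: ${{ matrix.platform }}
          framework: ${{ inputs.framework }}
          target: ${{ inputs.target }}
          cuda_version: ${{ matrix.cuda_version }}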