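# This workflow checks out the latest source code, builds a Docker image and
# pushes it to Docker Hub and GitHub Container Registry.

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# NOTE(review): every `uses:` below references a mutable version tag. This job
# handles registry credentials and holds `id-token: write`, so consider pinning
# each action to a full commit SHA and letting an update bot bump the pins.

name: Publish Docker image

on:
  push:
    branches: [v5]
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'

# Read by the attestation step (Step 7). These were referenced there but never
# defined, so the attestation subject name rendered as just "/".
# NOTE(review): the subject name has to match the pushed GHCR image name; if the
# repository owner or name contains upper-case letters, lowercase it here.
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    name: Build Docker image and push to multiple registries
    runs-on: ubuntu-latest
    # Least-privilege token scopes: read the repository, publish packages, and
    # request an OIDC token plus write access for the provenance attestation.
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      # Step 1: Source code checkout
      - name: Source code checkout
        uses: actions/checkout@v4

      # - name: Gradle cache
      #   uses: actions/setup-java@v4
      #   with:
      #     distribution: 'corretto'
      #     java-version: '21'
      #     cache: 'gradle'
      #
      # - name: Setup Gradle
      #   uses: gradle/actions/setup-gradle@v4
      #
      # - name: Gradle build
      #   run: ./gradlew build --no-daemon

      # Step 2: Configure Docker Buildx
      - name: Configure Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Step 2.5: Setup QEMU
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # Step 3: Log in to Docker Hub
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Step 4: GitHub Container Registry login
      # NOTE(review): the job already grants `packages: write`, so the built-in
      # `secrets.GITHUB_TOKEN` may be sufficient here. A long-lived personal
      # token stored as GHCR_TOKEN is a broader credential to protect and
      # rotate; confirm the package is linked to this repository before
      # switching.
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}

      # Step 5: Configure image tags
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ secrets.DOCKERHUB_USERNAME }}/aruppi-api
            ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha

      # Step 6: Build and publish to Docker Hub and GitHub Container Registry
      # `id: push` is required so Step 7 can read this step's `digest` output;
      # without it `steps.push.outputs.digest` is empty.
      - name: Build and publish
        id: push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # platforms: linux/amd64,linux/arm64
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # github-token: ${{ secrets.GHCR_TOKEN }}

      # Step 7: Generate artifact attestation
      # Binds build provenance to the exact image digest pushed in Step 6.
      # The attestation is stored next to the GHCR image only; the Docker Hub
      # copy gets no attestation pushed to its registry by this step.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true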