name: Docker image builds

on:
  workflow_dispatch:
  push:
    branches: ["main"]
    tags: ["v*"]

env:
  DOCKER_METADATA_SET_OUTPUT_ENV: "true"

permissions:
  contents: read
  packages: write
  attestations: write
  id-token: write
  pull-requests: write

jobs:
  buildx-bake:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Log into registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
        with:
          source: .
          push: true
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          set: ""

  containerbuild:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true
          fetch-depth: 0
          persist-credentials: false

      - name: Set lowercase image name
        run: |
          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV

      - name: Set up Homebrew
        uses: Homebrew/actions/setup-homebrew@main

      - name: Setup Homebrew cellar cache
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            /home/linuxbrew/.linuxbrew/Cellar
            /home/linuxbrew/.linuxbrew/bin
            /home/linuxbrew/.linuxbrew/etc
            /home/linuxbrew/.linuxbrew/include
            /home/linuxbrew/.linuxbrew/lib
            /home/linuxbrew/.linuxbrew/opt
            /home/linuxbrew/.linuxbrew/sbin
            /home/linuxbrew/.linuxbrew/share
            /home/linuxbrew/.linuxbrew/var
          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-homebrew-cellar-

      - name: Install Brew dependencies
        run: |
          brew bundle

      - name: Log into registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ${{ env.IMAGE }}

      - name: Build and push
        id: build
        run: |
          npm ci
          npm run container
        env:
          DOCKER_REPO: ${{ env.IMAGE }}
          SLOG_LEVEL: debug

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true