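###############################################################################
# GitHub Actions equivalent of the Forgejo workflow.
# Disabled by default - rename to build.yml or remove the `if:` guard below
# if you decide to mirror to GitHub.
#
# Flow: check out the repo, log in to GHCR, build one image carrying every tag
# in IMAGE_TAGS, push each tag, then sign the pushed digests with a cosign
# private key taken from the SIGNING_SECRET repository secret.
###############################################################################
name: build-image-github

on:
  workflow_dispatch:
  # Uncomment when you actually want GitHub to build:
  # push:
  #   branches: [main]
  # schedule:
  #   - cron: "0 6 * * 1"

env:
  IMAGE_NAME: kamos
  # Space-separated list; every step below iterates over it.
  IMAGE_TAGS: "stable latest"
  REGISTRY: ghcr.io

jobs:
  build:
    runs-on: ubuntu-latest
    if: ${{ false }}  # remove this line to enable
    # Least privilege: signing below uses a private key (--key), not keyless
    # OIDC, so `id-token: write` is not requested. Add it back only if the
    # Sign step is switched to keyless signing.
    permissions:
      contents: read
      packages: write
    defaults:
      run:
        # Arrays and the ${var,,} lowercase expansion used below need bash.
        shell: bash
    steps:
      # NOTE(review): both actions are referenced by mutable tags (@v4, @v1).
      # Pinning each to a full commit SHA keeps a retagged release from
      # changing what runs with `packages: write` and the signing key.
      - uses: actions/checkout@v4

      - name: Login to GHCR
        uses: redhat-actions/podman-login@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The owner is handed to the shell through an environment variable
      # instead of being expanded inside the script text, so the value is
      # treated as data rather than as shell source. It is lowercased because
      # GHCR rejects image names containing uppercase characters.
      - name: Resolve image reference
        env:
          OWNER: ${{ github.repository_owner }}
        run: |
          echo "IMAGE_REF=${REGISTRY}/${OWNER,,}/${IMAGE_NAME}" >> "$GITHUB_ENV"

      - name: Build
        run: |
          tag_args=()
          for t in $IMAGE_TAGS; do
            tag_args+=(--tag "${IMAGE_REF}:${t}")
          done
          podman build --pull=newer "${tag_args[@]}" .

      # The digest of each pushed manifest is recorded at push time so the
      # Sign step signs exactly what this job uploaded, rather than whatever
      # the tag resolves to when it is looked up later.
      - name: Push
        run: |
          for t in $IMAGE_TAGS; do
            podman push --digestfile "${RUNNER_TEMP}/digest-${t}" "${IMAGE_REF}:${t}"
          done

      # NOTE(review): no step in this workflow installs cosign; confirm the
      # runner image provides it or add an installer step before enabling.
      # NOTE(review): COSIGN_PASSWORD is empty, i.e. the key stored in
      # SIGNING_SECRET is expected to be unencrypted, so the secret alone is
      # enough to produce signatures - restrict who can read or use it.
      - name: Sign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
          COSIGN_PASSWORD: ""
        run: |
          for t in $IMAGE_TAGS; do
            DIGEST="$(cat "${RUNNER_TEMP}/digest-${t}")"
            if [ -z "${DIGEST}" ]; then
              echo "no digest recorded for tag ${t}; refusing to sign" >&2
              exit 1
            fi
            cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_REF}@${DIGEST}"
          done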