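---
name: Release Image

# Reusable workflow: called from ci.yml after all checks pass.
# Can also be dispatched manually for rebuilds or tag overrides.
#
# Pushes to the Gitea container registry (the same host the workflow runs on)
# using the auto-provisioned GITHUB_TOKEN. No external secrets required.
#
# Hardening notes:
#   - Every `${{ ... }}` expression that feeds a `run:` script goes through
#     `env:` and is read as a shell variable. Expanding an expression directly
#     inside script text is a script-injection risk: `inputs.image_tag` is
#     caller/operator controlled (workflow_dispatch), and expanding the secret
#     inline puts the token into the generated script text.
#   - The manual tag override is validated against the OCI tag grammar before
#     it is used, so a malformed value fails the job instead of the push.
#   - NOTE(review): third-party actions are referenced by floating tags
#     (@v4/@v5); pinning to a full commit SHA is the supply-chain best practice.

# yamllint disable-line rule:truthy -- `on` is the workflow trigger key.
on:
  workflow_call:
    inputs:
      image_tag:
        description: Optional tag override, defaults to sha-
        required: false
        type: string
  workflow_dispatch:
    inputs:
      image_tag:
        description: Optional tag override, defaults to sha-
        required: false
        type: string

# Least privilege: the job only reads the checkout and writes packages.
permissions:
  contents: read
  packages: write

jobs:
  build-and-push:
    name: Build And Push Images
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        # A persistent runner may already have the builder from a previous run;
        # `create` then fails and the `--use` would be skipped, so fall back to
        # selecting the existing instance explicitly.
        run: |
          docker buildx create --use --name ci-builder 2>/dev/null \
            || docker buildx use ci-builder

      - id: registry
        name: Resolve Gitea registry host
        # GITHUB_SERVER_URL inside act_runner resolves to the *internal* Gitea
        # hostname (gitea:3000) which is not reachable from the job container.
        # Hardcode the externally-resolvable host instead.
        run: |
          echo "host=gitea.hartmut-noerenberg.com" >> "$GITHUB_OUTPUT"

      - name: Login to Gitea container registry
        # GITHUB_TOKEN is auto-provisioned by Gitea Actions for the running
        # workflow; no manual secret configuration required.
        # The token is handed to the step via `env:` and piped on stdin, so it
        # never appears in the script text or in a process argument list.
        env:
          REGISTRY_HOST: ${{ steps.registry.outputs.host }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" | \
            docker login "$REGISTRY_HOST" \
              -u "$REGISTRY_USER" --password-stdin

      - id: vars
        name: Compute image refs
        # Inputs are read from the environment, not interpolated into the
        # script; `IMAGE_TAG_INPUT` is the only value an operator can set.
        env:
          REGISTRY_HOST: ${{ steps.registry.outputs.host }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
          REPOSITORY: ${{ github.repository }}
          IMAGE_TAG_INPUT: ${{ inputs.image_tag }}
        run: |
          owner="$(printf '%s' "$REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')"
          repo="$(basename "$REPOSITORY" | tr '[:upper:]' '[:lower:]')"
          image_tag="$IMAGE_TAG_INPUT"
          if [ -z "${image_tag}" ]; then
            image_tag="sha-${GITHUB_SHA}"
          fi
          # OCI/Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}.
          # Reject anything else up front so a bad override fails here with a
          # clear message rather than deep inside the push step.
          if ! printf '%s' "${image_tag}" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "::error::invalid image tag: '${image_tag}'" >&2
            exit 1
          fi
          host="$REGISTRY_HOST"
          echo "app_image=${host}/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
          echo "migrator_image=${host}/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"

      # Guardrail anchor: target: runner
      - name: Build and push app image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile.prod
          target: runner
          push: true
          tags: ${{ steps.vars.outputs.app_image }}
          # NOTE(review): the `gha` cache backend needs the Actions cache
          # service; confirm act_runner exposes it, otherwise these are no-ops.
          cache-from: type=gha,scope=app
          cache-to: type=gha,mode=max,scope=app

      # Guardrail anchor: target: migrator
      - name: Build and push migrator image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile.prod
          target: migrator
          push: true
          tags: ${{ steps.vars.outputs.migrator_image }}
          cache-from: type=gha,scope=migrator
          cache-to: type=gha,mode=max,scope=migrator

      - name: Release summary
        env:
          APP_IMAGE: ${{ steps.vars.outputs.app_image }}
          MIGRATOR_IMAGE: ${{ steps.vars.outputs.migrator_image }}
        run: |
          echo "App image: $APP_IMAGE"
          echo "Migrator image: $MIGRATOR_IMAGE"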