# SPDX-FileCopyrightText: 2024 Gnuxie <Gnuxie@protonmail.com>
# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
#
# SPDX-License-Identifier: Apache-2.0

# Copied from https://github.com/matrix-org/matrix-bifrost/blob/develop/.github/workflows/docker-hub-latest.yml

name: "Docker Hub - Develop"

on:
  push:
    branches:
      - main

env:
  DOCKER_NAMESPACE: gnuxie
  PLATFORMS: linux/amd64,linux/arm64
  # Only push if this is main, otherwise we just want to build
  PUSH: ${{ github.ref == 'refs/heads/main' }}
  IMG_SOURCE: https://github.com/${{ github.repository }}

jobs:
  docker-latest:
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'the-draupnir-project/Draupnir' }}
    permissions:
      id-token: write
      contents: read
      attestations: write
      artifact-metadata: write
    steps:
      - name: Check out
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
          fetch-tags: true

      # Needed for multi platform builds
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
        with:
          platforms: ${{ env.PLATFORMS }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd

      - name: Log in to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build image
        id: push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
        with:
          context: .
          file: ./Dockerfile
          platforms: ${{ env.PLATFORMS }}
          push: ${{ env.PUSH }}
          # Shared Buildx cache scope reused by all container image workflows.
          # Keep the scope name aligned across workflows to maximize cache hits.
          cache-from: type=gha,scope=draupnir-container-build
          cache-to: type=gha,scope=draupnir-container-build,mode=max
          labels: |
            org.opencontainers.image.source=${{ env.IMG_SOURCE }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.version=${{ github.ref_name }}-${{ github.sha }}
            org.opencontainers.image.ref.name=${{ github.ref_name }}
            org.opencontainers.image.licenses=Apache-2.0

          # prettier-ignore
          outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=Draupnir is a community management platform for Matrix.
          sbom: true
          provenance: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/draupnir:develop

      - name: Attest pushed image
        id: attest
        if: ${{ env.PUSH == 'true' }}
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26
        with:
          subject-name: docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true