name: Docker image builds

on:
  workflow_dispatch:
  push:
    branches: [ "main" ]
    tags: [ "v*" ]
  pull_request:
    branches: [ "main" ]

env:
  DOCKER_METADATA_SET_OUTPUT_ENV: "true"

permissions:
  contents: read
  packages: write
  attestations: write
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-tags: true
          fetch-depth: 0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - uses: actions/setup-go@v5
        with:
          go-version: '1.24.x'

      - uses: ko-build/setup-ko@v0.8

      - name: Log into registry 
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: techarohq
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/techarohq/anubis

      - name: Build and push
        id: build
        run: |
          go run ./cmd/containerbuild --docker-repo ghcr.io/techarohq/anubis --slog-level debug
      
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/techarohq/anubis
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true