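---
# Builds the talosctl+talhelper+sops image on every push. Only the default
# branch (main or master) logs in to the registry and pushes; every other
# branch builds a single-arch image locally and smoke-tests it.
name: Build talosctl+talhelper+sops image (push on main only)

on:
  push:
    branches: ["**"]
  workflow_dispatch: {}

# Least privilege for the workflow token: nothing below writes to the
# repository (registry auth uses dedicated secrets, not GITHUB_TOKEN).
# Honoured by GitHub Actions; should be harmless on runners that ignore it.
permissions:
  contents: read

env:
  # Configure these in your repository Settings → Variables/Secrets
  REGISTRY: ${{ vars.REGISTRY }}
  IMAGE_NAME: ${{ vars.IMAGE_NAME }}  # e.g. forgejo.example.com/owner/talos-tools

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable version tag.
      # Pinning each action to a full commit SHA (tag kept in a trailing
      # comment) protects the build from a retagged or compromised action.
      - name: Checkout
        uses: actions/checkout@v4

      # Fail early with a readable message instead of producing an invalid
      # image reference (":v1-2-3") or an anonymous registry login later on.
      - name: Check required configuration
        env:
          PUSH_ENABLED: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' }}
        run: |
          set -euo pipefail
          : "${IMAGE_NAME:?repository variable IMAGE_NAME is not set}"
          if [ "$PUSH_ENABLED" = "true" ]; then
            : "${REGISTRY:?repository variable REGISTRY is not set}"
          fi

      # The Dockerfile's `ARG NAME=value` lines are the single source of truth
      # for component versions; the image tag is v<talosctl>-<talhelper>-<sops>.
      - name: Extract component versions from Dockerfile
        id: versions
        run: |
          set -euo pipefail
          # `-f2-` keeps the whole value even if it contains another '='.
          arg() { grep -E "^ARG $1=" Dockerfile | head -n1 | cut -d'=' -f2-; }
          TALOSCTL_VERSION=$(arg TALOSCTL_VERSION)
          TALHELPER_VERSION=$(arg TALHELPER_VERSION)
          SOPS_VERSION=$(arg SOPS_VERSION)
          # An empty ARG would otherwise yield a tag like "v--" and a build
          # that downloads nothing useful; stop here with a clear error.
          for v in TALOSCTL_VERSION TALHELPER_VERSION SOPS_VERSION; do
            if [ -z "${!v}" ]; then
              echo "::error::ARG ${v} is missing or empty in Dockerfile" >&2
              exit 1
            fi
          done
          {
            echo "talosctl=${TALOSCTL_VERSION}"
            echo "talhelper=${TALHELPER_VERSION}"
            echo "sops=${SOPS_VERSION}"
            echo "tag=v${TALOSCTL_VERSION}-${TALHELPER_VERSION}-${SOPS_VERSION}"
          } >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Credentials are only ever presented to the registry from the default
      # branch; feature branches never see REGISTRY_USERNAME/PASSWORD.
      - name: Log in to registry (main only)
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build and push image (main only)
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          provenance: false
          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache
          cache-to: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache,mode=max
          build-args: |
            TALOSCTL_VERSION=${{ steps.versions.outputs.talosctl }}
            TALHELPER_VERSION=${{ steps.versions.outputs.talhelper }}
            SOPS_VERSION=${{ steps.versions.outputs.sops }}
          tags: |
            ${{ env.IMAGE_NAME }}:${{ steps.versions.outputs.tag }}
            ${{ env.IMAGE_NAME }}:latest
          labels: |
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}

      # `load: true` only supports a single platform, hence amd64 only here.
      - name: Build without push (branches other than main)
        if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master'
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          load: true
          push: false
          provenance: false
          build-args: |
            TALOSCTL_VERSION=${{ steps.versions.outputs.talosctl }}
            TALHELPER_VERSION=${{ steps.versions.outputs.talhelper }}
            SOPS_VERSION=${{ steps.versions.outputs.sops }}
          tags: |
            ${{ env.IMAGE_NAME }}:${{ steps.versions.outputs.tag }}
          labels: |
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}

      # Both build paths leave IMAGE_NAME:tag runnable — main pulls the image
      # it just pushed, other branches use the locally loaded build — so one
      # unconditional step replaces the two branch-specific copies.
      - name: Smoke test
        env:
          # Expression values go through the environment rather than being
          # interpolated into the shell line, so they are never re-parsed
          # by the shell.
          IMAGE_REF: ${{ env.IMAGE_NAME }}:${{ steps.versions.outputs.tag }}
        run: |
          docker run --rm "$IMAGE_REF" sh -lc \
            'talosctl version --client && talhelper version && sops --version'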