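---
# Build, test and release pipeline for the oci-builder image:
#   1. build-oci-builder   builds the image and pushes it as :ci-dev
#   2. test-oci-builder    rebuilds the image on the 'oci-builder-ci-dev' runner
#   3. release-oci-builder copies :ci-dev to :stable
#
# NOTE(review): the push trigger filters on paths only, not on branches, so a
# matching push to any branch runs all three jobs, including the retag of
# :stable. Confirm that is intended.
# NOTE(review): every action below is referenced by a mutable tag (@v4, @v1,
# @v2, @v2-compat). Pinning each one to a full commit hash would keep a moved
# tag from changing what runs in the jobs that hold REGISTRY_PASSWORD.
on:
  push:
    paths:
      - 'oci-builder/**'
      - '.forgejo/workflows/build-image.yaml'
  schedule:
    # Weekly rebuild: 05:00 on Sundays (in the scheduler's time zone).
    - cron: '0 5 * * 0'

jobs:
  build-oci-builder:
    name: 'Build oci-builder'
    runs-on: 'oci-builder'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@v4'

      - name: 'Build image'
        uses: 'https://git.uncontrol.me/ver4a-actions/buildah-build@v2-compat'
        with:
          image: 'registry.uncontrol.me/ver4a/oci-builder'
          tags: 'ci-dev'
          context: 'oci-builder'
          containerfiles: 'oci-builder/Containerfile'
          oci: true
          # One argument per line. no-new-privileges keeps processes in the
          # build from gaining privileges; the empty quay.expires-after
          # annotation presumably overrides an expiry inherited from the base
          # image - confirm against the Containerfile.
          extra-args: |
            --userns=container
            --security-opt=no-new-privileges
            --annotation=quay.expires-after=
          # GITHUB_RUN_ID is handed to the build so that later jobs can compare
          # it with /.github_run_id inside the image (the Containerfile that
          # would write that file is not visible here).
          # NOTE(review): confirm the runner exposes GITHUB_RUN_ID through the
          # env context, otherwise this build arg is empty.
          build-args: |
            REGISTRY_DOMAIN=${{ vars.REGISTRY_DOMAIN }}
            NAMESPACE=${{ vars.NAMESPACE }}
            GITHUB_RUN_ID=${{ env.GITHUB_RUN_ID }}

      # The login step comes after the build step, so this job only logs in
      # once the Containerfile has finished running.
      # Template expressions are quoted, matching the release job, so that an
      # empty or special-character expansion is still read as a string.
      - name: 'Log in to registry'
        uses: 'actions/podman-login@v1'
        with:
          registry: '${{ vars.REGISTRY_DOMAIN }}'
          username: '${{ vars.REGISTRY_USERNAME }}'
          password: '${{ secrets.REGISTRY_PASSWORD }}'

      # NOTE(review): the login above targets vars.REGISTRY_DOMAIN while the
      # push target is hard-coded; the push only has credentials if both name
      # the same registry.
      - name: 'Push :ci-dev to registry'
        uses: 'actions/push-to-registry@v2'
        with:
          image: 'ver4a/oci-builder'
          tags: 'ci-dev'
          registry: 'registry.uncontrol.me'

  test-oci-builder:
    name: 'Test oci-builder'
    # Presumably a runner label backed by the :ci-dev image - confirm in the
    # runner configuration.
    runs-on: 'oci-builder-ci-dev'
    needs: 'build-oci-builder'
    steps:
      # Fails the job unless /.github_run_id in the job environment matches
      # this run's id, i.e. unless the job runs in the image built above.
      # Process substitution needs a bash-compatible shell.
      - name: 'Make sure oci-builder originates from current workflow run'
        run: 'diff <(echo $GITHUB_RUN_ID) /.github_run_id'

      - name: 'Checkout'
        uses: 'actions/checkout@v4'

      # Same build as in build-oci-builder, tagged 'throwaway'; this job has
      # no login or push step, so the result is not published.
      - name: 'Build image'
        uses: 'https://git.uncontrol.me/ver4a-actions/buildah-build@v2-compat'
        with:
          image: 'registry.uncontrol.me/ver4a/oci-builder'
          tags: 'throwaway'
          context: 'oci-builder'
          containerfiles: 'oci-builder/Containerfile'
          oci: true
          extra-args: |
            --userns=container
            --security-opt=no-new-privileges
            --annotation=quay.expires-after=
          build-args: |
            REGISTRY_DOMAIN=${{ vars.REGISTRY_DOMAIN }}
            NAMESPACE=${{ vars.NAMESPACE }}
            GITHUB_RUN_ID=${{ env.GITHUB_RUN_ID }}

  release-oci-builder:
    name: 'Release oci-builder'
    runs-on: 'oci-builder-ci-dev'
    needs: 'test-oci-builder'
    steps:
      - name: 'Make sure oci-builder originates from current workflow run'
        run: 'diff <(echo $GITHUB_RUN_ID) /.github_run_id'

      - name: 'Log in to registry'
        uses: 'actions/podman-login@v1'
        with:
          registry: '${{ vars.REGISTRY_DOMAIN }}'
          username: '${{ vars.REGISTRY_USERNAME }}'
          password: '${{ secrets.REGISTRY_PASSWORD }}'

      # NOTE(review): the check above covers the image this job runs in, but
      # the copy below promotes whatever :ci-dev resolves to in the registry
      # at copy time. A concurrent run that pushes :ci-dev in between would be
      # promoted untested; copying the tested image by digest instead of by
      # tag would close that gap.
      - name: 'Move :ci-dev to :stable'
        run: 'skopeo copy docker://registry.uncontrol.me/ver4a/oci-builder:ci-dev docker://registry.uncontrol.me/ver4a/oci-builder:stable'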