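# Build, self-test and release the oci-builder image.
#
# Job chain: build-oci-builder -> test-oci-builder -> release-oci-builder.
#   1. build:   builds the image and pushes it as :ci-dev.
#   2. test:    runs on the 'oci-builder-ci-dev' label and rebuilds the image
#               as a throwaway tag (presumably that label runs the freshly
#               pushed :ci-dev image; confirm against the runner config).
#   3. release: copies :ci-dev to :stable.
#
# The test and release jobs first compare $GITHUB_RUN_ID with
# /.github_run_id, so they fail if the image they run in was not produced by
# this workflow run (the file is presumably written by the Containerfile from
# the GITHUB_RUN_ID build argument; confirm).
on:
  push:
    paths:
      - 'oci-builder/**'
      - '.forgejo/workflows/build-image.yaml'
  schedule:
    # Weekly rebuild: Sundays at 05:00.
    - cron: '0 5 * * 0'

jobs:
  build-oci-builder:
    name: 'Build oci-builder'
    runs-on: 'oci-builder'
    steps:
      # NOTE(review): the action is referenced by a mutable tag; pinning it to
      # a full commit SHA would keep the executed code fixed for this job,
      # which later handles the registry password.
      - name: 'Checkout'
        uses: 'actions/checkout@v4'

      # NOTE(review): GITHUB_RUN_ID is read through the `env` context here;
      # confirm the runner populates it there (`github.run_id` is the
      # context-native spelling).
      - name: 'Build image'
        run: >
          buildah bud
          -f oci-builder/Containerfile
          -t '${{ vars.REGISTRY_DOMAIN }}/${{ vars.NAMESPACE }}/oci-builder:ci-dev'
          --userns=container
          --security-opt=no-new-privileges
          --annotation=quay.expires-after=
          --build-arg REGISTRY_DOMAIN='${{ vars.REGISTRY_DOMAIN }}'
          --build-arg NAMESPACE='${{ vars.NAMESPACE }}'
          --build-arg GITHUB_RUN_ID='${{ env.GITHUB_RUN_ID }}'
          oci-builder

      # The password is handed over as an environment variable instead of
      # being expanded into the script text: a quote character inside the
      # secret can then neither break the command nor be parsed as shell
      # syntax, and the secret is not written into the generated script.
      - name: 'Log in to registry'
        env:
          REGISTRY_PASSWORD: '${{ secrets.REGISTRY_PASSWORD }}'
        run: >
          printf '%s' "$REGISTRY_PASSWORD" |
          buildah login
          -u '${{ vars.REGISTRY_USERNAME }}'
          --password-stdin
          '${{ vars.REGISTRY_DOMAIN }}'

      - name: 'Push :ci-dev to registry'
        run: >
          buildah push
          --compression-format=zstd
          --compression-level='${{ vars.COMPRESSION_LEVEL }}'
          '${{ vars.REGISTRY_DOMAIN }}/${{ vars.NAMESPACE }}/oci-builder:ci-dev'

  test-oci-builder:
    name: 'Test oci-builder'
    runs-on: 'oci-builder-ci-dev'
    needs: 'build-oci-builder'
    steps:
      # Provenance gate: stop unless this job runs in an image stamped with
      # the current run id. Process substitution requires a bash-like shell.
      - name: 'Make sure oci-builder originates from current workflow run'
        run: 'diff <(echo $GITHUB_RUN_ID) /.github_run_id'

      - name: 'Checkout'
        uses: 'actions/checkout@v4'

      # Functional test: the new builder must be able to build itself. The
      # result is tagged :throwaway and is not pushed by this workflow.
      - name: 'Build image'
        run: >
          buildah bud
          -f oci-builder/Containerfile
          -t '${{ vars.REGISTRY_DOMAIN }}/${{ vars.NAMESPACE }}/oci-builder:throwaway'
          --userns=container
          --security-opt=no-new-privileges
          --annotation=quay.expires-after=
          --build-arg REGISTRY_DOMAIN='${{ vars.REGISTRY_DOMAIN }}'
          --build-arg NAMESPACE='${{ vars.NAMESPACE }}'
          --build-arg GITHUB_RUN_ID='${{ env.GITHUB_RUN_ID }}'
          oci-builder

  release-oci-builder:
    name: 'Release oci-builder'
    runs-on: 'oci-builder-ci-dev'
    needs: 'test-oci-builder'
    steps:
      - name: 'Make sure oci-builder originates from current workflow run'
        run: 'diff <(echo $GITHUB_RUN_ID) /.github_run_id'

      # Same hand-over as in the build job: secret via environment, not via
      # text substitution into the shell command.
      - name: 'Log in to registry'
        env:
          REGISTRY_PASSWORD: '${{ secrets.REGISTRY_PASSWORD }}'
        run: >
          printf '%s' "$REGISTRY_PASSWORD" |
          buildah login
          -u '${{ vars.REGISTRY_USERNAME }}'
          --password-stdin
          '${{ vars.REGISTRY_DOMAIN }}'

      # NOTE(review): the copy resolves :ci-dev in the registry at this
      # moment. The run-id check above covers the image this job runs in, not
      # the tag being copied, so a :ci-dev pushed by another run in between
      # would be promoted untested. Promoting by the digest recorded at push
      # time would close that gap; confirm whether runs can overlap.
      - name: 'Move :ci-dev to :stable'
        run: >-
          skopeo copy
          docker://${{ vars.REGISTRY_DOMAIN }}/${{ vars.NAMESPACE }}/oci-builder:ci-dev
          docker://${{ vars.REGISTRY_DOMAIN }}/${{ vars.NAMESPACE }}/oci-builder:stable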