name: Docker Build & Publish

on:
  push:
    branches:
      - main
      - development
    tags:
      - 'v*.*.*'
  pull_request:
    branches:
      - main
      - development
  workflow_call:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository_owner }}/cpmp

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

      - name: Determine skip condition
        id: skip
        env:
          ACTOR: ${{ github.actor }}
          EVENT: ${{ github.event_name }}
          HEAD_MSG: ${{ github.event.head_commit.message }}
        run: |
          should_skip=false
          pr_title=""
          if [ "$EVENT" = "pull_request" ]; then
            pr_title=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH" 2>/dev/null || echo '')
          fi
          if [ "$ACTOR" = "renovate[bot]" ]; then should_skip=true; fi
          if echo "$HEAD_MSG" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
          if echo "$HEAD_MSG" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
          if echo "$pr_title" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
          if echo "$pr_title" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
          echo "skip_build=$should_skip" >> $GITHUB_OUTPUT

      - name: Set up QEMU
        if: steps.skip.outputs.skip_build != 'true'
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Set up Docker Buildx
        if: steps.skip.outputs.skip_build != 'true'
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Resolve Caddy base digest
        if: steps.skip.outputs.skip_build != 'true'
        id: caddy
        run: |
          docker pull caddy:2-alpine
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' caddy:2-alpine)
          echo "image=$DIGEST" >> $GITHUB_OUTPUT

      - name: Log in to Container Registry
        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.PROJECT_TOKEN }}

      - name: Extract metadata (tags, labels)
        if: steps.skip.outputs.skip_build != 'true'
        id: meta
        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.0.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=dev,enable=${{ github.ref == 'refs/heads/development' }}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      - name: Build and push Docker image
        if: steps.skip.outputs.skip_build != 'true'
        id: build-and-push
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          context: .
          # PRs: amd64 only, no push. Pushes: amd64+arm64, push.
          platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VERSION=${{ steps.meta.outputs.version }}
            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            VCS_REF=${{ github.sha }}
            CADDY_IMAGE=${{ steps.caddy.outputs.image }}

      # Trivy steps only on push
      - name: Run Trivy scan (table output)
        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
        continue-on-error: true

      - name: Run Trivy vulnerability scanner (SARIF)
        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
        id: trivy
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true

      - name: Upload Trivy results
        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
        uses: github/codeql-action/upload-sarif@c3d42c5d08633d8b33635fbd94b000a0e2585b3c # v3
        with:
          sarif_file: 'trivy-results.sarif'