on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      containerfile:
        description: containerfile to build
        required: true
        type: string
      context:
        required: true
        type: string
      extra_tags:
        description: extra tags to apply to image
        required: true
        type: string
      build_args:
        required: true
        type: string
    secrets:
      akmods_key:
        description: private akmods key for signing
        required: false

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}

jobs:
  build:
    name: Build and Publish
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

      - name: Extract metadata
        id: metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          tags: |
            type=sha
            type=ref,event=branch
            type=ref,event=pr
            type=schedule,pattern={{date 'YYYYMMDD'}}
            ${{ inputs.extra_tags }}

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0

      - name: Get akmods signing key
        if: github.event_name != 'pull_request'
        env:
          AKMODS_KEY: ${{ secrets.akmods_key }}
        run: |
          echo "$AKMODS_KEY" > akmods/certs/private_key.priv

      - name: Login to registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Build image
        id: build
        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
        with:
          context: ${{ inputs.context }}
          file: ${{ inputs.containerfile }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          build-args: ${{ inputs.build_args }}
          push: ${{ github.event_name != 'pull_request' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

      - name: Sign image
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.metadata.outputs.tags }}
        run: |
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --yes "${images[@]}"