on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      containerfile:
        description: containerfile to build
        required: true
        type: string
      context:
        required: true
        type: string
      extra_tags:
        description: extra tags to apply to image
        required: true
        type: string
      build_args:
        required: true
        type: string
    secrets:
      akmods_key:
        description: private akmods key for signing
        required: false

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}

jobs:
  build:
    name: Build and Publish
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Extract metadata
        id: metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
          tags: |
            type=sha
            type=ref,event=branch
            type=ref,event=pr
            type=schedule,pattern={{date 'YYYYMMDD'}}
            ${{ inputs.extra_tags }}

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

      - name: Get akmods signing key
        if: github.event_name != 'pull_request'
        env:
          AKMODS_KEY: ${{ secrets.akmods_key }}
        run: |
          echo "$AKMODS_KEY" > akmods/certs/private_key.priv

      - name: Login to registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Build image
        id: build
        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
        with:
          context: ${{ inputs.context }}
          file: ${{ inputs.containerfile }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          build-args: ${{ inputs.build_args }}
          push: ${{ github.event_name != 'pull_request' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign image
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.metadata.outputs.tags }}
        run: |
          images=()
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          cosign sign --yes "${images[@]}"