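# Reusable workflow (workflow_call only): checks out the repository, downloads
# the `build-output-full` artifact into dist/, then builds a linux/amd64 +
# linux/arm64 image and pushes it to ghcr.io and oci-push.vpn.infra.element.io.
# Third-party actions are pinned to full commit SHAs; the trailing comment on
# each `uses:` line records the tag that SHA was taken from.
name: Build and publish docker image
on:
  workflow_call:
    inputs:
      # Tag rules, handed unchanged to docker/metadata-action.
      docker_tags:
        required: true
        type: string
      # Workflow run to download the build artifact from (defaults to this run).
      artifact_run_id:
        required: false
        type: string
        default: ${{ github.run_id }}
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
jobs:
  build_and_deploy:
    name: Build & publish docker
    runs-on: ubuntu-latest
    # NOTE(review): no step in this job uploads a release asset; confirm whether
    # `contents: read` would be enough here.
    # NOTE(review): the Tailscale (oauth-client-id + audience) and Vault
    # (method: jwt) steps look like they authenticate with a GitHub OIDC token,
    # which normally needs `id-token: write` on the job - confirm.
    permissions:
      contents: write # required to upload release asset
      packages: write
    steps:
      - name: Check it out
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: 📥 Download artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ inputs.artifact_run_id }}
          name: build-output-full
          path: dist

      - name: Login to GitHub container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Everything needed to reach the internal registry is skipped when the
      # calling workflow was triggered by a pull request.
      - name: Connect to Tailscale
        uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4
        if: github.event_name != 'pull_request'
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          audience: ${{ secrets.TS_AUDIENCE }}
          tags: tag:github-actions

      # Derives the Vault role as github_service_management_<owner>_<repo>,
      # with every "/" and "-" in the repository name replaced by "_".
      - name: Compute vault jwt role name
        id: vault-jwt-role
        if: github.event_name != 'pull_request'
        # The repository name reaches the script through an environment
        # variable rather than an expression expanded inside the script text,
        # so the value is only ever handled as data and never parsed as shell.
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          echo "role_name=github_service_management_$(printf '%s\n' "$REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

      # NOTE(review): later steps read the credentials only from this step's
      # outputs; check whether the action also exports them into the
      # environment of the following steps and, if so, whether that is wanted.
      - name: Get team registry token
        id: import-secrets
        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3
        if: github.event_name != 'pull_request'
        with:
          url: https://vault.infra.ci.i.element.dev
          role: ${{ steps.vault-jwt-role.outputs.role_name }}
          path: service-management/github-actions
          jwtGithubAudience: https://vault.infra.ci.i.element.dev
          method: jwt
          secrets: |
            services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
            services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;

      - name: Login to oci.element.io Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
        if: github.event_name != 'pull_request'
        with:
          registry: oci-push.vpn.infra.element.io
          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
            oci-push.vpn.infra.element.io/element-web
          tags: ${{ inputs.docker_tags }}
          labels: |
            org.opencontainers.image.licenses=AGPL-3.0-only OR LicenseRef-Element-Commercial

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      # NOTE(review): this step is not gated on the event type, so on a
      # pull_request-triggered call it still pushes to both image names even
      # though the oci-push login above was skipped - confirm callers never
      # invoke this workflow for pull requests, or gate the push the same way.
      - name: Build and push Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}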