.github/workflows/docker.yaml

name: Build and push Docker image

on:
  push:
    tags:
      - "trifid@*.*.*"

jobs:
  docker:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.5.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/zazuko/trifid
            index.docker.io/zazuko/trifid
          tags: |
            type=ref,event=branch
            type=match,prefix=v,pattern=trifid@(\d+\.\d+\.\d+),group=1
            type=match,prefix=v,pattern=trifid@(\d+\.\d+),group=1
            type=match,prefix=v,pattern=trifid@(\d+),group=1
            type=sha
          labels: |
            io.artifacthub.package.alternative-locations=ghcr.io/zazuko/trifid,index.docker.io/zazuko/trifid
            io.artifacthub.package.logo-url=https://charts.zazuko.com/icons/logo-zazuko.svg
            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/zazuko/trifid/${{ github.sha }}/README.md

      - name: Build and push Docker images
        id: docker_build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          platforms: |
            linux/amd64
            linux/arm64/v8

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}