.github/workflows/publish-container.yml

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

name: Build & Publish Containers

on:
  workflow_dispatch:

  push:
    branches:
      - main

  pull_request:

env:
  REGISTRY: ghcr.io

jobs:
  build:
    if: github.repository_owner == 'Alwatr'

    name: Build & Publish Containers
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        include:
          - name: alpine
            path: alpine
            version:
              short: 3
              full: 3.17

          - name: php
            path: php/7.4-apache
            version:
              short: 7-apache
              full: 7.4-apache

          - name: php
            path: php/7.4-fpm
            version:
              short: 7-fpm
              full: 7.4-fpm

          - name: php
            path: php/8.2-fpm
            version:
              short: 8-fpm
              full: 8.2-fpm

          - name: wordpress
            path: wordpress/php7.4
            version:
              short: 6-php7
              full: 6.1-php7.4-fpm

          - name: wordpress
            path: wordpress/php8.2
            version:
              short: 6
              full: 6.2-php8.2-fpm

    permissions:
      contents: read
      packages: write
      # actions: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: ⤵️ Checkout repository
        uses: actions/checkout@v4.0.0

      - name: ❔ Check Container files changed
        id: file_change
        uses: dorny/paths-filter@v2.11.1
        with:
          filters: |
            container_folder:
              ./${{ matrix.path }}/*

      # - name: ❔ Stop if files not changed
      #   if: ${{ steps.file_change.outputs.container_folder != 'true' }}
      #   run: |
      #     gh run cancel ${{ github.run_id }}
      #     gh run watch ${{ github.run_id }}
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: 🏗 Extract Docker metadata
        id: meta
        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
        uses: docker/metadata-action@v5.0.0
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          images: name=${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.name}}
          tags: |
            type=raw,value=${{matrix.version.short}}
            type=raw,value=${{matrix.version.full}}
          labels: |
            org.opencontainers.image.title="alwatr/${{matrix.name}}"
            org.opencontainers.image.authors=S. Ali Mihandoost <ali.mihandoost@gmail.com> (https://ali.mihandoost.com), S. Amir Mohammad Najafi <njfamirm@gmail.com> (https://njfamirm.ir/)
            org.opencontainers.image.source="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
            org.opencontainers.image.licenses="MIT"
            org.opencontainers.image.url="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
            org.opencontainers.image.documentation="https://github.com/Alwatr/containers/tree/main/${{matrix.name}}"
            org.opencontainers.image.vendor="Alwatr"

      - name: 🏗 Install cosign
        if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
        uses: sigstore/cosign-installer@v3.1.2

      - name: 🏗 Setup Docker Buildx
        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
        uses: docker/setup-buildx-action@v3.0.0

      - name: 🏗 Cache Docker Layers
        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: container-${{ matrix.name }}

      - name: 🏗 Log into registry ${{env.REGISTRY}}
        if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
        uses: docker/login-action@v3.0.0
        with:
          registry: ${{env.REGISTRY}}
          username: ${{github.repository_owner}}
          password: ${{secrets.GITHUB_TOKEN}}

      - name: 🚀 Build and push container image
        if: ${{ steps.file_change.outputs.container_folder == 'true' }}
        id: build_and_push
        uses: docker/build-push-action@v5.0.0
        with:
          context: ./${{matrix.path}}
          push: ${{github.event_name != 'pull_request'}}
          tags: ${{steps.meta.outputs.tags}}
          labels: ${{steps.meta.outputs.labels}}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          # cache-from: type=gha
          # cache-to: type=gha,mode=max

      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
      - name: 🏗 Sign the image with GitHub OIDC Token
        if: ${{ github.event_name != 'pull_request' && steps.file_change.outputs.container_folder == 'true' }}
        env:
          COSIGN_EXPERIMENTAL: 'true'
        run: echo "${{steps.meta.outputs.tags}}" | xargs -I {} cosign sign --yes {}@${{steps.build_and_push.outputs.digest}}