.github/workflows/build.yml

name: Build

on:
  workflow_dispatch:
  push:
    branches:
      - 'master'
      - 'fix-actions-artefact'
    tags:
      - 'v*'
env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
  REGISTRY_IMAGE: "ghcr.io/cottand/leng"


jobs:
  publish-nix-container:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        system:
          - aarch64-linux
          - x86_64-linux
    steps:
      - uses: actions/checkout@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: cachix/install-nix-action@v29
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          extra_nix_config: |
            extra-platforms = ${{ matrix.system }}

      - uses: DeterminateSystems/magic-nix-cache-action@main

      - uses: docker/setup-qemu-action@v1

      # build in parallel
      - run: nix build .#packages.${{ matrix.system }}.leng-container-image -L

      - name: Tag and push image
        run: |
          git_sha=$(git rev-parse --short "$GITHUB_SHA")
          label=$git_sha-${{ matrix.system }}

          docker load < result
          docker tag leng:nix ${{ env.REGISTRY_IMAGE }}:$label
          docker push ${{ env.REGISTRY_IMAGE }}:$label

          # export digest
          docker pull ${{ env.REGISTRY_IMAGE }}:$label
          full=$(docker image inspect ${{ env.REGISTRY_IMAGE }}:$label --format "{{index .RepoDigests 0}}")
          digest=${full#${{ env.REGISTRY_IMAGE }}@}
          mkdir -p /tmp/digests

  merge-docker:
    runs-on: ubuntu-latest
    needs: [publish-nix-container]
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: digest for x86
        run:  |
          system=x86_64-linux
          git_sha=${GITHUB_SHA::7}
          label="${git_sha}-${system}"

          # export digest x86
          docker pull ${{ env.REGISTRY_IMAGE }}:$label
          full=$(docker image inspect ${{ env.REGISTRY_IMAGE }}:$label --format "{{index .RepoDigests 0}}")
          digest=${full#${{ env.REGISTRY_IMAGE }}@}
          mkdir -p /tmp/digests
          touch "/tmp/digests/${digest#sha256:}"

      - name: digest for aarch64
        run:  |
          system=aarch64-linux
          git_sha=${GITHUB_SHA::7}
          label="${git_sha}-${system}"

          # export digest x86
          docker pull ${{ env.REGISTRY_IMAGE }}:$label
          full=$(docker image inspect ${{ env.REGISTRY_IMAGE }}:$label --format "{{index .RepoDigests 0}}")
          digest=${full#${{ env.REGISTRY_IMAGE }}@}
          mkdir -p /tmp/digests
          touch "/tmp/digests/${digest#sha256:}"

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          # list of Docker images to use as base name for tags
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=sha,event=push

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}          

      - name: Summary
        run: |
          echo "# Published \`${{ steps.meta.outputs.tags }}\`" >> $GITHUB_STEP_SUMMARY