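# Builds the pi-devbox image when a v* tag is pushed: a single-arch smoke
# build and test first, then the multi-arch push to Docker Hub, then a refresh
# of the Docker Hub repository description from DOCKER_HUB.md.
#
# NOTE(review): every `uses:` reference and the job container image are
# resolved by mutable tag. The publish and update-description jobs hold the
# Docker Hub credential, so pinning each action to a full commit SHA and the
# container image to a digest would keep an upstream retag from changing what
# runs next to that credential.
name: Publish Docker Image

on:
  push:
    tags:
      - 'v*'

# No step visible in this workflow writes back to the repository, so the
# workflow token is limited to what checkout needs.
permissions:
  contents: read

# One run per workflow and ref; a run already in progress is not cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  BUILDKIT_PROGRESS: plain
  IMAGE: ${{ vars.DOCKERHUB_USERNAME }}/pi-devbox

jobs:
  # Gate: build the amd64 image locally and run the smoke test before any push.
  smoke:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The checkout is used as the Docker build context below; do not
          # leave the workflow token in the working tree's git configuration.
          persist-credentials: false
      # Raise the precedence of IPv4-mapped addresses in getaddrinfo ordering.
      - run: echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf
      # Free disk space; every command here is best-effort.
      - run: |
          rm -rf /opt/hostedtoolcache /opt/microsoft /opt/az /opt/ghc \
            /usr/local/.ghcup /usr/share/dotnet /usr/share/swift \
            /usr/local/lib/android /usr/local/share/powershell \
            /usr/local/share/chromium /usr/local/share/boost \
            /usr/lib/jvm 2>/dev/null || true
          docker system prune -af --volumes || true
          docker builder prune -af || true
      - uses: docker/setup-buildx-action@v4
        with:
          # The builder shares the host network namespace.
          driver-opts: network=host
      - name: Build (amd64, load to local daemon)
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          tags: pi-devbox:smoke
      - name: Smoke test
        run: bash scripts/smoke-test.sh pi-devbox:smoke

  # Multi-arch build and push; runs only after the smoke job succeeds.
  publish:
    needs: smoke
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # This checkout becomes the build context of a pushed image; keep
          # the workflow token out of the working tree's git configuration.
          persist-credentials: false
      # Raise the precedence of IPv4-mapped addresses in getaddrinfo ordering.
      - run: echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf
      # Free disk space; every command here is best-effort.
      - run: |
          rm -rf /opt/hostedtoolcache /opt/microsoft /opt/az /opt/ghc \
            /usr/local/.ghcup /usr/share/dotnet /usr/share/swift \
            /usr/local/lib/android /usr/local/share/powershell \
            /usr/local/share/chromium /usr/local/share/boost \
            /usr/lib/jvm 2>/dev/null || true
          docker system prune -af --volumes || true
          docker builder prune -af || true
      - uses: docker/setup-qemu-action@v3
        with:
          platforms: arm64
      - uses: docker/setup-buildx-action@v4
        with:
          # The builder shares the host network namespace.
          driver-opts: network=host
      - uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Compute tags
        id: tags
        shell: bash
        env:
          # Handed over as an environment variable instead of being expanded
          # into the script text: a tag name may contain shell metacharacters,
          # and an expression is substituted before the shell parses the script.
          VERSION: ${{ github.ref_name }}
        run: |
          {
            echo "tags<<EOF"
            # NOTE(review): the lines between the two delimiters were lost
            # when this page was extracted. The single entry below is a
            # constructed placeholder; restore the project's real tag list.
            echo "${IMAGE}:${VERSION}"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
      - name: Build and push (amd64 + arm64)
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.tags.outputs.tags }}
          cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
          cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max

  # Replace the Docker Hub repository description with DOCKER_HUB.md.
  update-description:
    needs: publish
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Update Docker Hub description
        shell: bash
        env:
          # The credential reaches the script through the environment, not by
          # expression expansion into the script text, so a quote or `$` in
          # either value cannot alter the shell command or the JSON body.
          DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          set -euo pipefail
          PAYLOAD=$(jq -n --rawfile desc DOCKER_HUB.md '{"full_description": $desc}')

          # jq builds the login body so both values are JSON-escaped; curl
          # reads it from stdin, which keeps the credential off curl's
          # command line. -f turns an HTTP error status into a failed step.
          TOKEN=$(jq -n --arg u "$DOCKERHUB_USERNAME" --arg p "$DOCKERHUB_TOKEN" \
              '{username: $u, password: $p}' \
            | curl -fsS -X POST "https://hub.docker.com/v2/auth/token" \
                -H "Content-Type: application/json" \
                --data @- \
            | jq -r '.token // empty')
          if [ -z "$TOKEN" ]; then
            echo "❌ Docker Hub login returned no token" >&2
            exit 1
          fi
          # Register the session token with the runner's log masking.
          echo "::add-mask::${TOKEN}"

          RESPONSE=$(curl -fsS -X PATCH \
            "https://hub.docker.com/v2/repositories/${DOCKERHUB_USERNAME}/pi-devbox/" \
            -H "Authorization: Bearer ${TOKEN}" \
            -H "Content-Type: application/json" \
            -d "${PAYLOAD}")

          # A response without full_description fails the step instead of
          # only printing a failure message on a green run.
          if ! jq -e '.full_description' <<<"$RESPONSE" >/dev/null; then
            echo "❌ update failed"
            exit 1
          fi
          jq -r '.full_description | "✅ description updated (\(. | length) chars)"' <<<"$RESPONSE"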