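# .github/workflows/release-docker.yml
#
# Builds the multi-arch image from docker/Dockerfile and pushes it to
# ghcr.io/mongodb/kingfisher, tagged with the resolved release tag and `latest`.
name: Publish Docker image

###############################################################################
# Triggers
###############################################################################
on:
  # 1️⃣ Traditional: run automatically when a GitHub Release is published
  release:
    types: [published]

  # 2️⃣ Option 2: run every time the build-and-release workflow
  #    completes successfully on the main branch
  workflow_run:
    workflows: ["build-and-release"]
    types: [completed]
    branches: [main]

  # 3️⃣ Manual: "Run workflow" button or `gh workflow run`
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to push (leave blank → latest release)"
        required: false
        type: string

###############################################################################
# Token scope for every job in this workflow. Keep it at the minimum: the job
# only reads the repository and writes packages.
permissions:
  contents: read    # needed for checkout + GH API
  packages: write   # push to ghcr.io

###############################################################################
jobs:
  build-and-push:
    # Only run on workflow_run if the upstream workflow succeeded
    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest

    # NOTE(review): the third-party actions below are referenced by mutable
    # major-version tags. This job holds a token with packages: write, so
    # pinning each `uses:` to a full commit SHA would remove the dependency on
    # the tag not being moved.
    steps:
      # -----------------------------------------------------------------------
      # Check out the exact commit that produced the artifacts (workflow_run),
      # otherwise just use the SHA tied to the release / manual dispatch.
      # -----------------------------------------------------------------------
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
          # No later step runs git, so do not leave the token in .git/config:
          # the whole checkout (context: .) is handed to the Docker build.
          persist-credentials: false

      # -----------------------------------------------------------------------
      # Decide which tag we're going to publish
      # -----------------------------------------------------------------------
      - name: Determine tag
        id: tag
        shell: bash
        env:
          # Event data reaches the script only through environment variables.
          # Expanding ${{ ... }} inside `run:` pastes the value into the script
          # text before bash parses it, so a crafted tag name would be executed
          # as shell code.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          # populated only for workflow_dispatch
          MANUAL_TAG: ${{ github.event.inputs.tag }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail

          if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
            RAW_TAG="${RELEASE_TAG}"
          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then
            RAW_TAG="${MANUAL_TAG}"
          else
            # workflow_run (or manual w/o tag) → ask GitHub API for latest release tag.
            # --fail turns an HTTP error into a non-zero exit (caught by pipefail);
            # `// empty` yields "" instead of the string "null" when no release exists.
            # NOTE(review): on workflow_run the image is built from head_sha but
            # labelled with the latest release tag - confirm the two always match.
            RAW_TAG=$(curl --fail -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
              "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" \
              | jq -r '.tag_name // empty')
          fi

          # Strip a leading "v" so v1.2.3 → 1.2.3
          TAG=${RAW_TAG#v}

          # Accept only the Docker tag grammar. This stops an empty or "null"
          # tag from being published and keeps newlines or other control
          # characters out of GITHUB_OUTPUT.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "${TAG}" =~ ${tag_re} ]]; then
            echo "::error::Refusing to publish: resolved tag is empty or not a valid Docker tag"
            exit 1
          fi

          echo "Selected tag: ${TAG}"
          echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"

      # -----------------------------------------------------------------------
      # Build & push
      # -----------------------------------------------------------------------
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): `latest` is moved on every run, including a manual
      # dispatch that republishes an older tag - confirm that is intended.
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ghcr.io/mongodb/kingfisher:latest
            ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}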