# .github/workflows/release-docker.yml
name: Publish Docker image

###############################################################################
# Triggers
###############################################################################
on:
  # Called automatically by the release workflow after a successful build
  workflow_call:
    inputs:
      tag:
        description: "Tag to push (e.g. v1.2.3)"
        required: true
        type: string

  # Manual: "Run workflow" button or `gh workflow run`
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to push (leave blank → latest release)"
        required: false
        type: string

###############################################################################
permissions:
  contents: read       # needed for checkout

###############################################################################
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write    # push to ghcr.io

    steps:
    # -----------------------------------------------------------------------
    # Decide which tag we're going to publish
    # -----------------------------------------------------------------------
    - name: Determine tag
      id: tag
      shell: bash
      env:
        # workflow_call passes tag here; workflow_dispatch may or may not
        CALL_TAG: ${{ inputs.tag }}
        GH_TOKEN: ${{ github.token }}
      run: |
        set -euo pipefail
        if [[ -n "${CALL_TAG}" ]]; then
          RAW_TAG="${CALL_TAG}"
        else
          # workflow_dispatch without a tag → query latest release
          RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
        fi

        if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
          echo "Invalid tag format: ${RAW_TAG}" >&2
          exit 1
        fi

        # Strip a leading "v" so v1.2.3 → 1.2.3
        TAG=${RAW_TAG#v}
        echo "Selected tag: ${TAG}"
        echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"

    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      with:
        ref: v${{ steps.tag.outputs.tag }}

    # -----------------------------------------------------------------------
    # Build & push
    # -----------------------------------------------------------------------
    - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

    - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
      with:
        context: .
        file: docker/Dockerfile
        platforms: linux/amd64,linux/arm64
        push: true
        tags: |
          ghcr.io/mongodb/kingfisher:latest
          ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}