# .github/workflows/release-docker.yml
name: Publish Docker image

###############################################################################
# Triggers
###############################################################################
on:
  # 1️⃣  Traditional: run automatically when a GitHub Release is published
  release:
    types: [published]

  # 2️⃣  Manual: “Run workflow” button or `gh workflow run`
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to push (leave blank → latest release)"
        required: false
        type: string

###############################################################################
permissions:
  contents: read       # needed for checkout + GH API
  packages: write      # push to ghcr.io

###############################################################################
jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
    # -----------------------------------------------------------------------
    # Decide which tag we’re going to publish
    # -----------------------------------------------------------------------
    - name: Determine tag
      id: tag
      shell: bash
      env:
        # populated only for workflow_dispatch
        MANUAL_TAG: ${{ github.event.inputs.tag }}
        RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
      run: |
        set -euo pipefail
        if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
          RAW_TAG="${RELEASE_TAG_NAME}"
        elif [[ -n "${MANUAL_TAG}" ]]; then
          RAW_TAG="${MANUAL_TAG}"
        else
          # manual w/o tag → ask GitHub API for latest release tag
          RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
        fi

        if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
          echo "Invalid tag format: ${RAW_TAG}" >&2
          exit 1
        fi

        # Strip a leading "v" so v1.2.3 → 1.2.3
        TAG=${RAW_TAG#v}
        echo "Selected tag: ${TAG}"
        echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"

    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: v${{ steps.tag.outputs.tag }}

    # -----------------------------------------------------------------------
    # Build & push
    # -----------------------------------------------------------------------
    - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

    - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
      with:
        context: .
        file: docker/Dockerfile
        platforms: linux/amd64,linux/arm64
        push: true
        tags: |
          ghcr.io/mongodb/kingfisher:latest
          ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}