.github/workflows/release.yml

on:
  release:
    types: [published]

env:
  GITHUB_ACTION_TAG: ${{ github.ref_name }}  

jobs:
  build-amd64-digest:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.digest.outputs.digest }}
    steps:
    - name: Check out code
      uses: actions/checkout@v4

    - name: Set the ENV values
      id: get-Envs
      run: |
        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
        echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"

    - name: Print ENV values
      id: print_Envs
      run: |
        echo "$GITHUB_ENV"

    - name: Docker meta
      id: meta-amd64
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.REGISTRY_IMAGE }}

    - name: "Read secrets"
      run: |
        echo "DOCKER_USERNAME=mgfritch" >> $GITHUB_ENV
        echo "DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }}" >> $GITHUB_ENV
        echo "PRIME_REGISTRY_USERNAME=mgfritch" >> $GITHUB_ENV
        echo "PRIME_REGISTRY_PASSWORD=${{ secrets.PRIME_REGISTRY_PASSWORD }}" >> $GITHUB_ENV
        echo "PUBLIC_REGISTRY=docker.io" >> $GITHUB_ENV
        echo "PRIME_REGISTRY=ghcr.io" >> $GITHUB_ENV

    - name: Build and push container image
      id: build-amd64
      uses: rancher/ecm-distro-tools/actions/publish-image@v0.46.2
      env: 
        META_LABELS: ${{ steps.meta-amd64.outputs.labels }}
      with:
        image: hardened-calico
        tag: ${{ github.event.release.tag_name }}
        platforms: linux/amd64

        public-repo: mgfritch
        public-registry: ${{ env.PUBLIC_REGISTRY }}
        public-username: ${{ env.DOCKER_USERNAME }}
        public-password: ${{ secrets.DOCKER_PASSWORD }}

        push-to-prime: false
        prime-repo: mgfritch
        prime-registry: ${{ env.PRIME_REGISTRY }}
        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
        prime-password: ${{ secrets.PRIME_REGISTRY_PASSWORD }}

    - name: Digest
      id: digest
      run: |
        IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
        echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"

  merge:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    needs:
      - build-amd64-digest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set the ENV values
        id: get-Envs
        run: |
          echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"

      - name: Print ENV values
        id: print_Envs
        run: |
          echo "$GITHUB_ENV"

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
            images: ${{ env.REGISTRY_IMAGE }}
      
      - name: "Read secrets"
        run: |
          echo "DOCKER_USERNAME=mgfritch" >> $GITHUB_ENV
          echo "DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }}" >> $GITHUB_ENV
          echo "PRIME_REGISTRY_USERNAME=mgfritch" >> $GITHUB_ENV
          echo "PRIME_REGISTRY_PASSWORD=${{ secrets.PRIME_REGISTRY_PASSWORD }}" >> $GITHUB_ENV
          echo "PUBLIC_REGISTRY=docker.io" >> $GITHUB_ENV
          echo "PRIME_REGISTRY=ghcr.io" >> $GITHUB_ENV

      - name: Create manifest list and push
        id: push-manifest
        uses: rancher/ecm-distro-tools/actions/publish-image@v0.46.2
        env: 
          DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
          REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
          IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }}
        with:
          make-target: manifest-push
          image: hardened-calico
          tag: ${{ github.event.release.tag_name }}

          public-repo: mgfritch
          public-registry: ${{ env.PUBLIC_REGISTRY }}
          public-username: ${{ env.DOCKER_USERNAME }}
          public-password: ${{ secrets.DOCKER_PASSWORD }}

          push-to-prime: false
          prime-repo: mgfritch
          prime-registry: ${{ env.PRIME_REGISTRY }}
          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
          prime-password: ${{ secrets.PRIME_REGISTRY_PASSWORD }}

      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}