.github/workflows/docker.yml

name: Build and publish Docker images

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'The version of zizmor to build against'
        required: true

      latest:
        description: 'Whether to tag the image as latest'
        required: false
        default: true
        type: boolean

permissions: {}

env:
  ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        image:
          - runner: ubuntu-latest
            platform: linux/amd64
            platform-pair: linux-amd64
          - runner: ubuntu-24.04-arm
            platform: linux/arm64
            platform-pair: linux-arm64

    name: Build and publish Docker image (${{ matrix.image.runner }})

    runs-on: ${{ matrix.image.runner }}

    environment:
      name: docker

    permissions:
      contents: read
      packages: write

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
        with:
          cache-binary: false

      - name: Extract Docker metadata
        id: docker-metadata
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        with:
          images: "${{ env.ZIZMOR_IMAGE }}"

      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
        if: github.repository_owner == 'woodruffw'
        with:
          registry: ghcr.io
          username: "${{ github.repository_owner }}"
          password: "${{ secrets.GITHUB_TOKEN }}"

      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6
        with:
          platforms: ${{ matrix.image.platform }}
          labels: ${{ steps.docker-metadata.outputs.labels }}
          outputs: type=image,"name=${{ env.ZIZMOR_IMAGE }}",push-by-digest=true,name-canonical=true,push=true

      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${DIGEST}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

      - name: Upload digest
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
        with:
          name: digests-${{ matrix.image.platform-pair }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1

  merge:
    needs: build
    runs-on: ubuntu-latest

    environment:
      name: docker

    permissions:
      contents: read
      packages: write

    steps:
      - name: Download digests
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
        if: github.repository_owner == 'woodruffw'
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
        with:
          cache-binary: false

      - name: Extract Docker metadata
        id: docker-metadata
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
        with:
          images: "${{ env.ZIZMOR_IMAGE }}"
          tags: |
            type=raw,value=${{ github.event.inputs.version }}
            typw=raw,value=latest,enable=${{ github.event.inputs.latest }}

      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        # NOTE: annotation technique adapted from Ruff's build-docker.yml,
        # see: https://github.com/astral-sh/ruff/blob/6e34f74c16/.github/workflows/build-docker.yml
        run: |
          readarray -t lines <<< "$DOCKER_METADATA_OUTPUT_ANNOTATIONS"
          annotations=()
          for line in "${lines[@]}"; do
            annotations+=(--annotation "$line")
          done

          docker buildx imagetools create \
            "${annotations[@]}" \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.ZIZMOR_IMAGE }}@sha256:%s ' *)

      - name: Inspect image
        run: |
          docker buildx imagetools inspect "${ZIZMOR_IMAGE}:${VERSION}"
        env:
          VERSION: ${{ steps.docker-metadata.outputs.version }}