---
# Builds the repository's Docker image on every push to main (and on every
# tag) and publishes it to Google Artifact Registry (GAR).  GCP access is
# obtained through Workload Identity Federation, so no long-lived GCP key is
# stored in GitHub.
name: Build Docker image and publish to GAR

# The workflow-level token has no permissions; each job grants only what it
# actually uses.
permissions: {}

on:
  push:
    branches:
      - main
    tags:
      - "*"

jobs:
  build_and_push_to_gar:
    name: Build and Push Docker image to GAR
    runs-on: ubuntu-latest
    environment: build

    # Least-privilege token scoped to this job.
    permissions:
      contents: read      # actions/checkout reads the repository
      id-token: write     # needed to mint the OIDC token exchanged with GCP
      packages: none      # GitHub Packages is never used here

    env:
      # Repository path of the image inside GAR (registry host and tag are
      # added separately).
      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
      GAR_REGISTRY: us-docker.pkg.dev

    # Actions below are referenced by major-version tag, which is mutable;
    # pinning each `uses:` to a full commit SHA would make them immutable.
    steps:
      - name: Check out the repo
        uses: actions/checkout@v6
        with:
          # Keep GITHUB_TOKEN out of .git/config so later steps cannot reuse it.
          persist-credentials: false

      - name: Authenticate to Google Cloud
        id: gcp-auth
        uses: google-github-actions/auth@v3
        with:
          # Short-lived access token only; no service-account key is exported.
          token_format: access_token
          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}

      - name: Login to Artifact Registry
        id: gar-login
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GAR_REGISTRY }}
          # GAR accepts an OAuth2 access token as the password for this user.
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      # Only the short commit SHA is used as the image tag (the empty prefix
      # drops the default "sha-" prefix); the git tag name that triggered the
      # run is not turned into an image tag.
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.GAR_IMAGE_BASE }}
          tags: |
            type=sha,format=short,prefix=

      # Values come from the runner's environment variables rather than from
      # ${{ }} expressions, so nothing is interpolated into the shell source.
      - name: Create version.json
        run: |
          # The full SHA is recorded here, unlike the short-SHA image tag.
          echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json

      # QEMU only matters if the build step requests additional platforms;
      # the build below does not set `platforms`, so it currently runs native.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push Docker image to GAR
        id: build-and-push
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        uses: docker/build-push-action@v6
        with:
          context: .
          # Push the result to GAR once the build succeeds.
          push: true
          # Tag list produced by the metadata step (short SHA only).
          tags: ${{ env.TAGS }}
          # Build args are recorded in the image's layer history, so only
          # values that may be disclosed belong here.  NEXT_PUBLIC_SENTRY_DSN
          # is shipped to browsers by the application anyway.
          build-args: |
            SENTRY_RELEASE=${{ github.sha }}
            NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          # BuildKit secrets are mounted into RUN steps that request them and
          # are not persisted in any layer -- the right channel for a token.
          secrets: |
            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
          # Layer cache in the GitHub Actions cache backend; mode=max also
          # exports intermediate layers.
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Read the tag list through env rather than an inline expression.
      - name: Print Image URI
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          echo "Pushed GAR image: $TAGS"