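# This action listens on new tags, generates a new container image,
# signs it and uploads it to the container registry.
name: Release container image

on:
  push:
    tags:
      - "container-image/**"
    branches:
      - "test/image-**"
  workflow_dispatch:

# Least-privilege token scopes: OIDC identity for the provenance signature,
# package push, read-only checkout, attestation upload.
permissions:
  id-token: write
  packages: write
  contents: read
  attestations: write

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}
  REGISTRY_USER: ${{ github.actor }}
  # Steps read the token only through this variable; it is never
  # interpolated into `run:` script text, so it never lands in the
  # generated script file on disk.
  REGISTRY_PASSWORD: ${{ github.token }}
  IMAGE_NAME: dangerzone/dangerzone

jobs:
  build-container-image:
    runs-on: ubuntu-24.04
    steps:
      # NOTE(review): third-party actions are pinned by tag; pinning to a
      # full commit SHA (`actions/checkout@<commit-sha>`) protects against a
      # moved or compromised tag.
      - uses: actions/checkout@v4
        with:
          # Full history; presumably needed by build-image.py — TODO confirm.
          fetch-depth: 0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_PASSWORD }}

      - name: Build and push the dangerzone image
        id: build-image
        # Explicit bash so every pipeline below fails on any failed stage
        # (`-eo pipefail`); the default shell only sets `-e`.
        shell: bash
        run: |
          # Refresh the package index first; a stale index makes the install fail.
          sudo apt-get update
          sudo apt-get install -y python3-poetry
          python3 ./install/common/build-image.py
          # Token arrives via the environment, not via ${{ }} substitution.
          printf '%s' "$REGISTRY_PASSWORD" | podman login ghcr.io -u "$REGISTRY_USER" --password-stdin
          # Load the image with the final name directly
          gunzip -c share/container.tar.gz | podman load
          # No explicit tag: podman tags and pushes this as `:latest`.
          FINAL_IMAGE_NAME="$REGISTRY/$IMAGE_NAME"
          podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
          podman push "$FINAL_IMAGE_NAME" --digestfile=digest
          # Expose the pushed manifest digest to the attestation step below.
          echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Digest is quoted so the sha256:... value is never retyped.
          subject-digest: "${{ steps.build-image.outputs.digest }}"
          push-to-registry: true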