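# This workflow listens for new "container-image/**" tags (and for pushes to
# "test/image-**" branches), builds the container image, pushes it to the
# GitHub container registry and publishes a build-provenance attestation that
# names the digest the registry stored.
name: Publish container image

on:
  push:
    tags:
      - "container-image/**"
    # NOTE(review): pushes to test branches run the same job and push to the
    # same untagged destination (":latest") as release tags; confirm that is
    # intended, or give test builds a distinct tag.
    branches:
      - "test/image-**"
  workflow_dispatch:

# Least privilege: the job only needs to read the checkout, push packages and
# create the attestation (id-token for the OIDC signing flow, attestations to
# store the result).
permissions:
  id-token: write
  contents: read
  attestations: write
  packages: write

# Exported to every run: step as environment variables and referenced below via
# the env context.
env:
  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
  IMAGE_NAME: dangerzone/dangerzone

jobs:
  build-container-image:
    runs-on: ubuntu-24.04
    steps:
      # NOTE(review): consider pinning third-party actions to a full commit SHA
      # instead of a mutable tag, so a moved tag cannot change what this job runs.
      - uses: actions/checkout@v4

      - name: Build and push the dangerzone image
        id: build-image
        # The registry credentials are only needed by this step, so they are
        # scoped here instead of being exported to every step of the job.
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
        run: |
          # The default "bash -e" does not set pipefail, so a failing gunzip
          # would otherwise be masked by a successful "podman load".
          set -euo pipefail
          sudo apt-get install -y python3-poetry
          python3 ./install/common/build-image.py
          # Credentials come from the step environment rather than from
          # workflow expressions interpolated into the script text.
          echo "$REGISTRY_PASSWORD" | podman login ghcr.io -u "$REGISTRY_USER" --password-stdin
          gunzip -c share/container.tar.gz | podman load
          # Record the digest of the manifest the registry actually stored.
          # The digest of the locally loaded image can differ from the pushed
          # one (push re-compresses layers), and the attestation must name the
          # digest clients will pull.
          podman push \
            --digestfile image-digest.txt \
            dangerzone.rocks/dangerzone \
            "$IMAGE_REGISTRY/$IMAGE_NAME"
          DIGEST=$(cat image-digest.txt)
          # Never hand an empty subject digest to the attestation step.
          if [ -z "$DIGEST" ]; then
            echo "podman push did not report an image digest" >&2
            exit 1
          fi
          echo "Pushed image digest: $DIGEST"
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
          # Expected form is "sha256:<hex>", which is what --digestfile writes.
          subject-digest: "${{ steps.build-image.outputs.digest }}"
          push-to-registry: true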