.github/workflows/publish-release-synapse-module.yml

# This pipeline runs for every new tag. It will pull the docker container for
# the commit hash of the tag, and will publish it as `:<tag-name>` and `latest`.
name: Release Synapse Guest Module

on:
  push:
    tags:
      - '@nordeck/synapse-guest-module@*'

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      packages: write
      id-token: write
    env:
      DOCKER_IMAGE: ghcr.io/nordeck/synapse-guest-module
    steps:
      - name: Generate Docker metadata of the existing image
        id: meta-existing-tag
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_IMAGE }}
          tags: |
            type=sha,prefix=

      - name: Generate Docker metadata of the new image
        id: meta-new-tags
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_IMAGE }}
          labels: |
            org.opencontainers.image.title=Synapse Guest Module
            org.opencontainers.image.description=A synapse module to restrict the actions of guests
            org.opencontainers.image.vendor=Nordeck IT + Consulting GmbH
          tags: |
            type=match,pattern=@nordeck/synapse-guest-module@(.*),group=1

      - name: Generate Dockerfile
        env:
          SOURCE_IMAGE: ${{ fromJSON(steps.meta-existing-tag.outputs.json).tags[0] }}
        run: |
          echo "FROM $SOURCE_IMAGE" > Dockerfile

      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # @v3.8.1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push
        id: build_and_push
        uses: docker/build-push-action@v6
        with:
          push: true
          context: .
          tags: ${{ steps.meta-new-tags.outputs.tags }}
          labels: ${{ steps.meta-new-tags.outputs.labels }}
          platforms: linux/amd64,linux/arm64,linux/s390x
          sbom: true
          provenance: true

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build_and_push.outputs.digest }}
        run: cosign sign --yes "${DOCKER_IMAGE}@${DIGEST}"