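# Weekly (and on-demand) multi-arch image build that publishes to Docker Hub,
# GHCR and the GitLab container registry, then signs the pushed digest with
# cosign and writes the resulting tags/labels to the job summary.
name: CI / Publish Docker Images

# NOTE: generic YAML 1.1 parsers read the `on` key as boolean true; GitHub's
# workflow loader handles it, so it is intentionally left unquoted.
on:
  schedule:
    - cron: '0 0 * * 0'  # every Sunday at 00:00 UTC
  workflow_dispatch:

# One publish run per ref at a time. Cancelling an in-flight run can leave the
# three registries with a partially updated tag set, so a publish is not atomic.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  DOCKER: docker.io
  GITHUB: ghcr.io
  GITLAB: registry.gitlab.com
  DOCKERFILE: ./Dockerfile
  # Informational only: the platform list lives on the build step below.
  MULTI_ARCH: 'true'
  # Image references (registry/namespace/name) for each registry; they are kept
  # in secrets so the namespaces are masked in logs.
  GLCR: ${{ secrets.GLCR_SLUG }}
  GHCR: ${{ secrets.GHCR_SLUG }}
  DOCKERHUB: ${{ secrets.DOCKER_USER }}/${{ secrets.DOCKER_IMAGE }}
  USERNAME: ${{ secrets.DOCKER_USER }}
  PASSWORD: ${{ secrets.DOCKER_TOKEN }}
  GLCR_PASSWORD: ${{ secrets.GLCR_TOKEN }}
  GHCR_PASSWORD: ${{ secrets.GHCR_TOKEN }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    name: Publish Images
    # Least privilege for this job: read the checkout, push packages, and mint
    # the OIDC token that cosign keyless signing needs (id-token: write).
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout
        # TODO(supply-chain): pin to a commit SHA like the actions below; a
        # floating major tag can be moved by the action's maintainers.
        uses: actions/checkout@v4

      - name: Set up QEMU
        # TODO(supply-chain): pin to a commit SHA like the actions below.
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Produces the newline-separated tag list and OCI labels that the build,
      # sign and summary steps consume via steps.meta.outputs.*.
      - name: Extract Docker Metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            ${{ env.DOCKERHUB }}
            ${{ env.GHCR }}
            ${{ env.GLCR }}
          tags: |
            type=edge
          flavor: |
            latest=true
          labels: |
            org.opencontainers.image.title=Icons
            org.opencontainers.image.vendor=Vedansh
            org.opencontainers.image.multi-platform=true
            org.opencontainers.image.description=Free SVG Icons for Every Tech Framework and Programming Languages.
            org.opencontainers.image.source=https://github.com/offensive-vk/Icons

      - name: Install Cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
        with:
          cosign-release: 'v2.1.1'

      - name: Login to Dockerhub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760 # v3.0.0
        with:
          registry: ${{ env.DOCKER }}
          username: ${{ env.USERNAME }}
          password: ${{ env.PASSWORD }}

      - name: Login to Gitlab Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760 # v3.0.0
        with:
          registry: ${{ env.GITLAB }}
          # NOTE(review): the GitHub repository owner is used as the GitLab
          # username — confirm it matches the account GLCR_TOKEN belongs to.
          username: ${{ github.repository_owner }}
          password: ${{ env.GLCR_PASSWORD }}

      - name: Login to Github Container Registry
        if: github.event_name != 'pull_request'
        # Same action and version as the two logins above, pinned to the same SHA
        # so all three registry logins resolve to identical action code.
        uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760 # v3.0.0
        with:
          registry: ${{ env.GITHUB }}
          username: ${{ github.repository_owner }}
          password: ${{ env.GHCR_PASSWORD }}

      - name: Build and Push Image
        id: build-and-push
        uses: docker/build-push-action@e44afff3590e1d4f93b6adc72376512edb012a7c # v5.0.0
        with:
          context: .
          # Explicit so the DOCKERFILE env above is actually honoured
          # (./Dockerfile is also the action's default).
          file: ${{ env.DOCKERFILE }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/amd64/v2,linux/amd64/v3

      # Keyless (Sigstore OIDC) signing of the pushed manifest digest. One
      # `cosign sign` per tag reference so the signature artifact lands in each
      # registry the image was pushed to. `--yes` skips cosign 2.x's interactive
      # consent prompt. Previously this step only echoed a success message
      # without signing anything.
      - name: Sign the Published image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          set -euo pipefail
          if [ -z "${DIGEST}" ]; then
            echo "Build step produced no digest; refusing to sign." >&2
            exit 1
          fi
          echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
          echo "Image with ${TAGS} tag has been successfully Signed."

      # Action outputs are passed through env rather than interpolated with
      # `${{ }}` inside the script, so their contents are never parsed as shell.
      - name: Verify Tags and Labels
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          LABELS: ${{ steps.meta.outputs.labels }}
        run: |
          {
            echo "## Action Summary - Docker CI "
            echo "${TAGS}"
            echo "${LABELS} "
          } >> "$GITHUB_STEP_SUMMARY"
          echo "*** VERIFICATION COMPLETED ***"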
