.github/workflows/publish-docker.yml

name: Publish (docker)
on:
  workflow_call:

jobs:
  publish:
    name: ${{ matrix.target }}
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      attestations: write
      packages: write
    strategy:
      matrix:
        target: [ web, worker, legacy-importer, database-migration ]
    steps:
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Generate image name
      run: |
        IMAGE_ID=ghcr.io/${{ github.repository }}/${{ matrix.target }}
        # Change all uppercase to lowercase
        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
        echo "IMAGE_ID=$IMAGE_ID" >> "$GITHUB_ENV"

    - name: Download digests
      uses: actions/download-artifact@v4
      with:
        path: /tmp/digests
        pattern: docker-digests-*
        merge-multiple: true

    - name: Docker meta
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.IMAGE_ID }}
        flavor: |
          latest=false
        tags: |
          # set latest tag for default branch
          type=raw,value=latest,enable={{is_default_branch}}
          type=ref,event=tag
          type=ref,event=pr
        annotations: |
          org.opencontainers.image.description=${{ matrix.target }} image for gw2treasures.com
      env:
        DOCKER_METADATA_ANNOTATIONS_LEVELS: index

    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Merge and push image
      id: image
      run: |
        ARGS=$(jq -cr '(.tags | map("--tag " + (. | @sh))) + (.annotations | map("--annotation " + (. | @sh))) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
        SOURCES=$(find /tmp/digests/${{ matrix.target }} -type f -printf '${{ env.IMAGE_ID }}@sha256:%f ')
        echo "$ARGS"
        echo "$SOURCES"

        eval "docker buildx imagetools create $ARGS $SOURCES"

        echo "digest=$(docker buildx imagetools inspect --format '{{json .Manifest}}' ghcr.io/gw2treasures/gw2treasures.com/web:pr-1526 | jq -cr '.digest')" >> "$GITHUB_OUTPUT"

    - name: Attest
      uses: actions/attest-build-provenance@v2.1.0
      with:
        subject-name: ${{ env.IMAGE_ID }}
        subject-digest: ${{ steps.image.outputs.digest }}

    - name: Inspect image
      run: docker buildx imagetools inspect $(jq -cr '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")