.github/workflows/docker.yml

name: Docker CI

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    paths:
      - "app/**"
      - "public/**"
      - "bun.lockb"
      - "package.json"
      - "yarn.lock"
      - "*config.*"
  pull_request_target:
    paths:
      - "app/**"
      - "public/**"
      - "bun.lockb"
      - "package.json"
      - "yarn.lock"
      - "*config.*"
  workflow_dispatch:
    inputs:
      push:
        description: 'whether to push image'
        required: true
        default: false
        type: boolean

env:
  REPOSITORY_OWNER: openup-labtakizawa
  REPOSITORY: marukome0743/homepage
  GHCR_REGISTRY: ghcr.io
  GHCR_REPOSITORY: openup-labtakizawa/homepage
  IS_PUSH: ${{ inputs.push || github.event_name == 'push' && github.repository_owner == 'openup-labtakizawa' && github.ref_name == 'main' }}

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        if: github.repository_owner == env.REPOSITORY_OWNER
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      - name: Login to GitHub Container Registry
        if: fromJSON(env.IS_PUSH)
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker Meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.REPOSITORY }}
            ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPOSITORY }}
          tags: |
            type=ref,event=tag
            type=ref,event=pr,prefix=pr-
            type=raw,value=canary,enable=${{ github.event_name != 'pull_request_target' }}
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: ${{ fromJSON(env.IS_PUSH) && 'manifest,index' || 'manifest' }}

      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: ${{ fromJSON(env.IS_PUSH) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
          push: ${{ fromJSON(env.IS_PUSH) }}
          load: ${{ !fromJSON(env.IS_PUSH) }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: false

      - name: Docker Scout
        if: github.repository_owner == env.REPOSITORY_OWNER && github.event_name == 'pull_request_target'
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ env.REPOSITORY }}:${{ steps.meta.outputs.version }}
          to: ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPOSITORY }}:canary
          only-severities: critical,high