name: docker

on:
  # workflow_run:
  # workflows: [crane]
  push:
    branches: [main]
    # types:
    # - completed
  # schedule:
  # - cron: 0 0 * * 1
  #   # Publish semver tags as releases.
  #   tags: [ 'v*.*.*' ]
  # pull_request:
  #   branches: [ "main" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: git.nexveridian.com
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
  NIX_CONFIG: "experimental-features = nix-command flakes"

jobs:
  build:
    runs-on: docker
    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true

      - name: Install Node.js
        run: |
          mkdir -p ~/.local/bin
          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
          ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
          ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - uses: actions/checkout@v4

      - name: Install skopeo
        run: |
          mkdir -p ~/.local/bin
          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build Nix package
        run: nix build .#my-docker

      - name: Downcase REPO
        run: |
          echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}

      - name: Set image name
        run: |
          # Use the full repository name for Forgejo packages
          echo "IMAGE_NAME=${{ env.REPO }}" >> ${GITHUB_ENV}

      - name: Push Docker image with skopeo
        run: |
          # Create required temp directories
          mkdir -p /var/tmp
          IMAGE_PATH=$(readlink -f result)
          echo "Pushing image from: $IMAGE_PATH"
          echo "Target registry: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
          echo "Using actor: ${{ github.actor }}"

          # Use login approach which works better with Forgejo
          echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login --username "${{ github.actor }}" --password-stdin "${{ env.REGISTRY }}"
          skopeo copy \
            --insecure-policy \
            "docker-archive://$IMAGE_PATH" \
            "docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"

      - name: Push to attic
        if: always()
        run: |
          valid_paths=""
          for path in /nix/store/*/; do
            if nix path-info "$path" >/dev/null 2>&1; then
              valid_paths="$valid_paths $path"
            fi
          done

          if [ -n "$valid_paths" ]; then
            for i in {1..10}; do
              nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 5 ] || sleep 5
            done
          fi