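# Gitea Actions workflow for the cpanel-importer image.
# Triggered by pushes to `main` and by pushes of `YYYY.MM.NNN` version tags.
# Flow: build locally -> smoke test -> PHP/Bash syntax lint inside the image
# -> build again and push to repo.anhonesthost.net.
name: cpanel-importer Build and Push
run-name: ${{ gitea.actor }} pushed a change to ${{ gitea.ref_name }}

on:
  push:
    branches:
      - main
    tags:
      - '20[0-9][0-9].[0-9][0-9].[0-9]+'

jobs:
  Build-and-Push:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable major-version
      # tag. Pinning each action to a full commit SHA (keeping the version in
      # a trailing comment) stops a retagged upstream release from changing
      # what runs in this job. That matters here because the registry login
      # below presumably leaves credentials in the runner's Docker config for
      # all later steps - confirm.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Gitea
        uses: docker/login-action@v3
        with:
          registry: repo.anhonesthost.net
          username: ${{ secrets.CI_USER }}
          password: ${{ secrets.CI_TOKEN }}

      # Compute the version tag. If the commit is on a `YYYY.MM.NNN` tag
      # we tag the image with that version; otherwise we only tag :latest
      # and :<short-sha> (the first 12 characters of the commit SHA).
      - name: Compute tags
        id: tags
        run: |
          set -euo pipefail
          SHA="${GITHUB_SHA:0:12}"
          REG="repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer"
          TAGS="${REG}:latest"$'\n'"${REG}:${SHA}"
          # If this push includes a YYYY.MM.NNN tag, add it.
          # The ref name is only used after it passes the anchored regex, so
          # nothing outside [0-9.] from the ref reaches the tag list.
          VER_TAG="${GITHUB_REF_NAME:-}"
          if [[ "${GITHUB_REF:-}" == refs/tags/* && "$VER_TAG" =~ ^20[0-9][0-9]\.[0-9][0-9]\.[0-9]+$ ]]; then
            TAGS="${TAGS}"$'\n'"${REG}:${VER_TAG}"
          fi
          # Multi-line step output: `name<<DELIM`, the value, then `DELIM`.
          # Every line of TAGS starts with $REG, so no line can equal the
          # fixed EOF delimiter and close the block early.
          echo "tags<<EOF" >> "$GITHUB_OUTPUT"
          echo "$TAGS" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
          echo "Resolved tags:"
          echo "$TAGS"

      # First build locally (no push) so we can run a smoke test against
      # the resolved image before pushing. The build is cached by Buildx
      # so the push step below re-uses layers and is near-instant.
      - name: Build Image (local, for smoke test)
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          tags: cpanel-importer:smoke
          no-cache: true

      - name: 'Smoke test — image starts and `echo ok` works'
        run: |
          set -euo pipefail
          # Override the entrypoint so we don't have to provide the full
          # IMPORT_* env set just to verify the image runs.
          out="$(docker run --rm --entrypoint /bin/echo cpanel-importer:smoke ok)"
          if [[ "$out" != "ok" ]]; then
            echo "smoke test failed: expected 'ok', got '$out'"
            exit 1
          fi
          echo "smoke test passed"

      # Lints run inside the just-built image rather than on the runner side.
      # The Dockerfile already COPYs scripts/ to /scripts/ inside the image,
      # so we don't need a host bind mount (the original `docker run -v
      # "$PWD:/src"` shape failed under Gitea's dockerized runner, where
      # $PWD on the runner is not a path the host docker daemon can mount).
      # Switching the path from /src/$f to /$f reads from the image's own
      # /scripts/ rootfs entries directly. Runner-side `php -l` won't work
      # because the act-based ubuntu-latest image doesn't ship php-cli.
      - name: PHP syntax check
        run: |
          set -euo pipefail
          for f in scripts/*.php scripts/lib/*.php; do
            docker run --rm --entrypoint php cpanel-importer:smoke -l "/$f"
          done

      - name: Bash syntax check
        run: |
          set -euo pipefail
          for f in scripts/*.sh; do
            docker run --rm --entrypoint bash cpanel-importer:smoke -n "/$f"
          done

      # NOTE(review): this is a second build invocation, not a push of the
      # cpanel-importer:smoke image that was tested above. The pushed image
      # matches the tested one only as far as BuildKit resolves the same
      # layers from cache. cache-from also imports layer cache from the
      # mutable :latest tag in the registry, so write access to that tag
      # should stay limited to this CI identity - confirm registry ACLs.
      - name: Build and Push Image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: ${{ steps.tags.outputs.tags }}
          cache-from: type=registry,ref=repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer:latest
          cache-to: type=inline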