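# Builds the cpanel-importer image, smoke-tests and lints it, then pushes it to
# the Gitea registry. Runs on pushes to main and on version tags matching the
# pattern below.
name: cpanel-importer Build and Push
run-name: ${{ gitea.actor }} pushed a change to ${{ gitea.ref_name }}

on:
  push:
    branches:
      - main
    tags:
      - '20[0-9][0-9].[0-9][0-9].[0-9]+'

jobs:
  Build-and-Push:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable major-version
      # tag (v3/v4/v6). Pinning each action to a full commit SHA keeps a
      # retagged release from running in a job that holds CI_TOKEN.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # NOTE(review): the registry credential is only needed by the final
      # push step (and by the build, if the Dockerfile pulls private base
      # images -- not visible here, confirm). If the base images are public,
      # this step can move to just before "Build and Push Image" so the
      # token is present for fewer steps.
      - name: Login to Gitea
        uses: docker/login-action@v3
        with:
          registry: repo.anhonesthost.net
          username: ${{ secrets.CI_USER }}
          password: ${{ secrets.CI_TOKEN }}

      # Compute the version tag. If the commit is on a `YYYY.MM.NNN` tag
      # we tag the image with that version; otherwise we only tag :latest
      # and :<sha> (first 12 characters of the commit SHA).
      - name: Compute tags
        id: tags
        run: |
          set -euo pipefail
          SHA="${GITHUB_SHA:0:12}"
          REG="repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer"
          TAGS="${REG}:latest"$'\n'"${REG}:${SHA}"
          # If this push includes a YYYY.MM.NNN tag, add it.
          # The ref name is re-validated against a strict pattern here, so
          # only a well-formed version string can ever become an image tag.
          VER_TAG="${GITHUB_REF_NAME:-}"
          if [[ "${GITHUB_REF:-}" == refs/tags/* && "$VER_TAG" =~ ^20[0-9][0-9]\.[0-9][0-9]\.[0-9]+$ ]]; then
            TAGS="${TAGS}"$'\n'"${REG}:${VER_TAG}"
          fi
          # Multi-line step output: name<<DELIMITER, the value, then the
          # delimiter on a line of its own.
          echo "tags<<EOF" >> "$GITHUB_OUTPUT"
          echo "$TAGS" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
          echo "Resolved tags:"
          echo "$TAGS"

      # First build locally (no push) so we can run a smoke test against
      # the resolved image before pushing. The build is cached by Buildx
      # so the push step below re-uses layers and is near-instant.
      - name: Build Image (local, for smoke test)
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          tags: cpanel-importer:smoke
          no-cache: true

      - name: Smoke test — image starts and `echo ok` works
        run: |
          set -euo pipefail
          # Override the entrypoint so we don't have to provide the full
          # IMPORT_* env set just to verify the image runs.
          out="$(docker run --rm --entrypoint /bin/echo cpanel-importer:smoke ok)"
          if [[ "$out" != "ok" ]]; then
            echo "smoke test failed: expected 'ok', got '$out'"
            exit 1
          fi
          echo "smoke test passed"

      # Lints run directly on the runner instead of via `docker run -v "$PWD:/src"`
      # against the built image. Gitea runners are themselves containerized,
      # so $PWD inside the runner is NOT a path the host docker daemon can bind
      # mount; the previous approach surfaced as "Could not open input file"
      # for every script. Running php/bash directly on the runner works because
      # the runner image (ubuntu-latest) ships php-cli + bash, and the files
      # exist in $PWD because the checkout step already populated them.
      - name: PHP syntax check
        run: |
          set -euo pipefail
          for f in scripts/*.php scripts/lib/*.php; do
            php -l "$f"
          done

      - name: Bash syntax check
        run: |
          set -euo pipefail
          for f in scripts/*.sh; do
            bash -n "$f"
          done

      # NOTE(review): this is a second build, not a push of the image that
      # was smoke-tested above; it depends on the Buildx cache to reproduce
      # the same layers. It also imports cache from the registry's mutable
      # :latest tag, so whoever can write that tag can influence layers
      # reused here -- keep push rights on this repository restricted.
      - name: Build and Push Image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: ${{ steps.tags.outputs.tags }}
          cache-from: type=registry,ref=repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer:latest
          cache-to: type=inline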