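---
name: Release Community Docker Images

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# Reusable workflow: it only runs when another workflow invokes it via
# `workflow_call`; the two boolean inputs control how the image is tagged
# and VERSION is handed back to the caller.
on:
  workflow_call:
    inputs:
      IS_PRERELEASE:
        description: "Whether this is a prerelease (affects latest tag)"
        required: false
        type: boolean
        default: false
      MAKE_LATEST:
        description: "Whether to tag as latest (from GitHub release 'Set as the latest release' option)"
        required: false
        type: boolean
        default: false
    outputs:
      VERSION:
        description: release version
        value: ${{ jobs.build.outputs.VERSION }}

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as owner/repo
  IMAGE_NAME: ${{ github.repository }}

# Least privilege at the workflow level; the build job widens only the
# scopes it actually needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    permissions:
      contents: read
      # Needed to push the image to GHCR.
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    outputs:
      VERSION: ${{ steps.extract_release_tag.outputs.VERSION }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          # `audit` only logs outbound calls; it does not block any of them.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Derives the image version from the git tag. Only environment
      # variables are read (no `${{ }}` interpolation inside the script), and
      # the result is rejected unless it is strict SemVer, so an unexpected
      # ref name cannot reach the image tag or the registry push.
      - name: Extract release version from tag
        id: extract_release_tag
        run: |
          set -euo pipefail
          # Extract tag name with fallback logic for different trigger contexts.
          # RELEASE_TAG is not set by this workflow itself; it is an opt-in
          # override supplied through the environment.
          if [[ -n "${RELEASE_TAG:-}" ]]; then
            TAG="$RELEASE_TAG"
            echo "Using RELEASE_TAG override: $TAG"
          elif [[ "$GITHUB_REF_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]] || [[ "$GITHUB_REF_NAME" =~ ^v[0-9] ]]; then
            TAG="$GITHUB_REF_NAME"
            echo "Using GITHUB_REF_NAME (looks like tag): $TAG"
          else
            # Fallback: extract from GITHUB_REF for direct tag triggers
            TAG="${GITHUB_REF#refs/tags/}"
            if [[ -z "$TAG" || "$TAG" == "$GITHUB_REF" ]]; then
              TAG="$GITHUB_REF_NAME"
              echo "Using GITHUB_REF_NAME as final fallback: $TAG"
            else
              echo "Extracted from GITHUB_REF: $TAG"
            fi
          fi

          # Strip v-prefix if present (normalize to clean SemVer)
          TAG=${TAG#[vV]}

          # Validate SemVer format (supports prereleases like 4.0.0-rc.1).
          # This is the only gate between the ref name and the image tag.
          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
            echo "ERROR: Invalid tag format '$TAG'. Expected SemVer (e.g., 1.2.3, 4.0.0-rc.1)"
            exit 1
          fi

          # Quote the output file path so the redirect is safe under any runner path.
          echo "VERSION=$TAG" >> "$GITHUB_OUTPUT"
          echo "Using version: $TAG"

      - name: Build and push community release image
        id: build
        uses: ./.github/actions/build-and-push-docker
        with:
          registry_type: "ghcr"
          ghcr_image_name: ${{ env.IMAGE_NAME }}
          version: ${{ steps.extract_release_tag.outputs.VERSION }}
          is_prerelease: ${{ inputs.IS_PRERELEASE }}
          make_latest: ${{ inputs.MAKE_LATEST }}
        # NOTE(review): in a `workflow_call` workflow the `secrets` context only
        # holds what the caller passes (e.g. `secrets: inherit`); GITHUB_TOKEN is
        # always present, the others are empty otherwise — confirm callers pass them.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}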