formbricks/.github/workflows/release-docker-github.yml

name: Release Community Docker Images

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

on:
  workflow_call:
    inputs:
      IS_PRERELEASE:
        description: "Whether this is a prerelease (affects latest tag)"
        required: false
        type: boolean
        default: false
    outputs:
      VERSION:
        description: release version
        value: ${{ jobs.build.outputs.VERSION }}

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    permissions:
      contents: read
      packages: write
      id-token: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.

    outputs:
      VERSION: ${{ steps.extract_release_tag.outputs.VERSION }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Extract release version from tag
        id: extract_release_tag
        run: |
          set -euo pipefail
          # Extract version from tag (e.g., refs/tags/1.2.3 or refs/tags/v1.2.3 -> 1.2.3)
          TAG="$GITHUB_REF"
          TAG=${TAG#refs/tags/}

          # Strip leading 'v' or 'V' if present for backward compatibility
          TAG=${TAG#[vV]}

          # Validate the extracted tag format (clean SemVer expected)
          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
            echo "ERROR: Invalid release tag format. Must be clean semver (e.g., 1.2.3, 1.2.3-alpha)"
            echo "Original ref: $GITHUB_REF"
            echo "Extracted tag: $TAG"
            echo "Expected: Clean SemVer (v-prefix is automatically stripped for backward compatibility)"
            exit 1
          fi

          echo "VERSION=$TAG" >> $GITHUB_OUTPUT
          echo "Using clean SemVer version: $TAG"

      - name: Build and push community release image
        id: build
        uses: ./.github/actions/build-and-push-docker
        with:
          registry_type: "ghcr"
          ghcr_image_name: ${{ env.IMAGE_NAME }}
          version: ${{ steps.extract_release_tag.outputs.VERSION }}
          is_prerelease: ${{ inputs.IS_PRERELEASE }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}