name: Publish nx-webmail Image

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - "nx-webmail/**"
      - ".github/workflows/publish-nx-webmail-image.yml"

permissions:
  contents: write
  packages: write

jobs:
  publish:
    if: github.actor != 'github-actions[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Read app version
        id: meta
        shell: bash
        run: |
          version=$(grep '^version:' nx-webmail/umbrel-app.yml | awk -F'"' '{print $2}')
          if [ -z "$version" ]; then
            echo "Could not read nx-webmail version from umbrel-app.yml" >&2
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "image=ghcr.io/weektab/nx-webmail" >> "$GITHUB_OUTPUT"

      - name: Build and push image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: ./nx-webmail
          file: ./nx-webmail/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}
            ${{ steps.meta.outputs.image }}:latest

      - name: Pin digest in docker-compose
        shell: bash
        run: |
          digest="${{ steps.build.outputs.digest }}"
          if [ -z "$digest" ]; then
            echo "No digest returned by build step" >&2
            exit 1
          fi
          pinned="    image: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}@${digest}"
          sed -i -E "s|^    image: .*|$pinned|" nx-webmail/docker-compose.yml

      - name: Commit digest pin
        shell: bash
        run: |
          if git diff --quiet -- nx-webmail/docker-compose.yml; then
            echo "No docker-compose digest changes to commit."
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add nx-webmail/docker-compose.yml
          git commit -m "nx-webmail: pin image digest [skip ci]"
          git push

      - name: Summary
        shell: bash
        run: |
          {
            echo "### nx-webmail image published"
            echo ""
            echo "- Image: \`${{ steps.meta.outputs.image }}\`"
            echo "- Version tag: \`${{ steps.meta.outputs.version }}\`"
            echo "- Digest: \`${{ steps.build.outputs.digest }}\`"
          } >> "$GITHUB_STEP_SUMMARY"