name: 'Pin build-tools image'

on:
  workflow_dispatch:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean
  workflow_call:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean

defaults:
  run:
    shell: bash -euo pipefail {0}

concurrency:
  group: pin-build-tools-image-${{ inputs.from-tag }}
  cancel-in-progress: false

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

jobs:
  check-manifests:
    runs-on: ubuntu-22.04
    outputs:
      skip: ${{ steps.check-manifests.outputs.skip }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Check if we really need to pin the image
        id: check-manifests
        env:
          FROM_TAG: ${{ inputs.from-tag }}
          TO_TAG: pinned
        run: |
          docker manifest inspect "ghcr.io/neondatabase/build-tools:${FROM_TAG}" > "${FROM_TAG}.json"
          docker manifest inspect "ghcr.io/neondatabase/build-tools:${TO_TAG}"   > "${TO_TAG}.json"

          if diff "${FROM_TAG}.json" "${TO_TAG}.json"; then
            skip=true
          else
            skip=false
          fi

          echo "skip=${skip}" | tee -a $GITHUB_OUTPUT

  tag-image:
    needs: check-manifests

    # use format(..) to catch both inputs.force = true AND inputs.force = 'true'
    if: needs.check-manifests.outputs.skip == 'false' || format('{0}', inputs.force) == 'true'

    permissions:
      id-token: write  # Required for aws/azure login
      packages: write  # required for pushing to GHCR

    uses: ./.github/workflows/_push-to-container-registry.yml
    with:
      image-map: |
        {
          "ghcr.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
            "docker.io/neondatabase/build-tools:pinned-bullseye",
            "ghcr.io/neondatabase/build-tools:pinned-bullseye",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bullseye",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bullseye"
          ],
          "ghcr.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
            "docker.io/neondatabase/build-tools:pinned-bookworm",
            "docker.io/neondatabase/build-tools:pinned",
            "ghcr.io/neondatabase/build-tools:pinned-bookworm",
            "ghcr.io/neondatabase/build-tools:pinned",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bookworm",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bookworm",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned"
          ]
        }
      aws-region: ${{ vars.AWS_ECR_REGION }}
      aws-account-id: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
      aws-role-to-assume: "gha-oidc-neon-admin"
      azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
      azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
      azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
      acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
    secrets: inherit