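# Reusable workflow: builds the `neondatabase/build-tools` image for x64 and
# arm64 on self-hosted runners, pushes one tag per architecture, then merges
# both into a single multi-arch tag. The build is skipped when `check-image`
# reports that the image already exists.
name: Build build-tools image

on:
  workflow_call:
    inputs:
      image-tag:
        description: "build-tools image tag"
        required: true
        type: string
    outputs:
      image-tag:
        description: "build-tools tag"
        value: ${{ inputs.image-tag }}
      image:
        description: "build-tools image"
        value: neondatabase/build-tools:${{ inputs.image-tag }}

defaults:
  run:
    shell: bash -euo pipefail {0}

# One concurrency group per tag; an in-progress run for the same tag is not
# cancelled by a newer one.
concurrency:
  group: build-build-tools-image-${{ inputs.image-tag }}
  cancel-in-progress: false

# No permission for GITHUB_TOKEN by default; the **minimal required** set of
# permissions should be granted in each job.
# NOTE(review): no job below grants anything, so `actions/checkout` in
# `build-image` relies on the repository being readable without
# `contents: read` -- confirm this is intended.
permissions: {}

# NOTE(review): third-party actions below are referenced by mutable major tags
# (@v2/@v3/@v4). These jobs handle Docker Hub credentials and push images, so
# pinning each action to a full commit SHA
# (`uses: owner/action@<FULL_COMMIT_SHA>  # vX`) would prevent a re-pointed tag
# from changing what runs here.

jobs:
  check-image:
    uses: ./.github/workflows/check-build-tools-image.yml

  # This job uses older version of GitHub Actions because it's run on gen2
  # runners, which don't support node 20 (for newer versions)
  # NOTE(review): `runs-on` below selects the "gen3" label, not gen2 -- confirm
  # whether this comment and the older action versions are still needed.
  build-image:
    needs: [ check-image ]
    if: needs.check-image.outputs.found == 'false'

    strategy:
      matrix:
        arch: [ x64, arm64 ]

    runs-on: ${{ fromJson(format('["self-hosted", "gen3", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    env:
      IMAGE_TAG: ${{ inputs.image-tag }}

    steps:
      # Fail early when the caller-supplied tag differs from the tag computed
      # by `check-image`, so an unexpected tag is never pushed.
      # Both values reach the script through `env:` rather than being
      # interpolated into `run:`, which keeps caller-controlled input out of
      # the shell source.
      - name: Check `inputs.image-tag` is correct
        env:
          INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}
          CHECK_IMAGE_TAG: ${{ needs.check-image.outputs.image-tag }}
        run: |
          if [ "${INPUTS_IMAGE_TAG}" != "${CHECK_IMAGE_TAG}" ]; then
            echo "'inputs.image-tag' (${INPUTS_IMAGE_TAG}) does not match the tag of the latest build-tools image 'needs.check-image.outputs.image-tag' (${CHECK_IMAGE_TAG})"
            exit 1
          fi

      - uses: actions/checkout@v3

      # Use custom DOCKER_CONFIG directory to avoid conflicts with default settings
      # The default value is ~/.docker
      # NOTE(review): the path is fixed and lives under /tmp on a self-hosted
      # runner; jobs sharing a host would share this directory -- confirm
      # runners are not shared between concurrent jobs.
      - name: Set custom docker config directory
        run: |
          mkdir -p /tmp/.docker-custom
          echo DOCKER_CONFIG=/tmp/.docker-custom >> "$GITHUB_ENV"

      - uses: docker/setup-buildx-action@v2

      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      - uses: docker/build-push-action@v4
        with:
          context: .
          # Provenance attestations are switched off for the pushed image.
          # NOTE(review): the reason is not stated in this file -- confirm it
          # is deliberate, since consumers then have no build-provenance
          # metadata to verify.
          provenance: false
          push: true
          pull: true
          file: Dockerfile.build-tools
          # The layer cache is read from and written to the same registry ref;
          # anything with push access to that ref influences later builds.
          cache-from: type=registry,ref=neondatabase/build-tools:cache-${{ matrix.arch }}
          cache-to: type=registry,ref=neondatabase/build-tools:cache-${{ matrix.arch }},mode=max
          tags: neondatabase/build-tools:${{ inputs.image-tag }}-${{ matrix.arch }}

      # Runs even when an earlier step failed or the job was cancelled, so the
      # Docker config directory does not linger on the self-hosted runner.
      - name: Remove custom docker config directory
        if: always()
        run: |
          rm -rf /tmp/.docker-custom

  # Combines the per-architecture tags into one multi-arch tag. Skipped along
  # with `build-image` when the image already exists.
  merge-images:
    needs: [ build-image ]
    runs-on: ubuntu-latest

    env:
      IMAGE_TAG: ${{ inputs.image-tag }}

    steps:
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      # Image references are quoted so the tag is always passed as a single
      # argument, whatever characters it contains.
      - name: Create multi-arch image
        run: |
          docker buildx imagetools create -t "neondatabase/build-tools:${IMAGE_TAG}" \
                                             "neondatabase/build-tools:${IMAGE_TAG}-x64" \
                                             "neondatabase/build-tools:${IMAGE_TAG}-arm64"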