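---
# Builds every root-level YAML image definition and pushes it to the private
# registry. Runs on pushes to main that touch a YAML file, on a weekly schedule
# (so images pick up patched upstream hardened bases), and on manual dispatch.
name: Dynamic Build and Deploy Hardened Images

on:
  push:
    branches:
      - main
    paths:
      - '**.yml'
      - '**.yaml'
  schedule:
    # Runs every Friday at 00:00 UTC
    - cron: '0 0 * * 5'
  workflow_dispatch:

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below is pinned to a mutable major tag
      # (@v3 / @v4); pinning each to a full commit SHA would close the
      # tag-retargeting supply-chain risk. Left as-is here, no SHA invented.
      - name: Prepare Git for SHA256 Repo
        run: git config --global init.defaultObjectFormat sha256

      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          # Full history is required so the whole pushed range (before..sha)
          # can be diffed, not just the head commit.
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to DHI Registry
        uses: docker/login-action@v3
        with:
          registry: dhi.io
          username: ${{ secrets.DHI_USERNAME }}
          password: ${{ secrets.DHI_PASSWORD }}

      - name: Log in to Private Registry
        uses: docker/login-action@v3
        with:
          registry: registry.chillcog.com
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Detect and Build Images
        # Context values are handed to the script through env rather than
        # interpolated into its body, so the shell never sees raw `${{ }}`
        # expansions (the standard script-injection hygiene for run steps).
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_SHA: ${{ github.sha }}
          BEFORE_SHA: ${{ github.event.before }}
          TARGET_REGISTRY: registry.chillcog.com
        run: |
          set -euo pipefail
          FILES_TO_BUILD=""

          # 1. Pick the file set from the event that triggered the run
          if [ "$EVENT_NAME" = "schedule" ] || [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "Scheduled or manual run triggered. Processing all YAML files..."
            # All root-level YAML configuration files (regular files only)
            FILES_TO_BUILD=$(find . -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \))
          else
            echo "Push triggered. Detecting changed files..."
            # Diff the whole pushed range, not only the head commit: a push that
            # carries several commits would otherwise miss files changed earlier
            # in the range. BEFORE_SHA is empty or all zeros when the branch was
            # just created; fall back to the head commit's own diff in that case.
            if [ -z "$BEFORE_SHA" ] || [[ "$BEFORE_SHA" =~ ^0+$ ]]; then
              RANGE=("$HEAD_SHA")
            else
              RANGE=("$BEFORE_SHA" "$HEAD_SHA")
            fi
            # Only added or modified YAML files; a deletion has nothing to build
            FILES_TO_BUILD=$(git diff-tree --no-commit-id --name-only -r --diff-filter=AM "${RANGE[@]}" | grep -E '\.(yml|yaml)$' || true)
          fi

          # 2. Build and push each matched configuration file. A line-wise read
          # keeps paths with whitespace intact, unlike unquoted word splitting.
          while IFS= read -r file; do
            # Normalise `./name.yml` (from find) to `name.yml`
            file="${file#./}"
            # Skip blank lines and paths that no longer exist in the checkout
            if [ -z "$file" ] || [ ! -f "$file" ]; then continue; fi
            # Skip workflow definitions to avoid self-building cycles
            case "$file" in
              .gitea/*|.github/*) continue ;;
            esac
            # Image name is the basename without extension ('nginx.yml' -> 'nginx')
            filename=$(basename -- "$file")
            image_name="${filename%.*}"
            echo "---------------------------------------------------"
            echo "Processing: $file -> Target: ${TARGET_REGISTRY}/${image_name}:latest"
            echo "---------------------------------------------------"
            # --pull re-resolves every FROM reference on each build so the weekly
            # rebuild actually picks up a patched upstream base; --no-cache alone
            # only discards the layer cache.
            # NOTE(review): only the mutable `:latest` tag is pushed, so a given
            # build cannot be referenced later except by digest — TODO confirm
            # whether a per-build tag is wanted for traceability.
            docker buildx build \
              --push \
              --pull \
              --no-cache \
              -f "$file" \
              -t "${TARGET_REGISTRY}/${image_name}:latest" \
              .
          done <<< "$FILES_TO_BUILD"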