name: Build Nix Docker image

on:
  push:
    branches:
      - develop
    paths:
      - ".github/workflows/build-nix-image.yml"
      - "docker/nix.Dockerfile"
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
  pull_request:
    paths:
      - ".github/workflows/build-nix-image.yml"
      - "docker/nix.Dockerfile"
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

env:
  UBUNTU_VERSION: "20.04"
  RHEL_VERSION: "9"
  DEBIAN_VERSION: "bookworm"

jobs:
  build:
    name: Build and push Nix image (${{ matrix.distro }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - distro: nixos
          - distro: ubuntu
          - distro: rhel
          - distro: debian

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Determine base image
        id: vars
        run: |
          case "${{ matrix.distro }}" in
            nixos)
              echo "base_image=nixos/nix:latest" >> $GITHUB_OUTPUT
              ;;
            ubuntu)
              echo "base_image=ubuntu:${UBUNTU_VERSION}" >> $GITHUB_OUTPUT
              ;;
            rhel)
              echo "base_image=registry.access.redhat.com/ubi${RHEL_VERSION}/ubi:latest" >> $GITHUB_OUTPUT
              ;;
            debian)
              echo "base_image=debian:${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
              ;;
          esac

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Login to GitHub Container Registry
        if: github.event_name == 'push'
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ghcr.io/xrplf/ci/nix-${{ matrix.distro }}
          tags: |
            type=sha,prefix=sha-,format=short
            type=raw,value=latest

      - name: Build and push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          file: docker/nix.Dockerfile
          platforms: linux/amd64
          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: BASE_IMAGE=${{ steps.vars.outputs.base_image }}