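# Builds the Nix Docker images, one per distro and CPU architecture, through
# the reusable build workflow. On push events in XRPLF/rippled it then combines
# the per-architecture tags into multi-arch manifests on ghcr.io.
name: Build Nix Docker image

# The two path filters are identical; keep them in sync when editing.
on:
  push:
    branches:
      - develop
    paths:
      - ".github/workflows/build-nix-image.yml"
      - ".github/workflows/reusable-build-docker-image.yml"
      - "docker/**"
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
  pull_request:
    paths:
      - ".github/workflows/build-nix-image.yml"
      - ".github/workflows/reusable-build-docker-image.yml"
      - "docker/**"
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
  workflow_dispatch:

# One run per workflow and ref; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

jobs:
  build:
    name: Build ${{ matrix.distro.name }} (${{ matrix.target.platform }})
    # packages: write is what lets the called workflow publish to ghcr.io.
    # NOTE(review): it is requested for every trigger, although `push` below is
    # only true for push events - confirm pull_request and manual runs need it.
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        # The base images are the oldest supported version of each distro
        # that we want to build images for.
        # NOTE(review): the `latest` tags float, so a rebuild can pick up a
        # different base and they are not necessarily the oldest supported
        # release; consider a fixed version tag or digest for those entries.
        distro:
          - name: nixos
            base_image: nixos/nix:latest
          - name: ubuntu
            base_image: ubuntu:20.04
          - name: rhel
            base_image: registry.access.redhat.com/ubi9/ubi:latest
          - name: debian
            base_image: debian:bookworm
        target:
          - platform: linux/amd64
            runner: ubuntu-latest
          - platform: linux/arm64
            runner: ubuntu-24.04-arm
    uses: ./.github/workflows/reusable-build-docker-image.yml
    with:
      # NOTE(review): images are published under ghcr.io/xrplf/xrpld/ while the
      # push gate names XRPLF/rippled - confirm both are intended.
      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
      dockerfile: docker/nix.Dockerfile
      base_image: ${{ matrix.distro.base_image }}
      platform: ${{ matrix.target.platform }}
      runner: ${{ matrix.target.runner }}
      # Publish only for push events in the upstream repository; pull requests,
      # manual runs and forks build without pushing.
      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}

  merge:
    name: Merge ${{ matrix.distro }} manifest
    needs: build
    # Same gate as the `push` input of the build job.
    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        # Must list the same names as the `distro` entries of the build job,
        # because IMAGE_NAME is derived from them in the same way.
        distro: [nixos, ubuntu, rhel, debian]
    env:
      IMAGE_NAME: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro }}
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing comment
      # records the release each SHA is expected to correspond to.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=sha-,format=short
            type=raw,value=latest

      - name: Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Presumably the build job pushed "<tag>-amd64" and "<tag>-arm64" for each
      # tag computed above; that naming lives in the reusable workflow - verify.
      - name: Create multi-arch manifests
        run: |
          # Capture the tag list first so that a jq failure stops the step
          # (errexit) instead of silently producing an empty loop.
          tags="$(jq -cr '.tags[]' <<<"$DOCKER_METADATA_OUTPUT_JSON")"
          for tag in $tags; do
            docker buildx imagetools create -t "$tag" "${tag}-amd64" "${tag}-arm64"
          done

      - name: Inspect image
        # The step output is handed over through the environment rather than
        # expanded by ${{ }} inside the script, so it reaches bash as data and
        # never as script text.
        env:
          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
        run: |
          docker buildx imagetools inspect "${IMAGE_NAME}:${IMAGE_VERSION}"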