---
name: Lint, Build, Scan and Publish Docker Image
on:
  push:
    branches:
      - main
    tags:
      - 'v*'

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: install Trivy Security scanner
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

      - name: Lint & Format Check python code with ruff
        uses: astral-sh/ruff-action@v3

      - name: Lint Dockerfile (Hadolint)
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile

      - name: Security Lint Dockerfile (Trivy)
        run: |
          trivy config .

      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: git.br0tkasten.de
          username: ${{ secrets.PACKAGE_USER }}
          password: ${{ secrets.PACKAGE_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: git.br0tkasten.de/${{ gitea.repository }}
          flavor: |
            latest=true
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha

      - name: Build Docker image locally
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true # This loads the image into the local docker daemon for Trivy to find
          tags: local_scan_target:${{ github.sha }}

      - name: Run Trivy scanner (Binary Mode)
        run: |
          trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}