---
name: Build, Scan and Publish Docker Image
on:
  push:
    branches:
      - main
    tags:
      - 'v*'

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: git.br0tkasten.de
          username: ${{ secrets.PACKAGE_USER }}
          password: ${{ secrets.PACKAGE_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: git.br0tkasten.de/${{ gitea.repository }}
          flavor: |
            latest=true
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha

      # Step 1: Build the image locally (do not push yet)
      - name: Build Docker image locally
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true # This loads the image into the local docker daemon for Trivy to find
          tags: local_scan_target:${{ github.sha }}

      # Step 2: Scan the local image with Trivy
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'local_scan_target:${{ github.sha }}'
          format: 'table'
          exit-code: '1' # This will fail the pipeline if vulnerabilities are found
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

      # Step 3: If scan passes, Build and Push to Registry
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}