name: Build control plane
run-name: Triggered from ${{ github.event_name }} by ${{ github.actor }}
on:
  workflow_call:
    inputs:
      sha:
        required: false
        type: string
        default: ${{ github.sha }}

permissions:
  id-token: write
  packages: write

jobs:
  control-plane:
    name: ${{ matrix.image_name }}
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        include:
          - image_name: domain
            target: runtime
            build-args: |
              APPLICATION_NAME=domain
              GIT_SHA=${{ inputs.sha }}
          - image_name: api
            target: runtime
            build-args: |
              APPLICATION_NAME=api
              GIT_SHA=${{ inputs.sha }}
          - image_name: web
            target: runtime
            build-args: |
              APPLICATION_NAME=web
              GIT_SHA=${{ inputs.sha }}
          - image_name: elixir
            target: compiler
            build-args: |
              APPLICATION_NAME=api
              GIT_SHA=${{ inputs.sha }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ inputs.sha }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - uses: ./.github/actions/ghcr-docker-login
        id: login
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
        with:
          images: ${{ steps.login.outputs.registry }}/firezone/${{matrix.image_name }}
          tags: |
            type=raw,value=${{ inputs.sha }}
      - name: Sanitize github.ref_name
        run: |
          # `ref_name` contains `/`, '_' or '=' which is not a valid docker image tag
          REF="${{ github.ref_name }}"
          CACHE_TAG="${REF//[\/_=]/-}"
          echo "CACHE_TAG=$CACHE_TAG" >> "$GITHUB_ENV"
      # PRs & non-main branches: read-only cache
      - name: Build and push control plane images (read-only cache)
        if: ${{ github.ref != 'refs/heads/main' }}
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          build-args: ${{ matrix.build-args }}
          target: ${{ matrix.target }}
          context: elixir
          cache-from: |
            type=gha,scope=${{ matrix.image_name }}:${{ env.CACHE_TAG }}
            type=gha,scope=${{ matrix.image_name }}:main
          # no cache-to here -> read-only
          push: true
          tags: |
            ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ inputs.sha }}
            ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.CACHE_TAG }}

      # main: read/write cache
      - name: Build and push control plane images (read/write cache)
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          build-args: ${{ matrix.build-args }}
          target: ${{ matrix.target }}
          context: elixir
          cache-from: |
            type=gha,scope=${{ matrix.image_name }}:${{ env.CACHE_TAG }}
            type=gha,scope=${{ matrix.image_name }}:main
          cache-to: |
            type=gha,scope=${{ matrix.image_name }}:${{ env.CACHE_TAG }},mode=max,ignore-error=true
          push: true
          tags: |
            ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ inputs.sha }}
            ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.CACHE_TAG }}