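# Reusable workflow (workflow_call): downloads the previously built .deb
# artifacts, builds the container images from docker-compose.yml with buildx
# bake, pushes them to Docker Hub and signs every pushed manifest digest with
# cosign (keyless, using the job's OIDC token).
#
# NOTE(review): the display name below says "Debian Package" although the
# workflow publishes docker images; likely a copy-paste leftover — confirm
# before renaming, since callers may search for it by name.
name: Build Debian Package
on:
  workflow_call:
    inputs:
      tag:
        description: 'The docker tag name'
        required: true
        type: string
      environment:
        description: 'Environment where the secrets are stored'
        required: true
        type: string
      extra_tag:
        description: 'Additional tag to push'
        required: false
        type: string
        default: ""
      cache_enabled:
        description: 'Enable caching'
        required: false
        type: boolean
        default: false
    secrets:
      # NOTE(review): both secrets are declared optional, but the "Login to
      # Docker Hub" step below always runs and fails without them — either
      # mark them `required: true` or guard the login/push with an `if:`.
      DOCKERHUB_USERNAME:
        description: 'Docker Hub username'
        required: false
      DOCKERHUB_TOKEN:
        description: 'Docker Hub token'
        required: false
jobs:
  publish-docker:
    name: Publish docker image for ${{ inputs.tag }}
    environment:
      name: ${{ inputs.environment }}
      url: ${{ steps.set-output-url.outputs.deployment_dockerhub_url }}
    runs-on: ubuntu-latest
    permissions:
      # Once `permissions` is listed explicitly every unlisted scope becomes
      # `none`; `contents: read` keeps actions/checkout working (presumably
      # needed for docker-compose.yml — confirm), and `id-token: write` is what
      # cosign's keyless signing uses to obtain the OIDC token.
      contents: read
      id-token: write
    steps:
      # `audit` only records egress; once the set of endpoints is known,
      # switching to `egress-policy: block` with an allow-list is the
      # hardening step.
      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      # NOTE(review): the four actions below float on a major tag while
      # harden-runner, login-action and cosign-installer are pinned to a
      # commit SHA; pin these to a SHA too so a moved tag cannot change what
      # runs here.
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        id: buildx
      # Pulls every `build-*` artifact of this run into ./dist (run-id is the
      # current run, i.e. the default, spelled out for clarity).
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          pattern: build-*
          path: dist
          run-id: ${{ github.run_id }}
      # Appends "-signed" to each package name. If no .deb was downloaded the
      # glob stays literal and mv fails, which fails the step under the
      # default `bash -e` shell — presumably the intended behaviour.
      - name: Rename built artifacts
        run: |
          for file in dist/*.deb; do
            mv "$file" "${file%.deb}-signed.deb"
          done
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # Replaces the daemon config with `live-restore: false` and reloads the
      # daemon. The reason live-restore must be off is not recorded here —
      # TODO document it.
      - name: Check docker config and disable live reload
        run: |
          cat /etc/docker/daemon.json
          echo '{ "live-restore": false }' | sudo tee /etc/docker/daemon.json
          sudo systemctl reload docker
      # Caller-controlled inputs are handed to the script through `env`
      # instead of being interpolated into its text, so a tag containing shell
      # metacharacters can only ever be data, never part of a command.
      - name: Build and push the images
        env:
          DOCKER_TAG: ${{ inputs.tag }}
          EXTRA_TAG_INPUT: ${{ inputs.extra_tag }}
          CACHE_ENABLED: ${{ inputs.cache_enabled }}
          BUILDX_BUILDER_NAME: ${{ steps.buildx.outputs.name }}
        run: |
          # EXTRA_TAG defaults to the main tag when no extra tag was given.
          if [ -n "$EXTRA_TAG_INPUT" ]; then
            export EXTRA_TAG="$EXTRA_TAG_INPUT"
          else
            export EXTRA_TAG="$DOCKER_TAG"
          fi
          # GHA cache is always read; writing it back is opt-in.
          if [ "$CACHE_ENABLED" = "true" ]; then
            CACHE_TO=(--set "*.cache-to=type=gha,mode=max")
          else
            CACHE_TO=()
          fi
          docker buildx bake \
            --set "*.cache-from=type=gha" "${CACHE_TO[@]}" \
            --set "*.platform=linux/amd64" \
            --builder "$BUILDX_BUILDER_NAME" \
            --sbom=true \
            --push \
            -f docker-compose.yml \
            app worker
      # Publishes the Docker Hub tag listing as the environment's deployment
      # URL; the tag is passed via env (see above) and the output file path is
      # quoted.
      - name: Set output url
        id: set-output-url
        env:
          DOCKER_TAG: ${{ inputs.tag }}
        run: |
          echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node-app/tags?name=${DOCKER_TAG}" >> "$GITHUB_OUTPUT"
      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
      # Re-resolves the tags from the bake file and signs each platform
      # manifest by digest (`repo@sha256:…`), so the signature is bound to the
      # exact content that was pushed rather than to a movable tag.
      - name: Sign the images
        env:
          DOCKER_TAG: ${{ inputs.tag }}
          # The build step exported EXTRA_TAG before baking; the same value is
          # provided here so `--print` reproduces the tags that were actually
          # pushed, should docker-compose.yml reference it — TODO confirm.
          EXTRA_TAG: ${{ inputs.extra_tag || inputs.tag }}
          # Legacy switch for the keyless flow; cosign 2.x (installed above)
          # presumably defaults to keyless, so this is kept for compatibility.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          # `.tags[]` yields every tag of every target; the original `add`
          # concatenated a target's tag list into one string, which only
          # worked when each target had exactly one tag. A digest reachable
          # from two tags is signed twice, which is harmless.
          # NOTE(review): `${app%%:*}` strips from the first ':' — wrong for
          # registries with a port in the host; fine for Docker Hub.
          for app in $(docker buildx bake -f docker-compose.yml --print --progress "plain" | jq -r '.target[].tags[]'); do
            for image in $(docker buildx imagetools inspect "$app" --raw | jq -r '.manifests[].digest'); do
              echo "Signing $image from $app"
              cosign sign --yes --verbose "${app%%:*}@$image"
            done
          done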