name: containers-multiarch
on:
  workflow_dispatch:
    inputs:
      image:
        description: "Image tag (e.g., ghcr.io/stella-ops/example:edge)"
        required: true
      context:
        description: "Build context directory"
        required: true
        default: "."
      platforms:
        description: "Platforms (comma-separated)"
        required: false
        default: "linux/amd64,linux/arm64"
      push:
        description: "Push to registry"
        required: false
        default: "false"

jobs:
  build-multiarch:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true

      - name: Install syft (SBOM)
        uses: anchore/sbom-action/download-syft@v0

      - name: Login to ghcr (optional)
        if: ${{ github.event.inputs.push == 'true' && secrets.GHCR_TOKEN != '' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}

      - name: Run multi-arch build
        env:
          COSIGN_EXPERIMENTAL: "1"
        run: |
          chmod +x scripts/buildx/build-multiarch.sh
          extra=""
          if [[ "${{ github.event.inputs.push }}" == "true" ]]; then extra="--push"; fi
          scripts/buildx/build-multiarch.sh \
            "${{ github.event.inputs.image }}" \
            "${{ github.event.inputs.context }}" \
            --platform "${{ github.event.inputs.platforms }}" \
            --sbom syft ${extra}

      - name: Build air-gap bundle
        run: |
          chmod +x scripts/buildx/build-airgap-bundle.sh
          scripts/buildx/build-airgap-bundle.sh "${{ github.event.inputs.image }}"

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: buildx-${{ github.event.inputs.image }}
          path: out/buildx/**

      - name: Inspect built image archive
        run: |
          set -e
          ls -lh out/buildx/
          find out/buildx -name "image.oci" -print -exec sh -c 'tar -tf "$1" | head' _ {} \;

      - name: Upload air-gap bundle
        uses: actions/upload-artifact@v4
        with:
          name: bundle-${{ github.event.inputs.image }}
          path: out/bundles/**

      - name: Inspect remote image (if pushed)
        if: ${{ github.event.inputs.push == 'true' }}
        run: |
          docker buildx imagetools inspect "${{ github.event.inputs.image }}"