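---
# Builds the Nix-defined runner container image and publishes it to GHCR.
# Manual trigger only: the caller chooses the destination image name and tag.
name: runner image

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      image:
        description: "Destination image name; blank publishes under this repo's GHCR namespace"
        required: false
        default: ""
      tag:
        description: "Destination image tag"
        required: true
        default: "1.0"

# Job-token permissions kept to what the steps need: `packages: write` for the
# GHCR push, `contents: read` for checkout.
# NOTE(review): no step below uses OIDC itself; `id-token: write` is presumably
# consumed by the Determinate Nix action — confirm, and drop it if unused.
permissions:
  contents: read
  id-token: write
  packages: write

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@v3

      # Workflow inputs reach the shell only through env (never via ${{ }}
      # inside `run`) and are checked against a strict character set before
      # any later step uses them.
      - name: Resolve destination image
        id: image
        env:
          INPUT_IMAGE: ${{ inputs.image }}
          INPUT_TAG: ${{ inputs.tag }}
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          image="$INPUT_IMAGE"
          if [ -z "$image" ]; then
            # Image references must be lowercase; ${REPOSITORY,,} lowercases in bash.
            image="ghcr.io/${REPOSITORY,,}/runner-nix"
          fi
          # Allowed: lowercase alnum plus / : . _ -  (":" permits a registry port).
          case "$image" in
            "" | *[!a-z0-9/:._-]*)
              echo "invalid image name: $image" >&2
              exit 2
              ;;
          esac
          # Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}
          # (first character restricted, at most 128 characters).
          case "$INPUT_TAG" in
            "" | [!A-Za-z0-9_]* | *[!A-Za-z0-9_.-]*)
              echo "invalid image tag: $INPUT_TAG" >&2
              exit 2
              ;;
          esac
          if [ "${#INPUT_TAG}" -gt 128 ]; then
            echo "invalid image tag (longer than 128 characters): $INPUT_TAG" >&2
            exit 2
          fi
          printf 'image=%s\n' "$image" >> "$GITHUB_OUTPUT"
          printf 'tag=%s\n' "$INPUT_TAG" >> "$GITHUB_OUTPUT"

      - name: Build image tarball
        run: nix build ./deploy/runner-images#runnerImage --print-build-logs

      # `result` is the symlink `nix build` leaves pointing at the image tarball.
      - name: Load image
        run: docker load < result

      # SOURCE_IMAGE must match the name:tag baked into the Nix image
      # derivation; it is unrelated to the `tag` input's default value.
      # Validated step outputs are still passed through env rather than
      # interpolated into the command line, as defense in depth.
      - name: Tag image
        env:
          SOURCE_IMAGE: ghcr.io/shithub/runner-nix:1.0
          DEST_IMAGE: ${{ steps.image.outputs.image }}
          DEST_TAG: ${{ steps.image.outputs.tag }}
        run: docker tag "$SOURCE_IMAGE" "${DEST_IMAGE}:${DEST_TAG}"

      # The login uses GITHUB_TOKEN, which is expected to push only to packages
      # in this repository owner's GHCR namespace; an `image` input pointing at
      # another registry or owner will fail at the push step.
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push image
        env:
          DEST_IMAGE: ${{ steps.image.outputs.image }}
          DEST_TAG: ${{ steps.image.outputs.tag }}
        run: docker push "${DEST_IMAGE}:${DEST_TAG}"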