name: Pantry build

on:
  push:
    branches: [ "trunk" ]

env:
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [ 18.x ]

    steps:
    - uses: actions/checkout@v3

    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v3
      with:
        node-version: ${{ matrix.node-version }}
        cache: 'yarn'
    - name: Install Node.js packages
      run: yarn install
    - name: Run build injection
      run: yarn inject

    - name: Use Java 17
      uses: actions/setup-java@v3
      with:
        distribution: 'temurin'
        java-version: '17'
        cache: 'maven'
    - name: Maven package
      run: mvn package -Pnative

    - name: Install cosign
      uses: sigstore/cosign-installer@v2
      with:
        cosign-release: 'v1.11.0'
    - name: Setup Docker buildx
      uses: docker/setup-buildx-action@v2
    - name: Log into DockerHub
      uses: docker/login-action@v2
      with:
        username: ${{ github.actor }}
        password: ${{ secrets.DOCKER_PASSWORD }}
    - name: Extract Docker metadata
      id: meta
      uses: docker/metadata-action@v4
      with:
        images: ${{ env.IMAGE_NAME }}
    - name: Build and push Docker image
      id: build-and-push
      uses: docker/build-push-action@v3
      with:
        context: .
        file: src/main/docker/Dockerfile.native
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha
        cache-to: type=gha,mode=max

    # Sign the resulting Docker image digest.
    # https://github.com/sigstore/cosign
    - name: Sign the published Docker image
      env:
        COSIGN_EXPERIMENTAL: "true"
      # This step uses the identity token to provision an ephemeral certificate
      # against the sigstore community Fulcio instance.
      run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}