name: publish-image

on:
  push:
    branches:
      - main
    paths-ignore:
      - 'docs/**'

  workflow_dispatch:

env:
  REGISTRY: quay.io
  QUAY_ORG: centos-boot

jobs:

  build-and-push-image:
    runs-on: ubuntu-latest

    container:
      image: quay.io/centos-boot/builder:latest@sha256:c57f2d2e9672baaddf501ee91c799903517c4b6ee38fd2dbd6e98171fd1c180c
      options: --privileged

    strategy:
      matrix:
        os: [fedora, centos]
        tier: [tier-1]
        include:
        - os: fedora
          version: eln
        - os: centos
          version: stream9

    steps:
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      # The --privileged bits seem to trip this up
      - name: Ensure git safe directory
        run: git config --global --add safe.directory '*'

      - name: Set SOURCE_DATE_EPOCH
        run: echo SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) >> $GITHUB_ENV

      - name: Build and Push
        run: |
          echo "${{ secrets.QUAY_PASSWORD }}" | skopeo login -u "${{ secrets.QUAY_USER }}" \
          --password-stdin ${{ env.REGISTRY }}
          rpm-ostree compose image --initialize-mode if-not-exists \
          --format=registry ${{ matrix.os }}-${{ matrix.tier }}-${{ matrix.version }}.yaml \
          ${{ env.REGISTRY }}/${{ env.QUAY_ORG }}/${{ matrix.os }}-${{ matrix.tier}}:${{ matrix.version }}