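# Builds the libreshop nginx image on pushes and pull requests to main.
# The image is pushed to the registry only on push events, and only when
# the PUBLISH_ENABLED variable is "true".
name: Build and publish

on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:
    branches: [main]

# Required secrets:
#   REGISTRY        git.librete.ch
#   REGISTRY_USER   libretech-bot
#   REGISTRY_PASS   bot PAT (write:package; bot is in libreshop Owners team)
#                   NOTE(review): Owners-team membership likely grants more
#                   than package write; a team limited to packages would
#                   narrow what a leaked PAT can do. Confirm on the forge.
# Required variable:
#   PUBLISH_ENABLED "true" to actually push (off = build-only on PRs)
#
# Image: git.librete.ch/libreshop/nginx
#   main pushes → :main + :sha-<short>
#   tag pushes  → :<tag> + :latest
#
# NOTE(review): the actions below (@v4/@v3/@v5/@v6) and runner-image:v1 are
# referenced by mutable tags. Pinning each to a full commit SHA / image
# digest keeps a retagged upstream from running next to the registry
# credentials.

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: git.librete.ch/libretech/runner-image:v1
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Credentials are only needed for the push, so the login is gated on
      # the same condition as `push:` below. Pull-request builds then never
      # handle REGISTRY_PASS, and a run without secrets does not fail here.
      - name: Login (only when publishing)
        if: ${{ vars.PUBLISH_ENABLED == 'true' && github.event_name == 'push' }}
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}

      # Derives the tag list: branch name, git tag name, sha-<short>, and
      # `latest` for tag refs only.
      # NOTE(review): the image name is built from secrets.REGISTRY. On a run
      # where secrets are not exposed (commonly fork PRs; confirm for this
      # forge) it expands to "/libreshop/nginx".
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ secrets.REGISTRY }}/libreshop/nginx
          tags: |
            type=ref,event=branch
            type=ref,event=tag
            type=sha,format=short
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}

      # Always builds; pushes only on push events with publishing enabled.
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ vars.PUBLISH_ENABLED == 'true' && github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}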