authentik/.github/workflows/_reusable-docker-build-single.yml

---
# Re-usable workflow for a single-architecture build
name: Reusable - Single-arch Container build

on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      image_arch:
        required: true
        type: string
      runs-on:
        required: true
        type: string
      registry_dockerhub:
        default: false
        type: boolean
      registry_ghcr:
        default: false
        type: boolean
      release:
        default: false
        type: boolean
    outputs:
      image-digest:
        value: ${{ jobs.build.outputs.image-digest }}

jobs:
  build:
    name: Build ${{ inputs.image_arch }}
    runs-on: ${{ inputs.runs-on }}
    outputs:
      image-digest: ${{ steps.push.outputs.digest }}
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
      # Needed for checkout
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
          image-arch: ${{ inputs.image_arch }}
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        id: push
        with:
          context: .
          file: lifecycle/container/Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            ${{ steps.ev.outputs.imageBuildArgs }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true