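# Manually triggered workflow: builds the image in `server/` once per
# architecture on a native runner, pushes each as `latest-<arch>` to ECR,
# then joins the two tags into a multi-arch `latest` manifest list.
#
# NOTE(review): every action below is referenced by a mutable major-version
# tag (@v2..@v5). Pinning each `uses:` to a full commit SHA keeps a retagged
# upstream release from running with the AWS credentials in these jobs.
name: Build container/push to container registry

on: [workflow_dispatch]

env:
  # 950402358378.dkr.ecr.us-east-1.amazonaws.com/reflector
  AWS_REGION: us-east-1
  ECR_REPOSITORY: reflector

jobs:
  build:
    strategy:
      matrix:
        include:
          - platform: linux/amd64
            runner: linux-amd64
            arch: amd64
          - platform: linux/arm64
            runner: linux-arm64
            arch: arm64
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
    outputs:
      # Not consumed by any job visible in this file.
      registry: ${{ steps.login-ecr.outputs.registry }}
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step in this job runs git, so do not leave the job
          # token in .git/config on the runner.
          persist-credentials: false

      # NOTE(review): long-lived access keys held as repository secrets.
      # This action also supports OIDC role assumption (`role-to-assume`
      # with `id-token: write` on the job), which yields short-lived
      # credentials and removes the stored keys. Either way, the IAM
      # principal should be scoped to push access on this one repository.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # NOTE(review): only mutable tags are pushed; each run overwrites
      # `latest-<arch>`. An additional immutable tag (for example one
      # derived from github.sha) would let consumers pin and roll back.
      - name: Build and push ${{ matrix.arch }}
        uses: docker/build-push-action@v5
        with:
          context: server
          platforms: ${{ matrix.platform }}
          push: true
          tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest-${{ matrix.arch }}
          cache-from: type=gha,scope=${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
          # NOTE(review): a custom secret replaces the default github.token;
          # presumably for the gha cache (going by the secret name) -
          # confirm it is still needed and narrowly scoped.
          github-token: ${{ secrets.GHA_CACHE_TOKEN }}
          # Keeps each per-arch push a plain single-platform manifest; with
          # attestations on, buildx pushes an image index, which
          # `docker manifest create` cannot take as a member. Trade-off:
          # no build provenance attestation is attached to the image.
          provenance: false

  create-manifest:
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      # NOTE(review): no step visible in this job calls the GitHub
      # deployments API; drop `deployments: write` if nothing else needs it.
      deployments: write
      contents: read
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Create and push multi-arch manifest
        env:
          # Registry host comes from this job's own login step, the same
          # output the build job tags with, so no extra
          # `aws ecr describe-registry` call (or IAM permission) is needed.
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          set -euo pipefail

          # Fail early instead of pushing to a malformed reference if the
          # login step produced no registry host.
          : "${ECR_REGISTRY:?registry output from login-ecr is empty}"

          # ECR_REPOSITORY is exported from the workflow-level env block;
          # reading it as a quoted shell variable avoids splicing
          # expression text into the script.
          image="${ECR_REGISTRY}/${ECR_REPOSITORY}"

          docker manifest create \
            "${image}:latest" \
            "${image}:latest-amd64" \
            "${image}:latest-arm64"

          docker manifest push "${image}:latest"

          echo "✅ Multi-arch manifest pushed: ${image}:latest"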