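---
# Builds the container image from the repository Dockerfile with Podman and
# pushes it to the registry under two tags: the commit SHA and the tag read
# from the Dockerfile's first FROM line. Runs on pushes to master only.
name: build

on:
  push:
    branches: [master]

# The workflow token only needs to read the repository contents.
permissions:
  contents: read

env:
  REGISTRY_SERVER: docker.io
  RELEASE_IMAGE_NAME: docker.io/genunix/homeassistant
  KUBERNETES_NAMESPACE: hass

jobs:
  build-and-publish:
    if: github.event_name == 'push'
    runs-on: docker
    container:
      # NOTE(review): v5.4 is a mutable tag. Consider pinning by digest
      # (quay.io/podman/stable@sha256:<DIGEST_PLACEHOLDER>) so the build
      # toolchain cannot change underneath this job.
      image: quay.io/podman/stable:v5.4
      # NOTE(review): the job container runs privileged, as root, with seccomp
      # unconfined, and later steps hold registry credentials. Confirm the
      # runner host is dedicated to trusted builds. With the vfs storage
      # driver /dev/fuse may not be needed - TODO confirm before narrowing.
      options: >-
        --privileged
        --security-opt seccomp=unconfined
        --device /dev/fuse
        --user root
      env:
        CONTAINERS_STORAGE_DRIVER: vfs
        BUILDAH_FORMAT: docker
        XDG_RUNTIME_DIR: /tmp/run
    steps:
      - name: Checkout
        env:
          SERVER_URL: ${{ github.server_url }}
          REPOSITORY: ${{ github.repository }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          # Install git and ca-certs if missing (works across base distros)
          if ! command -v git >/dev/null 2>&1; then
            (command -v microdnf >/dev/null 2>&1 && microdnf -y install git ca-certificates tar gzip) \
            || (command -v dnf >/dev/null 2>&1 && dnf -y install git ca-certificates tar gzip) \
            || (command -v apk >/dev/null 2>&1 && apk add --no-cache git ca-certificates tar gzip) \
            || (command -v apt-get >/dev/null 2>&1 && apt-get update && apt-get install -y git ca-certificates tar gzip)
          fi
          # Prepare auth if provided
          HOST=$(echo "$SERVER_URL" | sed -E 's#https?://([^/]+)/?.*#\1#')
          # Use token as password with a placeholder username
          if [ -n "${GITHUB_TOKEN:-}" ]; then
            # Drop the credential file when this step exits (success or
            # failure) so the token is not left on disk for later steps.
            trap 'rm -f "$HOME/.netrc"' EXIT
            # Create the file owner-only from the start instead of relying on
            # a chmod after the token has already been written.
            (umask 077 && printf "machine %s login %s password %s\n" "$HOST" "token" "$GITHUB_TOKEN" > "$HOME/.netrc")
            chmod 600 "$HOME/.netrc"
          fi
          # Initialize and fetch exact commit
          git init
          git remote add origin "${SERVER_URL}/${REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout -q FETCH_HEAD

      - name: Podman login
        env:
          REGISTRY_USERNAME: ${{ secrets.dockerhub_username }}
          REGISTRY_PASSWORD: ${{ secrets.dockerhub_password }}
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          mkdir -p /var/lib/containers "$XDG_RUNTIME_DIR"
          # Password goes over stdin so it never appears in the process list.
          printf '%s' "$REGISTRY_PASSWORD" | podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_SERVER"

      - name: Build image
        id: build
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          # Upstream version = tag of the first FROM line in the Dockerfile.
          HASS_VERSION=$(grep -E '^FROM ' Dockerfile | head -n1 | cut -d ':' -f 2)
          # The value is later used as an image tag, so fail here unless it is
          # a well-formed tag (e.g. FROM without a tag, or "tag AS stage").
          if ! printf '%s' "$HASS_VERSION" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "Could not derive a valid image tag from the Dockerfile FROM line" >&2
            exit 1
          fi
          echo "HASS_VERSION=$HASS_VERSION" >> "$GITHUB_OUTPUT"
          echo "== Building ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          podman build --pull-always --format docker -t "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" .

      - name: Publish image
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the value is never parsed as shell code.
          HASS_VERSION: ${{ steps.build.outputs.HASS_VERSION }}
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          echo "== Publishing ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          echo "== Publishing ${RELEASE_IMAGE_NAME}:${HASS_VERSION}"
          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${HASS_VERSION}"

      - name: Logout
        if: always()
        run: |
          podman logout "${REGISTRY_SERVER}"

      - name: Notify via Pushover on failure
        if: failure()
        env:
          # Secrets and context values reach the script as environment
          # variables instead of being substituted into the command text.
          PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
          PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
          REPOSITORY: ${{ github.repository }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # No -v: verbose transfer output does not belong in the job log of a
          # request that carries credentials. --form-string sends each value
          # literally (no @file / <file interpretation as with -F).
          curl --fail --silent --show-error \
            --form-string "token=${PUSHOVER_TOKEN}" \
            --form-string "user=${PUSHOVER_USER}" \
            --form-string "title=HomeAssistant Build Failed" \
            --form-string "url=${RUN_URL}" \
            --form-string "message=Workflow failed on ${REPOSITORY}" \
            https://api.pushover.net/1/messages.json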