name: Build Image

on:
    push:
        branches:
            - main

        tags:
            - v*

        paths:
            - .github/workflows/build.yml
            - '**/*.go'
            - go.mod
            - go.sum
            - Dockerfile
            - .dockerignore

env:
    FORCE_COLOR: true
    REGISTRY: ghcr.io
    IMAGE_NAME: ${{ github.repository }}

jobs:
    Build:
        runs-on: ubuntu-latest

        permissions:
            contents: read
            packages: write
            attestations: write
            id-token: write

        steps:
            - uses: actions/checkout@v4

            - name: Set up Buildx
              uses: docker/setup-buildx-action@v3

            - name: Log in to Registry
              uses: docker/login-action@v3
              with:
                  registry: ${{ env.REGISTRY }}
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_ACTION }}

            - name: Extract metadata
              id: meta
              uses: docker/metadata-action@v5
              with:
                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

            - name: Build and push image
              id: push
              uses: docker/build-push-action@v6
              with:
                  context: .
                  push: true
                  tags: ${{ steps.meta.outputs.tags }}
                  labels: ${{ steps.meta.outputs.labels }}

            - name: Generate attestation
              uses: actions/attest-build-provenance@v1
              with:
                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                  subject-digest: ${{ steps.push.outputs.digest }}
                  push-to-registry: true