name: Release

on:
  push:
    tags:
      - '*'
  workflow_dispatch:

env:
    REGISTRY_USER: ${{ github.actor }}
    REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

jobs:
  verify-image:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install dependencies
      run: sudo apt-get install -y libfyaml-utils

    - name: Read base image name from recipe
      id: read_base_recipe
      run: |
        BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
        echo The base image is $BASE_IMAGE
        if [ -z $BASE_IMAGE ]; then exit 1; fi
        echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
        echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"

    - name: Verify Base Image Integrity
      run: |
        gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
      env:
        GH_TOKEN: ${{ github.token }}

  release:
    runs-on: ubuntu-latest
    needs: verify-image
    permissions:
      contents: write # Allow actions to create release
      attestations: write # To create and write attestations
      id-token: write # Additional permissions for the persistence of the attestations
    
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: vanilla-os/vib-gh-action@v0.8.1
        with:
            recipe: 'recipe.yml'
            plugins: 'Vanilla-OS/vib-fsguard:v1.5.3'

      - uses: actions/upload-artifact@v4
        with:
            name: Containerfile
            path: Containerfile

      - name: Create Release
        env:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "${{ github.ref_name }}" --generate-notes Containerfile

      - name: Attest Release Files
        id: attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'Containerfile'