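---
# Builds an rpm-ostree based bootable container image (via ./builder.sh) and
# pushes the resulting OCI archive straight to the registry with skopeo.
#
# NOTE(review): the source paste interleaved a second revision of this workflow
# (a buildah `tar -xp` layer-extraction variant, hard-coded to asahi-cosmic 43)
# inside the push step below. This reconstruction keeps the outer, matrix-driven
# revision, which pushes the OCI archive directly.
name: Build containers

on:  # yamllint disable-line rule:truthy -- `on` is the Actions trigger key, not a boolean
  workflow_dispatch:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]

# The job only reads the repository; registry credentials come from repository
# secrets, so GITHUB_TOKEN needs nothing beyond contents:read.
permissions:
  contents: read

# Two overlapping runs would race on the same `${version}` tag; serialize per ref.
concurrency:
  group: build-containers-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build_push:
    name: Build and push image
    runs-on: coole-runner
    strategy:
      fail-fast: false
      matrix:
        image: [asahi-cosmic]
        # Quoted so the value is always the string "43" (used as an image tag),
        # never re-typed by a YAML parser.
        version: ["43"]
    container:
      image: "quay.io/fedora-ostree-desktops/buildroot:${{ matrix.version }}"
      # rpm-ostree compose needs a privileged container with /dev/fuse and the
      # host root mounted read-write. This removes most isolation between the
      # job and the runner host, so everything this job executes (including
      # ./builder.sh from the checked-out ref) must be treated as trusted code;
      # keep fork PRs behind the usual approval gate.
      options: >-
        --security-opt=label=disable --privileged --user 0:0
        --device=/dev/fuse --volume /:/run/host:rw
    steps:
      - name: Install rpm-ostree + tools
        # updates-testing is enabled for rpm-ostree only; note this makes the
        # build depend on whatever is in testing on the day it runs.
        run: |
          dnf upgrade -y --enablerepo=updates-testing --refresh rpm-ostree
          dnf install -y nodejs skopeo jq
          # presumably a home for registry auth; nothing in this workflow
          # writes there (podman-login uses /tmp/auth.json) -- TODO confirm
          mkdir -p ~/.docker

      - name: Fix containers/storage.conf
        # The overlay driver is not usable inside this container; fall back to vfs.
        run: |
          sed -i 's/driver = "overlay"/driver = "vfs"/' /usr/share/containers/storage.conf

      - name: Checkout
        # TODO(review): pin to a full commit SHA (<checkout-commit-sha>) instead
        # of the mutable v4 tag so a re-pointed tag cannot change what runs here.
        uses: actions/checkout@v4

      - name: Log in to registry
        # Registry secrets are not exposed to fork pull_request runs, and an
        # unmerged PR must not be able to overwrite published tags, so only
        # authenticate (and, below, push) on push / workflow_dispatch runs.
        if: github.event_name != 'pull_request'
        uses: redhat-actions/podman-login@v1
        with:
          registry: git.plabble.org
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_TOKEN }}
          auth_file_path: /tmp/auth.json

      - name: Build rootfs (rpm-ostree compose image)
        # matrix.* values are literals defined in this file, so interpolating
        # them into the shell line is safe; never do this with PR-controlled input.
        run: |
          sudo ./builder.sh "${{ matrix.image }}" "${{ matrix.version }}"

      - name: Push OCI archive to registry
        if: github.event_name != 'pull_request'
        # `set -x` echoes every command; safe here because authentication goes
        # through --authfile, so no credential ever appears on a command line.
        run: |
          set -xeuo pipefail

          IMAGE="${{ matrix.image }}"
          REGISTRY="git.plabble.org/misthios"
          ARCHIVE="images/${IMAGE}/manifest.ociarchive"

          if [[ ! -f "${ARCHIVE}" ]]; then
            echo "OCI archive not found: ${ARCHIVE}" >&2
            exit 1
          fi

          # Build ID (YYYYMMDD.0). Unless .buildid is committed to the repo,
          # the checkout never carries one over, so every run regenerates it
          # from today's date and the file written here is discarded.
          if [[ -f ".buildid" ]]; then
            buildid="$(< .buildid)"
          else
            buildid="$(date '+%Y%m%d.0')"
            echo "${buildid}" > .buildid
          fi

          # Extract version from os-release mutation. jq prints the literal
          # string "null" when the key is absent, which would otherwise end up
          # as a "null.<buildid>" tag, so reject that explicitly.
          version="$(rpm-ostree compose tree --print-only --repo=repo manifests/${IMAGE}.yaml | jq -r '."mutate-os-release"')"
          if [[ -z "${version}" || "${version}" == "null" ]]; then
            echo "mutate-os-release not set in manifests/${IMAGE}.yaml" >&2
            exit 1
          fi

          # Full tag: version.buildid
          full_tag="${version}.${buildid}"

          echo "Pushing ${ARCHIVE} → ${REGISTRY}/${IMAGE}:${full_tag}"

          # Push OCI archive directly (preserves SUID, ownership, labels)
          skopeo copy \
            --authfile /tmp/auth.json \
            --retry-times 3 \
            --dest-compress-format zstd \
            "oci-archive:${ARCHIVE}" \
            "docker://${REGISTRY}/${IMAGE}:${full_tag}"

          # Also push version-only tag (registry-to-registry copy of what was
          # just pushed, so both tags reference the same manifest)
          skopeo copy \
            --authfile /tmp/auth.json \
            --retry-times 3 \
            --dest-compress-format zstd \
            "docker://${REGISTRY}/${IMAGE}:${full_tag}" \
            "docker://${REGISTRY}/${IMAGE}:${version}"

          echo "Pushed:"
          echo " - ${REGISTRY}/${IMAGE}:${full_tag}"
          echo " - ${REGISTRY}/${IMAGE}:${version}"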