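---
# Composite action: build an image with Buildx, push it to the configured
# registry, then (optionally) fetch the Harbor scan report for the pushed
# digest and post it as a PR comment.
name: "Build, Scan and Push Image"
description: "Build, Scan and Push Image to Self Hosted Registry"

inputs:
  push:
    description: "Push to Registry"
    required: false
    default: "true"
  image:
    description: "Image Name"
    required: true
  build-args:
    description: "Build Arguments"
    required: false
  file:
    description: "Dockerfile Path"
    required: false
  registry:
    description: "Registry URL"
    required: true
    default: reg.dev.krd
  username:
    required: true
    description: "Username for registry"
  # Consumed by the login and scan steps below; pass a secret, never a literal.
  password:
    required: true
    description: "Password for registry"
  build-secrets:
    required: false
    description: "Build Secrets"
  harbor-scan-report:
    required: false
    default: "true"
    description: "Should try to get harbor scan report"
  comment-harbor-scan-report:
    required: false
    default: "true"
    description: "Should comment harbor scan report on PR"
  # When empty, an existing comment is never looked up and a new one is
  # always created (see the comment step for why).
  harbor-scan-report-comment-marker:
    required: false
    default: ''
    description: "Comment marker for harbor scan report"

outputs:
  digest:
    description: "Digest"
    value: ${{ steps.build-and-push.outputs.digest }}
  tag:
    description: "Image Tag"
    value: ${{ steps.set_tag.outputs.tag }}
  tags:
    description: "Image Tags"
    value: ${{ steps.meta.outputs.tags }}

runs:
  using: "composite"
  steps:
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - id: meta
      name: Extract Metadata
      uses: docker/metadata-action@v5
      with:
        images: ${{ inputs.registry }}/${{ inputs.image }}
        flavor: latest=false
        # The highest-priority tag is emitted first and is what "Set Tag"
        # picks (.tags[0]).
        tags: |
          # Pull Request
          type=ref,event=pr
          type=ref,event=pr,suffix=-{{sha}},priority=8887 # 2
          # Branches
          type=ref,event=branch
          type=ref,event=branch,suffix=-{{sha}},priority=8888 # 2
          # Releases
          type=semver,pattern={{major}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{version}},priority=9999 #1

    - name: Login to Registry
      uses: docker/login-action@v3
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}

    - name: Build Docker images
      uses: docker/build-push-action@v6
      id: build-and-push
      with:
        push: ${{ inputs.push }}
        file: ${{ inputs.file }}
        tags: ${{ steps.meta.outputs.tags }}
        cache-to: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache,mode=max
        cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
        build-args: ${{ inputs.build-args }}
        secrets: ${{ inputs.build-secrets }}

    # Exposes the first (highest-priority) tag from the metadata JSON as an
    # output so the scan step can address the image by tag.
    - name: Set Tag
      id: set_tag
      shell: bash
      run: |
        # Fail the step instead of silently emitting an empty tag if the
        # metadata JSON is missing or jq cannot parse it.
        set -euo pipefail
        extracted_tag=$(echo "$json" | jq -r '.tags | .[0]')
        echo "tag=$extracted_tag" >> "$GITHUB_OUTPUT"
      env:
        json: ${{ steps.meta.outputs.json }}

    - name: Harbor Scan Results
      id: harbor-scan-results
      # The comparison must live inside ${{ }}: with text outside the
      # expression the value is the non-empty string "true == 'true'" /
      # "false == 'true'", which is always truthy, so the step ran
      # unconditionally.
      if: ${{ inputs.harbor-scan-report == 'true' }}
      # NOTE(review): "@main" is a mutable ref on a third-party action; pin to
      # a release tag or full commit SHA so an upstream change cannot alter
      # what runs here with registry credentials.
      uses: ditkrg/harbor-scan-results-action@main
      with:
        image: ${{ steps.set_tag.outputs.tag }}
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
        digest: ${{ steps.build-and-push.outputs.digest }}

    - name: Comment on active branch PR
      uses: actions/github-script@v7
      # Same fix as above: keep the whole comparison inside ${{ }}.
      if: ${{ inputs.comment-harbor-scan-report == 'true' }}
      env:
        COMMENT_MARKER: ${{ inputs.harbor-scan-report-comment-marker }}
        # Passed through the environment, not interpolated into the script
        # text, so scanner-produced markdown cannot change what the script
        # executes.
        TRIVY_SCAN_RESULTS: ${{ steps.harbor-scan-results.outputs.report-markdown }}
      with:
        script: |
          // Resolve the PR to comment on. pull_request events carry it in the
          // payload (context.ref is refs/pull/N/merge there, so the branch
          // lookup below would find nothing); otherwise look it up from the
          // current branch. pulls.list returns open PRs by default.
          let prNumber = context.payload.pull_request && context.payload.pull_request.number;
          if (!prNumber) {
            const prs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              head: `${context.repo.owner}:${context.ref.replace('refs/heads/', '')}`
            });
            if (prs.data.length <= 0) {
              console.log('No open PR found for the current branch');
              return;
            }
            prNumber = prs.data[0].number;
          }

          // Nothing to post when the scan step was skipped or produced no
          // report; avoid leaving an empty comment on the PR.
          const report = process.env.TRIVY_SCAN_RESULTS || '';
          if (report.trim() === '') {
            console.log('No scan report available; skipping PR comment');
            return;
          }

          // Only search for an existing comment when a marker is configured:
          // `includes('')` is true for every comment, so an empty marker
          // would overwrite the first unrelated comment on the PR.
          const comment_marker = process.env.COMMENT_MARKER || '';
          let buildComment;
          if (comment_marker !== '') {
            // Paginate so the marker comment is still found on PRs with more
            // comments than one API page.
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              per_page: 100
            });
            buildComment = comments.find(comment =>
              (comment.body || '').includes(comment_marker)
            );
          }

          const commentBody = `${comment_marker}
          ${report}
          `;

          if (buildComment) {
            // Update existing comment
            await github.rest.issues.updateComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: buildComment.id,
              body: commentBody
            });
            console.log(`Updated comment to PR #${prNumber}`);
          } else {
            // Create new comment
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              body: commentBody
            });
            console.log(`Added comment to PR #${prNumber}`);
          }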