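---
# Reusable workflow (workflow_call): build an image with Buildx, optionally
# scan it with Trivy before anything leaves the runner, then push it to the
# registry. Registry credentials and build secrets come from the caller.
name: Build, Scan and Push Image

on:
  workflow_call:
    inputs:
      image:
        type: string
        required: true
        description: Image name excluding registry
      build-args:
        type: string
        required: false
        description: "List of build-time variables"
      file:
        type: string
        required: false
        description: Dockerfile path, passed straight through to build-push-action
      registry:
        type: string
        default: reg.dev.krd
        required: false
        description: Registry host the image and its build cache are pushed to
      runs-on:
        type: string
        # Consumed via fromJson() in the job below, so the default is written as
        # strict JSON (double-quoted strings); single quotes are not valid JSON.
        default: '["self-hosted", "ubuntu-focal"]'
        required: false
        description: JSON array of runner labels
      # Trivy options
      trivy:
        type: boolean
        required: false
        default: true
        description: Enable trivy image vulnerability check
      trivy-exit-code:
        type: number
        required: false
        default: 0
        description: Exit code when vulnerabilities were found
      trivy-severity:
        type: string
        required: false
        default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
        description: severities of vulnerabilities to be displayed (comma separated)
      trivy-format:
        type: string
        required: false
        default: table
        description: How to display the results
    secrets:
      username:
        required: true
      password:
        required: true
      build-secrets:
        required: false
        description: Forwarded verbatim to the `secrets` input of build-push-action

jobs:
  build-push:
    name: Build and Push
    runs-on: ${{ fromJson(inputs.runs-on) }}
    timeout-minutes: 10
    # Least privilege for the GITHUB_TOKEN: this job never writes to the
    # repository. Read access is kept because there is no checkout step, so
    # build-push-action works from its default Git context.
    permissions:
      contents: read
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - id: meta
        name: Extract Metadata
        uses: docker/metadata-action@v4
        with:
          # Both halves are workflow expressions. A bare `{{ inputs.image }}`
          # is not an expression and would be passed through literally,
          # producing an invalid image reference.
          images: ${{ inputs.registry }}/${{ inputs.image }}
          flavor: latest=false
          # `{{sha}}`, `{{major}}`, `{{minor}}`, `{{version}}` are
          # metadata-action template variables, not workflow expressions.
          # The highest-priority tag becomes tags[0], which the Trivy step
          # scans. Trailing inline notes are kept out of the tag lines so the
          # action never sees them as part of a tag.
          tags: |
            # Branches
            type=ref,event=branch
            type=ref,event=branch,suffix=-{{sha}},priority=8888
            # Releases
            type=semver,pattern={{major}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}},priority=9999

      - name: Login to Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ secrets.username }}
          password: ${{ secrets.password }}

      # Scan path: build into the local daemon only (load, no push) so Trivy
      # can inspect the image before it is published.
      - name: Build Docker images
        if: ${{ inputs.trivy }}
        uses: docker/build-push-action@v3
        with:
          load: true
          file: ${{ inputs.file }}
          tags: ${{ steps.meta.outputs.tags }}
          cache-to: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache,mode=max
          cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
          build-args: ${{ inputs.build-args }}
          secrets: ${{ secrets.build-secrets }}

      - name: Run Trivy vulnerability scanner
        if: ${{ inputs.trivy }}
        # TODO(review): pin to a release tag or commit SHA; a mutable branch
        # ref lets the scanner's code change without any change in this file.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
          # These must reference the declared `trivy-*` inputs. The undeclared
          # names used before (`inputs.format` etc.) expanded to empty strings,
          # so a caller's exit-code / severity / format were silently ignored
          # and the scan could never fail the job.
          format: ${{ inputs.trivy-format }}
          exit-code: ${{ inputs.trivy-exit-code }}
          severity: ${{ inputs.trivy-severity }}

      # Publish path: runs whether or not the scan was enabled. When it was,
      # a non-zero trivy-exit-code has already failed the job before this
      # step, so nothing that failed the gate is pushed. (The original file
      # repeated the load-only build step here, so no image was ever pushed.)
      - name: Push Docker images
        uses: docker/build-push-action@v3
        with:
          push: true
          file: ${{ inputs.file }}
          tags: ${{ steps.meta.outputs.tags }}
          cache-to: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache,mode=max
          cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.image }}:buildcache
          build-args: ${{ inputs.build-args }}
          secrets: ${{ secrets.build-secrets }}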