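# Build-and-push workflow: builds the admin image from ./Dockerfile and pushes
# it to the private registry under a mutable branch tag and a per-commit SHA
# tag. Runs only for push/manual events on dev, stage and main, and only after
# the 01-test workflow.
when:
  event: [push, manual]
  branch: [dev, stage, main]

depends_on:
  - 01-test

# Multi-arch matrix. Adding amd64 = uncommenting the second entry once an
# amd64 agent is online.
matrix:
  include:
    - PLATFORM: arm64
      TAG_SUFFIX: arm
    # - PLATFORM: amd64
    #   TAG_SUFFIX: amd

# Route each matrix entry to an agent advertising the matching platform label.
labels:
  platform: ${PLATFORM}

steps:
  - name: build-push
    # NOTE(review): `docker` carries no tag, so the step runs whatever the
    # default tag resolves to at run time. This container receives the registry
    # credentials and the host Docker socket, so pin it to a reviewed version
    # tag or digest to keep the build tooling reproducible and auditable.
    image: docker
    environment:
      # Registry credentials come from the CI secret store, never from the repo.
      REGISTRY_HOST:
        from_secret: registry_host
      REGISTRY_USER:
        from_secret: registry_user
      REGISTRY_TOKEN:
        from_secret: registry_token
    commands:
      # --password-stdin keeps the token out of the process argument list.
      - echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
      # Expansions below are double-quoted so that a value containing
      # whitespace or glob characters cannot split into extra arguments.
      - export BRANCH_TAG="${CI_COMMIT_BRANCH}-${TAG_SUFFIX}"
      # 12-char SHA prefix is human-readable while still globally-unique inside
      # the repo. Pair with TAG_SUFFIX so multi-arch entries don't collide.
      - export SHA_TAG="$(echo "$CI_COMMIT_SHA" | cut -c1-12)-${TAG_SUFFIX}"
      - export BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
      - export IMAGE="$REGISTRY_HOST/azaion/admin"
      # Build args and labels are recorded in the image metadata and history,
      # so only non-secret provenance values (commit, date, repo URL) belong
      # here. Never pass the registry token or other secrets as --build-arg.
      - |
        docker build -f Dockerfile \
          --build-arg CI_COMMIT_SHA="$CI_COMMIT_SHA" \
          --build-arg BUILD_DATE="$BUILD_DATE" \
          --label org.opencontainers.image.revision="$CI_COMMIT_SHA" \
          --label org.opencontainers.image.created="$BUILD_DATE" \
          --label org.opencontainers.image.source="$CI_REPO_URL" \
          -t "$IMAGE:$BRANCH_TAG" \
          -t "$IMAGE:$SHA_TAG" .
      # Mutable branch tag for "give me whatever's latest on dev" pulls.
      - docker push "$IMAGE:$BRANCH_TAG"
      # Immutable SHA tag — the deploy scripts pin to this and rollback uses it.
      # NOTE(review): nothing in this file enforces that immutability. Re-running
      # the pipeline for the same commit pushes the same tag again, and because
      # BUILD_DATE changes the new image has a different digest. Enable tag
      # immutability on the registry, or have deploy/rollback pin the digest,
      # if the tag must never move.
      - docker push "$IMAGE:$SHA_TAG"
      - echo "Pushed $IMAGE:$BRANCH_TAG and $IMAGE:$SHA_TAG"
    volumes:
      # The host Docker socket gives this step full control of the agent's
      # Docker daemon, which is effectively root on the agent host. Woodpecker
      # honours `volumes` only for repositories marked trusted; keep this
      # workflow limited to protected branches and run it on agents that do not
      # also serve untrusted repositories.
      - /var/run/docker.sock:/var/run/docker.sock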