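---
# Tekton Task: builds a linux/arm64 OCI image with Buildah, wraps it in a
# manifest list and pushes it as IMAGE:latest (and IMAGE:TAG when TAG is not
# "latest"). Emits the pushed digest and a digest-qualified image URL as results.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: buildah-build-push
  namespace: tekton-pipelines
spec:
  description: Build container image with Buildah and push as OCI manifest list
  params:
    - name: IMAGE
      description: Image reference without tag (registry/repo)
      type: string
    - name: TAG
      description: Image tag (e.g., commit SHA or branch)
      type: string
      default: latest
    - name: DOCKERFILE
      description: Path to Dockerfile
      type: string
      default: ./Dockerfile
    - name: CONTEXT
      description: Build context directory
      type: string
      default: "."
    - name: BUILD_ARGS
      description: Build arguments (key=value format, one per line)
      type: string
      default: ""
  workspaces:
    - name: source
      description: Source code workspace
    - name: dockerconfig
      description: Docker config for registry auth
      optional: true
  results:
    - name: IMAGE_DIGEST
      description: Digest of built image
    - name: IMAGE_URL
      description: Full URL of pushed image with digest
  steps:
    - name: build-and-push
      # NOTE(review): the builder image is referenced by a mutable tag.
      # Pinning it by digest (image@sha256:<digest-of-reviewed-image>) keeps
      # the toolchain that handles registry credentials from changing silently.
      image: quay.io/buildah/stable:v1.33
      # NOTE(review): a privileged step runs with full capabilities on the
      # node while executing instructions from the Dockerfile under build.
      # Left as-is because dropping it depends on cluster and storage-driver
      # setup not visible here; confirm whether a narrower securityContext
      # is workable for this cluster.
      securityContext:
        privileged: true
      workingDir: $(workspaces.source.path)
      # Every param reaches the script through the environment instead of
      # being interpolated into the script text. Tekton substitutes params
      # textually before the shell parses the script, so a param value that
      # contains quotes, newlines or command substitutions would otherwise be
      # executed as shell code inside this privileged step.
      env:
        - name: BUILD_ARGS
          value: "$(params.BUILD_ARGS)"
        - name: PARAM_IMAGE
          value: "$(params.IMAGE)"
        - name: PARAM_TAG
          value: "$(params.TAG)"
        - name: PARAM_DOCKERFILE
          value: "$(params.DOCKERFILE)"
        - name: PARAM_CONTEXT
          value: "$(params.CONTEXT)"
      script: |
        #!/usr/bin/env bash
        # No xtrace (-x): tracing would echo the registry password parsed
        # below into the TaskRun log.
        set -e -o pipefail

        IMAGE="$PARAM_IMAGE"
        TAG="$PARAM_TAG"
        REGISTRY=$(echo "$IMAGE" | cut -d'/' -f1)
        DOCKERCONFIG_FILE="$(workspaces.dockerconfig.path)/.dockerconfigjson"

        # Login to registry (only when the optional workspace supplies a config)
        if [ -f "$DOCKERCONFIG_FILE" ]; then
          REG_USER=$(sed -n 's/.*"username":"\([^"]*\)".*/\1/p' "$DOCKERCONFIG_FILE")
          REG_PASS=$(sed -n 's/.*"password":"\([^"]*\)".*/\1/p' "$DOCKERCONFIG_FILE")
          # Password goes over stdin so it never appears in the process
          # argument list.
          printf '%s' "$REG_PASS" | buildah login -u "$REG_USER" --password-stdin "$REGISTRY"
        fi

        # Parse build args: one key=value per line. An array keeps each line
        # as a single argument, so whitespace inside a value cannot split
        # into extra buildah options.
        BUILD_ARG_FLAGS=()
        while IFS= read -r line; do
          if [ -n "$line" ]; then
            BUILD_ARG_FLAGS+=(--build-arg "$line")
          fi
        done <<< "$BUILD_ARGS"

        # Build OCI image
        buildah bud --platform linux/arm64 --format oci \
          -f "$PARAM_DOCKERFILE" -t localhost/build:local \
          "${BUILD_ARG_FLAGS[@]}" "$PARAM_CONTEXT"

        # Create and push manifest list with :latest tag
        buildah manifest create "${IMAGE}:latest"
        buildah manifest add "${IMAGE}:latest" localhost/build:local
        buildah manifest push --all --digestfile /tmp/image-digest \
          "${IMAGE}:latest" "docker://${IMAGE}:latest"

        # Also push with specific tag if not 'latest'
        if [ "$TAG" != "latest" ]; then
          buildah manifest create "${IMAGE}:${TAG}"
          buildah manifest add "${IMAGE}:${TAG}" localhost/build:local
          buildah manifest push --all "${IMAGE}:${TAG}" "docker://${IMAGE}:${TAG}"
        fi

        # Output results (digest comes from the :latest push above)
        DIGEST=$(cat /tmp/image-digest)
        echo -n "$DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
        echo -n "${IMAGE}:latest@${DIGEST}" | tee "$(results.IMAGE_URL.path)"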