todo/.github/workflows/build.yml

name: Build Docker Image

on:
  push:
    branches: [main]
    tags:
      - 'v*'
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write

    outputs:
      image-tag: ${{ steps.meta.outputs.tags }}
      image-digest: ${{ steps.build.outputs.digest }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Lowercase repository name
        id: lowercase
        run: |
          echo "repo=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ steps.lowercase.outputs.repo }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-sha-,format=long
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: ./services/nextjs
          file: ./deploy/docker/Dockerfile.prod
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Extract SHA tag
        id: extract-tag
        run: |
          # Extract the SHA-based tag from the tags list
          TAGS="${{ steps.meta.outputs.tags }}"
          echo "All tags:"
          echo "$TAGS"
          echo "---"
          
          # Get commit SHA (full 40 characters)
          COMMIT_SHA="${{ github.sha }}"
          
          # Method 1: Extract the full SHA tag from docker/metadata-action output
          # docker/metadata-action creates: main-sha-<full-40-char-sha>
          SHA_TAG=$(echo "$TAGS" | grep -oE 'main-sha-[a-f0-9]{40}' | head -n 1)
          
          # Method 2: If not found, try to extract any main-sha- tag (fallback)
          if [ -z "$SHA_TAG" ]; then
            SHA_TAG=$(echo "$TAGS" | grep -oE 'main-sha-[a-f0-9]+' | head -n 1)
            if [ -n "$SHA_TAG" ]; then
              echo "⚠️  Found SHA tag (may not be full 40 chars): $SHA_TAG"
            fi
          fi
          
          # Method 3: Fallback to commit SHA directly (construct the tag)
          if [ -z "$SHA_TAG" ]; then
            SHA_TAG="main-sha-$COMMIT_SHA"
            echo "⚠️  Could not extract from tags, using commit SHA: $SHA_TAG"
          fi
          
          if [ -z "$SHA_TAG" ]; then
            echo "❌ ERROR: Failed to extract SHA tag"
            exit 1
          fi
          
          echo "sha-tag=$SHA_TAG" >> $GITHUB_OUTPUT
          echo "✅ Extracted SHA tag: $SHA_TAG"

      - name: Update kustomization with new image tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

          # Validate that SHA_TAG is not empty
          SHA_TAG="${{ steps.extract-tag.outputs.sha-tag }}"
          if [ -z "$SHA_TAG" ]; then
            echo "❌ ERROR: SHA_TAG is empty, cannot update kustomization"
            exit 1
          fi
          
          echo "📝 Updating kustomization.yaml with tag: $SHA_TAG"
          
          # Update kustomization.yaml with new image tag
          # Handle both cases: newTag: (with value) and newTag: (empty)
          sed -i.bak "s|newTag:.*|newTag: $SHA_TAG|" deploy/k8s/overlays/prod/kustomization.yaml
          
          # Verify the update was successful
          if grep -q "newTag: $SHA_TAG" deploy/k8s/overlays/prod/kustomization.yaml; then
            echo "✅ Successfully updated kustomization.yaml"
            rm -f deploy/k8s/overlays/prod/kustomization.yaml.bak
          else
            echo "❌ ERROR: Failed to update kustomization.yaml"
            cat deploy/k8s/overlays/prod/kustomization.yaml
            exit 1
          fi

          # Commit and push if there are changes
          if git diff --quiet; then
            echo "No changes to commit"
          else
            git add deploy/k8s/overlays/prod/kustomization.yaml
            git commit -m "Update image to $SHA_TAG"
            git push
            echo "✅ Kustomization updated with new image tag: $SHA_TAG"
          fi

      - name: Display image information
        run: |
          echo "✅ Image built and pushed successfully!"
          echo "📦 Image tags:"
          echo "${{ steps.meta.outputs.tags }}"
          echo "🔖 SHA tag: ${{ steps.extract-tag.outputs.sha-tag }}"
          echo "🔖 Digest: ${{ steps.build.outputs.digest }}"
          echo ""
          echo "🚀 Kustomization updated with new image tag"
          echo "   ArgoCD will automatically detect and deploy this new image"
          echo "   Monitor deployment at your ArgoCD dashboard"