name: Reusable docker image build workflow

on:
  workflow_call:
    inputs:
      namespace-repository:
        description: "The namespace and repository in the following format `namespace/repository` e.g. (flwr/base)."
        required: true
        type: string
      file-dir:
        description: "Path of the directory that contains the Dockerfile."
        required: true
        type: string
      build-args:
        description: "List of build-time variables."
        required: false
        type: string
      tags:
        description: "List of tags."
        required: true
        type: string
    secrets:
      dockerhub-user:
        required: true
      dockerhub-token:
        required: true
    outputs:
      metadata:
        description: "Metadata of the docker image."
        value: ${{ jobs.build-manifest.outputs.metadata }}

permissions:
  contents: read

# based on https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
jobs:
  build:
    name: Build image
    runs-on: ubuntu-22.04
    timeout-minutes: 180
    outputs:
      build-id: ${{ steps.build-id.outputs.id }}
    strategy:
      fail-fast: true
      matrix:
        platform: [
            # build-push action and qemu use different platform names
            # therefore we create a map
            { name: "amd64", qemu: "", docker: "linux/amd64" },
            { name: "arm64", qemu: "arm64", docker: "linux/arm64" },
          ]
    steps:
      - name: Create build id
        id: build-id
        shell: python
        run: |
          import hashlib
          import os

          hash = hashlib.sha256('''${{ inputs.namespace-repository }}
          ${{ inputs.file-dir }}
          ${{ inputs.build-args }}'''.encode())
          # Adds two spaces to the line breaks to ensure proper indentation
          # when passing the multi-line string to the wretry.action.
          # Without it, the multi-line string is passed like this:
          #
          # build-args: |
          #   ARG1=
          # ARG2=
          # ARG3=
          #
          # This causes the Docker action to interpret ARG2 and ARG3 as keys instead
          # of values ​​of the multi-line string.
          build_args = '''${{ inputs.build-args }}'''.replace("\n", "\n  ")

          with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
              print(f"id={hash.hexdigest()}", file=fh)
              print("build-args<<EOF", file=fh)
              print(build_args, file=fh)
              print("EOF", file=fh)

      - name: Set up QEMU
        if: matrix.platform.qemu != ''
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          platforms: ${{ matrix.platform.qemu }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ inputs.namespace-repository }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

      - name: Login to Docker Hub
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          username: ${{ secrets.dockerhub-user }}
          password: ${{ secrets.dockerhub-token }}

      - name: Build and push
        uses: Wandalen/wretry.action@6feedb7dedadeb826de0f45ff482b53b379a7844 # v3.5.0
        id: build
        with:
          action: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
          attempt_limit: 60 # 60 attempts * (9 secs delay + 1 sec retry) = ~10 mins
          attempt_delay: 9000 # 9 secs
          with: |
            pull: true
            platforms: ${{ matrix.platform.docker }}
            context: "{{defaultContext}}:${{ inputs.file-dir }}"
            outputs: type=image,name=${{ inputs.namespace-repository }},push-by-digest=true,name-canonical=true,push=true
            build-args: |
              ${{ steps.build-id.outputs.build-args }}

      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ fromJSON(steps.build.outputs.outputs).digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: digests-${{ steps.build-id.outputs.id }}-${{ matrix.platform.name }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  build-manifest:
    name: Build and push docker manifest for all platforms
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    needs: build
    outputs:
      metadata: ${{ steps.meta.outputs.json }}
    steps:
      - name: Download digests
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          pattern: digests-${{ needs.build.outputs.build-id }}-*
          path: /tmp/digests
          merge-multiple: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ inputs.namespace-repository }}
          tags: ${{ inputs.tags }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

      - name: Login to Docker Hub
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          username: ${{ secrets.dockerhub-user }}
          password: ${{ secrets.dockerhub-token }}

      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
              $(printf '${{ inputs.namespace-repository }}@sha256:%s ' *)
      - name: Inspect image
        run: docker buildx imagetools inspect ${{ inputs.namespace-repository }}:${{ steps.meta.outputs.version }}
