name: Publish container images (GHCR)

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout repository (with tags)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Compute version and stable flag
        id: info
        run: |
          set -euo pipefail

          SHA="$(git rev-parse HEAD)"
          VERSION="${GITHUB_REF_NAME#v}"

          STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
          IS_STABLE=false
          [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true

          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          use: true

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish all images
        run: |
          set -euo pipefail
          OWNER="${{ github.repository_owner }}" \
          VERSION="${{ steps.info.outputs.version }}" \
          IS_STABLE="${{ steps.info.outputs.is_stable }}" \
          bash scripts/build/publish.sh