name: Build and Push Docker Image from Nix
description: Build OCI image with Nix flake, push to registry with Attic caching

inputs:
  flake-output:
    description: 'Nix flake output for the OCI image (e.g., .#dojo-image)'
    required: true

  image-name:
    description: 'Target image name in registry (e.g., git.toph.so/user/repo)'
    required: true

  image-tag:
    description: 'Image tag'
    required: false
    default: 'main'

  registry:
    description: 'Docker registry'
    required: false
    default: 'registry.toph.so'

  registry-username:
    description: 'Registry username'
    required: false
    default: ${{ gitea.actor }}

  registry-password:
    description: 'Registry password/token'
    required: true

  cache-name:
    description: 'Attic cache name to push build artifacts'
    required: false
    default: 'ci'

  attic-endpoint:
    description: 'Attic cache endpoint'
    required: false
    default: 'https://cache.toph.so'

runs:
  using: composite
  steps:
    - name: Configure Nix
      shell: bash
      run: |
        mkdir -p ~/.config/nix
        cat > ~/.config/nix/nix.conf <<EOF
        experimental-features = nix-command flakes
        extra-substituters = https://cache.nixos.org/ ${{ inputs.attic-endpoint }}/ci ${{ inputs.attic-endpoint }}/toph
        extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ci:db8ZBxd5cjqoGzOYThRQcxj4XnaqHJZBZw1phCQOiz8= toph:E/oP7KyljH/yprI5LArxNPpSlQCdo29sMOkh3jm53Yg=
        build-users-group =
        max-jobs = auto
        cores = 0
        EOF

    - name: Build OCI image with Nix
      shell: bash
      run: |
        echo "Building ${{ inputs.flake-output }}..."
        nix build "${{ inputs.flake-output }}" --print-build-logs --refresh

    - name: Push build artifacts to Attic cache
      shell: bash
      if: env.ATTIC_TOKEN != ''
      env:
        ATTIC_TOKEN: ${{ env.ATTIC_TOKEN }}
      run: |
        # Configure attic client
        mkdir -p ~/.config/attic
        cat > ~/.config/attic/config.toml <<EOF
        [servers.cache]
        endpoint = "${{ inputs.attic-endpoint }}"
        token = "${ATTIC_TOKEN}"
        EOF

        # Push entire closure to cache (don't fail if this fails)
        if ! attic push "${{ inputs.cache-name }}" ./result; then
          echo "Warning: Failed to push to Attic cache, continuing anyway"
        fi

    - name: Push image to registry with skopeo
      shell: bash
      run: |
        TARGET_IMAGE="docker://${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
        echo "Pushing OCI image to: $TARGET_IMAGE"

        # Use skopeo to push directly from OCI tarball to registry
        skopeo copy \
          --dest-creds "${{ inputs.registry-username }}:${{ inputs.registry-password }}" \
          "docker-archive:./result" \
          "$TARGET_IMAGE"