name: Create and publish docker image

on:
  push:
    branches: [ "main" ]
    paths-ignore:
      - 'README.md'
      - '.github/**'
  pull_request:
    branches: [ "main" ]

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2.0.0

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into GitHub Container registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log into Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Generate image name
        run: |
          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v3.1.1
        with:
          file: deployment/Dockerfile
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: |
            ghcr.io/${{ env.IMAGE_NAME }}:latest
            ${{ env.IMAGE_NAME }}:latest