name: nginx-build

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      force:
        description: "Set to true to force a build even if no files changed."
        required: false
        default: "false"
  workflow_call:
    secrets:
      REGISTRY_TOKEN:
        required: true
        description: "Token for registry authentication."

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: gitea.auvem.com
          username: ${{ vars.REGISTRY_USER || github.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      - name: Decide and build nginx if needed
        shell: bash
        env:
          GIT_SHA_SHORT: ${GITHUB_SHA::7}
          FORCE: ${{ github.event.inputs.force || 'false' }}
        run: |
          set -euo pipefail

          if [[ ! -f nginx/Dockerfile ]]; then
            echo "No nginx/Dockerfile present; nothing to build."
            exit 0
          fi

          BUILD=false
          # Manual trigger or explicit force -> build
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || [[ "$FORCE" == "true" ]]; then
            echo "Manual/forced trigger -> building nginx"
            BUILD=true
          else
            # detect changed files between base/head (or list all files for shallow contexts)
            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
              BASE_SHA="${{ github.event.pull_request.base.sha }}"
              HEAD_SHA="${{ github.event.pull_request.head.sha }}"
            elif [[ "${{ github.event_name }}" == "push" ]]; then
              BASE_SHA="$(git rev-parse HEAD~1 2>/dev/null || true)"
              HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
            else
              BASE_SHA=""
              HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)"
            fi

            if [[ -n "$BASE_SHA" ]]; then
              CHANGED=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
            else
              CHANGED=$(git ls-files)
            fi

            echo "Changed files:\n$CHANGED"

            if grep -q "^.github/workflows/" <<< "$CHANGED"; then
              echo "Workflow changed; building nginx"
              BUILD=true
            elif grep -q "^nginx/" <<< "$CHANGED"; then
              echo "nginx directory changed; building nginx"
              BUILD=true
            else
              BUILD=false
            fi
          fi

          if [[ "$BUILD" != "true" ]]; then
            echo "No relevant changes; skipping nginx build."
            exit 0
          fi

          IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
          TAG="latest"
          echo "Building $IMAGE:$TAG"
          docker buildx build --push --platform linux/amd64 \
            --tag "${IMAGE}:${TAG}" \
            --tag "${IMAGE}:git-${GIT_SHA_SHORT}" \
            --file nginx/Dockerfile \
            .
            IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx"
            TAG="latest"
            echo "Building nginx image ${IMAGE}:${TAG}"
            docker buildx build --push --platform linux/amd64 \
              --tag "${IMAGE}:${TAG}" \
              --tag "${IMAGE}:git-${GIT_SHA_SHORT}" \
              --file "nginx/Dockerfile" .
          done