name: Update Taskwarrior in Docker images

on:
  workflow_dispatch:
    inputs:
      release:
        type: choice
        description: Taskwarrior release
        options:
          - develop
          - stable
  schedule:
    - cron: 0 2 * * *

env:
  REGISTRY: "ghcr.io"
  RELEASE: ${{ github.event.inputs.release || 'develop' }}

jobs:
  build-and-push-docker-images:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Create lowercase repository name
        run: |
          GHCR_REPOSITORY="${{ github.repository_owner }}"
          echo "REPOSITORY=${GHCR_REPOSITORY,,}" >> ${GITHUB_ENV}

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.7.0

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Taskwarrior [${{ env.RELEASE }}]/Timewarrior [devlop] Docker image
        id: build-and-push-develop
        uses: docker/build-push-action@v6.11.0
        with:
          context: .
          file: "./test/docker/task-timew.dockerfile"
          push: true
          build-args: |
            TASK_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task:${{ env.RELEASE }}
            TIMEW_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY }}/timew:develop
          tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task-timew:${{ env.RELEASE }}-develop

      - name: Sign the published Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: cosign sign ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task-timew@${{ steps.build-and-push-develop.outputs.digest }}

      - name: Build and push Taskwarrior [${{ env.RELEASE }}]/Timewarrior [stable] Docker image
        id: build-and-push-stable
        uses: docker/build-push-action@v6.11.0
        with:
          context: .
          file: "./test/docker/task-timew.dockerfile"
          push: true
          build-args: |
            TASK_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task:${{ env.RELEASE }}
            TIMEW_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY }}/timew:stable
          tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task-timew:${{ env.RELEASE }}-stable

      - name: Sign the published Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: cosign sign ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task-timew@${{ steps.build-and-push-stable.outputs.digest }}