name: Taskwarrior Docker image

on:
  workflow_dispatch:
  workflow_run:
    workflows: [tests]
    branches:
      - develop
      - stable
    types:
      - completed

env:
  REGISTRY: "ghcr.io"

jobs:
  build-and-push-docker-image:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Create lowercase repository name
        run: |
          GHCR_REPOSITORY="${{ github.repository_owner }}"
          echo "REPOSITORY=${GHCR_REPOSITORY,,}" >> ${GITHUB_ENV}
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: "recursive"

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.9.0

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3.4.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Taskwarrior Docker image
        id: build-and-push
        uses: docker/build-push-action@v6.18.0
        with:
          context: .
          file: "./docker/task.dockerfile"
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task:${{ github.ref_name }}

      - name: Sign the published Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: cosign sign ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/task@${{ steps.build-and-push.outputs.digest }}