# yamllint --format github .github/workflows/internal-images.yml
---
name: internal-images

# Refresh the tags once a day. This limits impact of rate-limited images. See RATIONALE.md
on:
  schedule:
    - cron: "23 3 * * *"
  workflow_dispatch:  # Allows manual refresh

# This builds images and pushes them to ghcr.io/tetratelabs/wazero/internal-$tag
# Using these avoid docker.io rate-limits particularly on pull requests.
jobs:
  copy-images:
    runs-on: ubuntu-22.04  # Hard-coding an LTS means maintenance, but only once each 2 years!
    strategy:
      matrix:
        # Be precise in tag versions to improve reproducibility
        include:
          - source: tonistiigi/binfmt:qemu-v6.2.0  # for docker/setup-qemu-action
            target_tag: binfmt

    steps:
      # Same as doing this locally: echo "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_TOKEN}" --password-stdin
      - name: "Login into GitHub Container Registry"
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # GITHUB_TOKEN=<hex token value>
          #   - pushes Docker images to ghcr.io
          #   - create via https://github.com/settings/tokens
          #   - needs repo:status, public_repo, write:packages, delete:packages
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull and push
        run: |  # This will only push a single architecture, which is fine as we currently only support amd64
          docker pull ${{ matrix.source }}
          docker tag ${{ matrix.source }} ghcr.io/${{ github.repository }}/internal-${{ matrix.target_tag }}
          docker push ghcr.io/${{ github.repository }}/internal-${{ matrix.target_tag }}