name: Build and Push Flutter SDK Image

on:
  release:
    types: [published, prereleased]

permissions:
  contents: read

env:
  IMAGE_NAME: flutter-sdk

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - dockerfile: Dockerfile
            variant: web
            description: Minimal Flutter SDK for Web/WASM CI builds
          - dockerfile: Dockerfile.android
            variant: android
            description: Flutter SDK for Android CI builds
          - dockerfile: Dockerfile.linux
            variant: linux
            description: Flutter SDK for Linux desktop CI builds
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Determine version and tag type
        id: version
        run: |
          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
            # Pre-release: fetch latest stable version, tag as dev
            FLUTTER_VERSION=$(curl -fsSL https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json \
              | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
            echo "flutter_version=${FLUTTER_VERSION}" >> $GITHUB_OUTPUT
            echo "tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
            echo "Using latest Flutter stable ${FLUTTER_VERSION} for pre-release test"
          else
            # Full release: use the release tag as the Flutter version
            echo "flutter_version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
            echo "tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
          fi

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build image for Scout analysis
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          push: false
          load: true
          build-args: |
            FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      - name: Docker Scout CVE Scan
        run: |
          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }} --only-severity critical,high

      - name: Build and push with attestations
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64,linux/arm64
          push: true
          sbom: true
          provenance: mode=max
          build-args: |
            FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
          tags: |
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
          labels: |
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.version=${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
            org.opencontainers.image.revision=${{ github.sha }}